Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware
Ukrainian scientific research institutions have been targeted by a spear-phishing campaign delivering malware tracked as HATVIBE and CHERRYSPY. The Computer Emergency Response Team of Ukraine (CERT-UA) attributes the attacks to UAC-0063, a threat actor believed to be linked to the Russian nation-state group APT28. The attackers sent phishing messages from a compromised email account carrying a macro-laced Microsoft Word attachment. When the macros are enabled, HATVIBE runs, establishes persistence through a scheduled task and deploys the CHERRYSPY Python backdoor, which can execute remote commands. CERT-UA also noted that HATVIBE exploits a critical vulnerability in HTTP File Server (CVE-2024-23692) for initial access.

In a separate phishing campaign, CERT-UA reported that Ukrainian defense enterprises were targeted with malicious PDF files that download a Lua-based loader called DROPCLUE, which in turn downloads a legitimate remote desktop program while displaying a decoy document. This activity was attributed to a cluster tracked as UAC-0180.

Malware: CHERRYSPY, HATVIBE
CVEs: CVE-2024-23692

[View Article](https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html)
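The persistence step described above (a macro-enabled Word attachment that ends in a scheduled task) is the kind of behaviour a defender can hunt for in endpoint process telemetry, independent of any particular sample. The following is an added example and not code from the article, CERT-UA or the malware authors: it walks the process ancestry of every scheduled-task creation and flags those that descend from an Office application. The event records are constructed Sysmon-style samples, the intermediate `wscript.exe` stage and the task names are hypothetical, and the set of Office images is an assumption; none of it reflects how HATVIBE is actually implemented.

```python
"""Flag scheduled-task creation whose process ancestry includes an Office app.

Constructed example for defenders: the events below are synthetic,
Sysmon-style process-creation records, not telemetry from the campaign
described in the article.
"""
from dataclasses import dataclass

# Assumption: Office applications whose macro execution we treat as suspicious
# when a scheduled task is created somewhere beneath them in the process tree.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
TASK_CREATORS = {"schtasks.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable that was started
    cmdline: str    # full command line as recorded by the sensor


def build_index(events):
    """Map pid -> event so parents can be looked up in constant time."""
    return {e.pid: e for e in events}


def ancestry(index, pid, max_depth=16):
    """Return the chain [process, parent, grandparent, ...] for `pid`.

    Stops at an unknown ppid, at a pid already visited (guards against
    pid reuse producing a cycle) or after `max_depth` hops.
    """
    chain, seen = [], set()
    while pid in index and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        event = index[pid]
        chain.append(event)
        pid = event.ppid
    return chain


def is_task_creation(event):
    """True for schtasks.exe invocations that create a task (not /query etc.)."""
    return event.image.lower() in TASK_CREATORS and "/create" in event.cmdline.lower()


def office_in_ancestry(chain):
    return any(e.image.lower() in OFFICE_IMAGES for e in chain)


def find_office_spawned_task_creation(events):
    """Return (pid, [images from child up to root]) for each suspicious task creation."""
    index = build_index(events)
    hits = []
    for event in events:
        if not is_task_creation(event):
            continue
        chain = ancestry(index, event.pid)
        # chain[0] is schtasks itself; only its ancestors matter here.
        if office_in_ancestry(chain[1:]):
            hits.append((event.pid, [a.image for a in chain]))
    return hits


# Constructed sample telemetry. pid 500 is the suspicious case: a macro-enabled
# document in Word spawns a (hypothetical) script host which creates a task.
# pid 700 is a benign administrator creating a task from a shell, and pid 800
# only queries existing tasks.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "outlook.exe", "outlook.exe"),
    ProcEvent(300, 200, "winword.exe", 'winword.exe /n "C:\\Users\\u\\Downloads\\invite.docm"'),
    ProcEvent(400, 300, "wscript.exe", "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.vbs"),
    ProcEvent(500, 400, "schtasks.exe",
              'schtasks.exe /create /sc minute /mo 30 /tn "Updater" /tr "C:\\Users\\u\\AppData\\Local\\Temp\\placeholder.exe"'),
    ProcEvent(600, 100, "cmd.exe", "cmd.exe"),
    ProcEvent(700, 600, "schtasks.exe", 'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\\Tools\\backup.exe"'),
    ProcEvent(800, 100, "schtasks.exe", "schtasks.exe /query"),
]

if __name__ == "__main__":
    for pid, images in find_office_spawned_task_creation(SAMPLE_EVENTS):
        print(f"pid {pid}: scheduled task created beneath Office: {' <- '.join(images)}")
```

Walking the full ancestry rather than checking only the direct parent matters because macro payloads commonly pass through one or more intermediate processes before touching persistence; the benign `cmd.exe` chain and the `/query` invocation show why both the ancestry test and the `/create` test are needed to keep the alert volume manageable.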