Happy Friday everyone!
Bitdefender researcher Martin Zugec recently published a report on UAC-0063 targeting high-value organizations in Central Asia and Europe, including government entities and diplomatic missions.
According to the report, initial access was gained when the actor stole a legitimate document, weaponized it, and sent it to the target. The email contains a link rather than the document itself; when the target downloads the document and enables macros, a VBA script runs. It creates a new temporary document in the %LocalAppData%\Tmep directory and stores the variables from the initial document there. Once the variables are extracted, the #HATVIBE malware (a backdoor designed to receive VBS modules for execution on compromised hosts) enters the picture, and a scheduled task is created to execute it every 4 minutes for persistence. HATVIBE then contacts the C2 server for further instructions.
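The persistence detail above (a scheduled task firing every 4 minutes to run a script-based backdoor) is something you can hunt for directly in exported Task Scheduler XML. The script below is an added example written for this post; it is not code from the Bitdefender report or from Intel 471. It assumes the standard Task Scheduler XML schema that `schtasks /query /xml` and `Export-ScheduledTask` produce, and the two sample tasks, the `mshta.exe` launcher and the `update.vbs` file name are constructed for illustration rather than taken from the report.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Namespace used by every Task Scheduler XML export.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts / LOLBins an attacker would use to run a VBS backdoor from a task.
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rundll32", "regsvr32")

# The report describes a 4-minute repetition; anything at or under 5 minutes is worth a look.
MAX_INTERVAL_SECONDS = 5 * 60


def parse_duration(value: str) -> int:
    """Parse the ISO 8601 duration subset Task Scheduler emits (PT4M, PT1H30M, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


@dataclass
class Finding:
    task_name: str
    interval_seconds: int
    command: str
    arguments: str


def hunt_task_xml(task_name: str, xml_data) -> Optional[Finding]:
    """Flag a task that repeats at a short interval AND launches a script host or a user-profile path.

    xml_data may be str or bytes; pass the raw bytes of a schtasks export (UTF-16 with declaration).
    """
    root = ET.fromstring(xml_data)
    # Repetition/Interval can appear under any trigger type (TimeTrigger, LogonTrigger, ...).
    intervals = [
        parse_duration(node.text)
        for node in root.iterfind(".//t:Triggers//t:Repetition/t:Interval", NS)
        if node.text
    ]
    if not intervals or min(intervals) > MAX_INTERVAL_SECONDS:
        return None
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        combined = f"{cmd} {args}".lower()
        suspicious_host = any(host in combined for host in SCRIPT_HOSTS)
        user_profile_path = "%localappdata%" in combined or "\\appdata\\local\\" in combined
        if suspicious_host or user_profile_path:
            return Finding(task_name, min(intervals), cmd, args)
    return None


# Constructed sample: a task matching the pattern in the post (4-minute repeat, mshta running a .vbs
# from the %LocalAppData%\Tmep directory). File name and launcher are assumptions, not from the report.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT4M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-01-10T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>mshta.exe</Command>
      <Arguments>"%LocalAppData%\Tmep\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a daily repeat running a vendor binary from Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>P1D</Interval></Repetition>
      <StartBoundary>2025-01-10T02:00:00</StartBoundary>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\backup.exe</Command>
      <Arguments>/nightly</Arguments>
    </Exec>
  </Actions>
</Task>"""


def hunt_all(tasks: dict) -> list:
    """Run the check over a {task_name: xml} mapping and return only the findings."""
    return [f for f in (hunt_task_xml(n, x) for n, x in tasks.items()) if f is not None]


if __name__ == "__main__":
    for f in hunt_all({r"\Microsoft\Windows\Updater": SUSPICIOUS_TASK, r"\Vendor\Backup": BENIGN_TASK}):
        print(f"[!] {f.task_name}: every {f.interval_seconds}s -> {f.command} {f.arguments}")
```

On a real host, feed it the output of `schtasks /query /xml /tn <name>` for each task (or loop over `C:\Windows\System32\Tasks\*`, which holds the same XML); the interval threshold and host list are starting points to tune, since a 4-minute beacon is the report's specific, not a constant of the malware family.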
Now this is just a brief summary, but the report contains PLENTY more technical details, so I would encourage you to go and read it yourself and see what I missed! Enjoy and Happy Hunting!
UAC-0063: Cyber Espionage Operation Expanding from Central Asia
Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday