Winter Vivern APT Group: Targets, Tactics, and Remediations

A lesser-known advanced persistent threat (APT) group called Winter Vivern has been linked to campaigns targeting government officials and private businesses.

Winter Vivern, the APT group first identified by DomainTools in 2021, was behind malicious campaigns that targeted organizations in several countries, including India, Lithuania, Slovakia, the Vatican, and Italy. Although less studied than other APT groups, it has recently been found by SentinelOne to have targeted Ukrainian and Polish organizations, including a telecommunications company.


Targets and Tactics

According to senior threat researcher Tom Hegel, Winter Vivern’s focus on private businesses, particularly telecommunications organizations that provide assistance to Ukraine in the ongoing conflict, is of significant concern.

According to a recent analysis by Tom Hegel from SentinelOne’s SentinelLabs, Winter Vivern targeted specific government websites in early 2023.

Winter Vivern’s campaigns typically use phishing lures that are modified versions of legitimate government documents of particular interest to the intended target. They also sometimes create copies of legitimate government websites to phish for credentials. Recently, the group targeted specific government websites by creating individual pages on a single malicious domain that closely resembled those of Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine.

Winter Vivern employs a range of tools for its operations, including legitimate Windows utilities, alongside malware of its own. One such tool is Aperetif, a trojan disguised as a malware scanner. It automates the collection of victim details, maintains access, and sends outbound signals to the actor-controlled domain marakanas[.]com. During its initial activity, the trojan runs whoami through PowerShell and beacons out for further instructions and/or downloads. Winter Vivern delivers Aperetif through compromised WordPress sites, although it has also demonstrated the ability to exploit vulnerabilities to gain initial access.

Of particular concern is Winter Vivern’s targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing conflict.

A review of earlier activity shows that in December 2022 Winter Vivern targeted individuals associated with the Hochuzhit.com (“I Want to Live”) project, a Ukrainian government website that provides guidance and instructions to members of the Russian and Belarusian armed forces who wish to surrender voluntarily. In these attacks the group used a macro-enabled Excel spreadsheet to infect the target.


Winter Vivern’s Strategic Intent

Winter Vivern’s activities are closely aligned with the interests of the Belarusian and Russian governments. The group is not as well known as some other APT teams, but its ability to lure targets and evade detection has made it a formidable force in the cyber domain.


Some IOCs and detection methods related to Winter Vivern:

  1. IOCs:
  • Malware: Aperetif
  • Domain: marakanas[.]com
  • IP: 185.253.135[.]122, 185.253.135[.]125, 185.253.135[.]123, 31.28.168[.]84
  • File hashes: 3c3b144ccfa7e0ecb8d7a71f594a40e45e1daaaaf8c5f1d4a4a4c4e824a8aa97, 3582b5ed5a5cde24002d7fb4c4b4f7b4c52ee8f22b67aa2142fcdd7e2f0d1298, 6623b678f758878c0ed4130760b7f6d360f36961658b8211dbd6be797065c59b
  2. Detection methods:
  • Monitor for suspicious network traffic to known Winter Vivern domains or IPs.
  • Monitor for attempts to access known Winter Vivern C2 infrastructure.
  • Analyze email attachments for macro-enabled Excel spreadsheets.
  • Implement web filtering to block access to known malicious domains or IP addresses.
  • Implement file integrity monitoring (FIM) to detect unauthorized modifications to system files or logs.
  • Implement endpoint detection and response (EDR) solutions to detect and respond to malware infections.
  • Conduct regular security awareness training to educate employees on the latest phishing tactics and how to avoid them.

These IOCs and detection methods can be integrated into firewalls, SIEM, and SOAR solutions to enhance threat detection and response capabilities.
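As an added example (not code from the original post or from SentinelLabs), the following Python sketch turns the IOCs listed above into detection logic run over log lines: it refangs the defanged indicators, matches destination hosts (including subdomains), destination IPs and SHA-256 hashes, and flags macro-enabled Excel attachments for triage. The key=value log format and the sample lines are constructed assumptions, not real telemetry.

```python
import re
# IOCs copied from the list above, kept defanged ([.]) so no live value appears here.
DEFANGED_DOMAINS = ["marakanas[.]com"]
DEFANGED_IPS = ["185.253.135[.]122", "185.253.135[.]125",
                "185.253.135[.]123", "31.28.168[.]84"]
SHA256_HASHES = {
    "3c3b144ccfa7e0ecb8d7a71f594a40e45e1daaaaf8c5f1d4a4a4c4e824a8aa97",
    "3582b5ed5a5cde24002d7fb4c4b4f7b4c52ee8f22b67aa2142fcdd7e2f0d1298",
    "6623b678f758878c0ed4130760b7f6d360f36961658b8211dbd6be797065c59b",
}
def refang(indicator):
    # Convert a defanged indicator ("[.]") into its matchable, lowercased form.
    return indicator.replace("[.]", ".").lower()
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # assumed generic key=value log format

def parse_line(line):
    # Parse one key=value line into a dict; values are unquoted and lowercased.
    return {k: v.strip('"').lower() for k, v in KV_RE.findall(line)}

def host_matches(host):
    # True for a listed domain itself or any subdomain of it (never a bare suffix).
    return any(host == d or host.endswith("." + d) for d in DOMAINS)

def classify(event):
    # Return the first IOC rule the event triggers, or None if it is clean.
    host = event.get("dst_host") or event.get("query", "")
    if host and host_matches(host):
        return "c2_domain"
    if event.get("dst_ip") in IPS:
        return "c2_ip"
    if event.get("sha256") in SHA256_HASHES:
        return "known_hash"
    if event.get("attachment", "").endswith((".xlsm", ".xls")):
        return "macro_excel_review"  # low confidence: queue for triage, not a verdict
    return None

def scan(lines):
    # Run every log line through the rules; return (rule, line) for each hit.
    return [(r, l) for r, l in ((classify(parse_line(l)), l) for l in lines) if r]

# Constructed sample lines (proxy, firewall, mail gateway); not real telemetry.
SAMPLE_LOGS = [
    "src=10.0.0.5 dst_host=cdn.MARAKANAS.com dst_ip=185.253.135.122 action=allow",
    "src=10.0.0.7 dst_host=example.org dst_ip=93.184.216.34 action=allow",
    "src=10.0.0.9 dst_ip=31.28.168.84 proto=tcp dport=443",
    'from=sender@example.net attachment="survey.xlsm" sha256=3582b5ed5a5cde24002d7fb4c4b4f7b4c52ee8f22b67aa2142fcdd7e2f0d1298',
    'from=hr@example.net attachment="Q1.xlsm" sha256=notlisted',
]
```

In a SIEM the same rules would be expressed as a watchlist or lookup; the subdomain check and the lower-confidence attachment rule are the two details that a plain string match tends to get wrong.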

Here are some potential remediation steps that organizations could consider to mitigate the threat posed by Winter Vivern:

  • User education: Educate employees about the risks of phishing attacks and the importance of not opening suspicious email attachments or clicking on links from unknown sources.
  • Multi-factor authentication (MFA): Implement MFA for all remote access to sensitive systems and applications, to help prevent unauthorized access even if login credentials are compromised.
  • Vulnerability management: Implement a vulnerability management program to identify and remediate vulnerabilities in a timely manner, including patching known vulnerabilities in software and systems.
  • Security awareness training: Conduct regular security awareness training sessions for employees to help them identify and report potential security incidents, including suspicious emails or activity on their systems.
  • Endpoint protection: Deploy endpoint protection software on all devices, including servers and workstations, to help detect and prevent malware infections.
  • Network segmentation: Implement network segmentation to limit the lateral movement of threats like Winter Vivern once they gain access to the network.

It’s important to note that these steps may not completely eliminate the threat posed by Winter Vivern or any other APT group, but they can help reduce the risk and improve an organization’s overall security posture.