Winter Vivern | Uncovering a Wave of Global Espionage

MITRE Techniques

• [T1566] Phishing – The threat actor used phishing websites and credential phishing, including government-domain mimicry to prompt downloads and capture credentials. ‘The threat actor employs various tactics, such as phishing websites, credential phishing, and deployment of malicious documents, that are tailored to the targeted organization’s specific needs.’
• [T1204.002] User Execution: Malicious File – Macro-enabled Excel used to infect targets. ‘In these attacks the threat actor made use of a macro-enabled Excel spreadsheet to infect the target.’
• [T1059.001] PowerShell – PowerShell invoked via a macro and used to beacon to a remote URL. ‘PowerShell is called through a macro. Specifically, Invoke-Expression cmdlet is executed, beaconing to the malicious destination of ocs-romastassec[.]com/goog_comredira3cf7ed34f8.php.’
• [T1059.003] Windows Command Shell – Batch scripts disguised as virus scanners prompt malware downloads. ‘utilizing batch scripts disguised as virus scanners to prompt downloads of malware from attacker-controlled servers.’
• [T1189] Drive-by Compromise – Attackers mimic government domains to distribute malicious downloads via compromised pages. ‘targeted government websites by creating individual pages on a single malicious domain that closely resembled those of Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine.’
• [T1105] Ingress Tool Transfer – Beaconing outbound for further instructions and/or downloads from attacker-controlled servers. ‘beaconing outbound for further instructions and/or downloads.’
• [T1190] Exploit Public-Facing Application – Exploiting application vulnerabilities to compromise targets or staging servers. ‘exploiting application vulnerabilities to compromise specific targets or staging servers.’