G1035 Winter Vivern
Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.25134
| Item | Value |
|---|---|
| ID | G1035 |
| Associated Names | TA473, UAC-0114 |
| Version | 1.0 |
| Created | 29 July 2024 |
| Last Modified | 10 October 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Group Descriptions
| Name | Description |
|---|---|
| TA473 | 4 |
| UAC-0114 | 1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | Winter Vivern registered domains mimicking other entities throughout various campaigns.2 |
| enterprise | T1583.003 | Virtual Private Server | Winter Vivern used adversary-owned and -controlled servers to host web vulnerability scanning applications.5 |
| enterprise | T1595 | Active Scanning | - |
| enterprise | T1595.002 | Vulnerability Scanning | Winter Vivern has used remotely-hosted instances of the Acunetix vulnerability scanner.5 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Winter Vivern uses HTTP and HTTPS protocols for exfiltration and command and control activity.51 |
| enterprise | T1119 | Automated Collection | Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.1 |
| enterprise | T1020 | Automated Exfiltration | Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.1 |
| enterprise | T1059 | Command and Scripting Interpreter | Winter Vivern used XLM 4.0 macros for initial code execution for malicious document files.2 |
| enterprise | T1059.001 | PowerShell | Winter Vivern passed execution from document macros to PowerShell scripts during initial access operations.2 Winter Vivern used batch scripts that called PowerShell commands as part of initial access and installation operations.1 |
| enterprise | T1059.003 | Windows Command Shell | Winter Vivern distributed Windows batch scripts disguised as virus scanners to prompt download of malicious payloads using built-in system tools.51 |
| enterprise | T1059.007 | JavaScript | Winter Vivern delivered malicious JavaScript to exploit targets when exploiting Roundcube Webmail servers.3 |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.006 | Web Services | Winter Vivern has used compromised WordPress sites to host malicious payloads for download.5 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Winter Vivern delivered exploit payloads via base64-encoded payloads in malicious email messages.3 |
| enterprise | T1189 | Drive-by Compromise | Winter Vivern created dedicated web pages mimicking legitimate government websites to deliver malicious fake anti-virus software.1 |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.001 | Local Email Collection | Winter Vivern delivered malicious JavaScript payloads capable of exfiltrating email messages from exploited email servers.3 |
| enterprise | T1041 | Exfiltration Over C2 Channel | Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.1 |
| enterprise | T1190 | Exploit Public-Facing Application | Winter Vivern has exploited known and zero-day vulnerabilities in software usch as Roundcube Webmail servers and the “Follina” vulnerability.34 |
| enterprise | T1083 | File and Directory Discovery | Winter Vivern delivered malicious JavaScript payloads capable of listing folders and emails in exploited email servers.3 |
| enterprise | T1105 | Ingress Tool Transfer | Winter Vivern executed PowerShell scripts to create scheduled tasks to retrieve remotely-hosted payloads.2 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.003 | Web Portal Capture | Winter Vivern registered and hosted domains to allow for creation of web pages mimicking legitimate government email logon sites to collect logon information.5 |
| enterprise | T1036 | Masquerading | Winter Vivern created specially-crafted documents mimicking legitimate government or similar documents during phishing campaigns.5 |
| enterprise | T1036.004 | Masquerade Task or Service | Winter Vivern has distributed malicious scripts and executables mimicking virus scanners.5 |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Winter Vivern leverages malicious attachments delivered via email for initial access activity.251 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Winter Vivern executed PowerShell scripts that would subsequently attempt to establish persistence by creating scheduled tasks objects to periodically retrieve and execute remotely-hosted payloads.2 |
| enterprise | T1113 | Screen Capture | Winter Vivern delivered PowerShell scripts capable of taking screenshots of victim machines.1 |
| enterprise | T1082 | System Information Discovery | Winter Vivern script execution includes basic victim information gathering steps which are then transmitted to command and control servers.2 |
| enterprise | T1033 | System Owner/User Discovery | Winter Vivern PowerShell scripts execute whoami to identify the executing user.5 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Winter Vivern has mimicked legitimate government-related domains to deliver malicious webpages containing links to documents or other content for user execution.51 |
References
-
CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩
-
Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024. ↩↩↩↩↩↩↩↩
-
Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024. ↩↩↩↩↩↩
-
Michael Raggi & The Proofpoint Threat Research Team. (2023, March 30). Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe. Retrieved July 29, 2024. ↩↩↩
-
Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩