Russian Cyber Spies Target Organizations with HatVibe and CherrySpy Malware

A hacking group aligned with Russia is reportedly engaged in a cyber espionage initiative spanning Europe and Asia, as indicated by Recorded Future. The Insikt Group, which is the threat intelligence division of Recorded Future, disclosed in a report dated November 21 that a group identified as TAG-110 has been deploying custom malware to infiltrate government agencies, human rights organizations, and educational institutions.

The researchers have identified 62 distinct victims of two strains of TAG-110’s custom malware, HatVibe and CherrySpy, across eleven nations, with the highest concentration of victims in Central Asia. The current campaign is believed to have begun in July 2024, with victims in countries including Armenia, China, Greece, Hungary, India, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.

The majority of the victims are situated in Central Asian nations, particularly Tajikistan, Kyrgyzstan, Turkmenistan, and Kazakhstan. Noteworthy targets include the National Center for Human Rights of the Republic of Uzbekistan, KMG-Security, a subsidiary of the Kazakh state-owned oil and gas company KazMunayGas, and a Tajik educational and research institution.

Earlier reports have indicated that TAG-110, in addition to its primary focus on Central Asia, has also targeted secondary nations such as India, Israel, Mongolia, and Ukraine. The Insikt Group posits that TAG-110’s objectives are to gather intelligence that would enhance Russia’s military operations in Ukraine and to obtain insights into geopolitical developments in adjacent countries.

Unpacking TAG-110’s Latest Espionage Campaign

Victims have been affected by two custom malware variants from TAG-110, namely HatVibe and CherrySpy, across a total of eleven nations.

HatVibe functions as a specialized HTML application (HTA) loader, primarily intended to deploy additional malware, including the CherrySpy backdoor, while also possessing the capability to execute arbitrary VBScript. It is likely disseminated through malicious Word documents or by exploiting vulnerabilities such as CVE-2024-23692. HatVibe ensures persistence by creating a scheduled task that executes the HTA file via mshta.exe. The loader incorporates two layers of obfuscation: VBScript encoding and XOR encryption, which complicate detection and analysis efforts.

CherrySpy, a backdoor developed in Python, is utilized for espionage purposes. It is deployed alongside a Python interpreter by HatVibe and maintains its persistence through scheduled tasks. In its most recent campaign, CherrySpy has been compiled into a Python Dynamic Module (.pyd) file to enhance its evasion capabilities.

The backdoor establishes a secure connection with its command-and-control server through HTTP POST requests, employing RSA and AES encryption for both key exchange and data protection. Additionally, CherrySpy incorporates unique identifiers, including a hard-coded 24-character ID and an SHA-256 checksum, to verify its integrity during communication. The group also utilizes other custom malware, such as LogPie and StilLarch.

TAG-110, A Likely Subset of APT28

The recent campaign, reportedly initiated in July 2024, corresponds with the historical reporting on UAC-0063, which was first detected by Ukraine’s Computer Emergency Response Team (CERT-UA) in May 2023. That activity has been attributed with moderate confidence to the Russian state-sponsored advanced persistent threat (APT) group known as BlueDelta (APT28). CERT-UA indicated that UAC-0063 had employed CherrySpy as far back as early 2023, particularly against targets in Central Asia.

Historically, APT28 has been linked to cyber espionage efforts throughout Central Asia. According to the Insikt Group report, “While CERT-UA’s moderate confidence attribution to BlueDelta cannot be confirmed at this time, TAG-110’s activity does overlap with BlueDelta’s strategic interests in the areas of national security, military operations, and geopolitical influence.”

Recorded Future’s Recommended Mitigation Measures

The researchers project that TAG-110 will likely engage in similar operations in the near future, maintaining a particular emphasis on the post-Soviet Central Asian nations situated along Russia’s borders, as well as Ukraine and its allied countries.

To counteract and reduce the impact of TAG-110, Recorded Future has proposed the following measures:

• Implementing intrusion detection systems (IDS), intrusion prevention systems (IPS), or other network defense strategies

• Utilizing Snort, Suricata, and YARA rules to monitor network communications associated with HatVibe and CherrySpy, and conducting searches for infections within the network

• Employing Process Monitor to track Scheduled Tasks created via mshta.exe, thereby identifying HatVibe’s efforts to maintain persistence

• Ensuring timely updates and patches for vulnerable software

• Promoting robust security awareness through proactive and interactive training sessions

• Educating users to identify phishing emails and to exercise caution when interacting with links or attachments in emails

• Activating multifactor authentication (MFA) wherever feasible
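The Process Monitor recommendation above covers live task creation; a complementary check is to review the task definitions already on a host. The script below is an added example, not code from the Recorded Future report: it parses exported Windows Task Scheduler XML (the format `schtasks /query /xml` and `Export-ScheduledTask` produce) and flags any task whose action launches mshta.exe, the persistence pattern described for HatVibe. The task names and the `.hta` path in the sample are constructed placeholders, not indicators from the report.

```python
import ntpath
import xml.etree.ElementTree as ET

# Namespace of the Windows Task Scheduler task-definition schema.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample definitions keyed by task path: one benign built-in task and one
# task that runs an .hta file through mshta.exe. Names and paths are placeholders.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": """
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>""",
    r"\PLACEHOLDER_TASK": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Windows\\System32\\mshta.exe"</Command>
      <Arguments>"C:\\Users\\Public\\PLACEHOLDER.hta"</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in one task definition."""
    root = ET.fromstring(task_xml.strip())
    for node in root.findall("t:Actions/t:Exec", TASK_NS):
        command = node.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        yield command, args


def find_mshta_tasks(task_xml_by_path):
    """Return tasks whose action runs mshta.exe, with any .hta path found in the arguments."""
    hits = []
    for path, xml_text in task_xml_by_path.items():
        for command, args in exec_actions(xml_text):
            # Compare on the file name so full paths, %windir% expansion and quoting do not matter.
            if ntpath.basename(command).lower() in ("mshta.exe", "mshta"):
                hta = [t.strip('"') for t in args.split() if t.strip('"').lower().endswith(".hta")]
                hits.append({"task": path, "command": command, "arguments": args,
                             "hta_file": hta[0] if hta else None})
    return hits


if __name__ == "__main__":
    for hit in find_mshta_tasks(SAMPLE_TASKS):
        print(f"{hit['task']}: {hit['command']} {hit['arguments']}")
```

Feed it the XML of every task on a host (for example from a `schtasks /query /xml` dump split per task) and triage each hit against the task's trigger and author; mshta.exe has few legitimate reasons to be launched from a scheduled task.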
