Saturday, January 18, 2025
HomeCyber AttackHive0117 Group Attacking Employees of Energy, Finance, & Software Industries

Hive0117 Group Attacking Employees of Energy, Finance, & Software Industries

Published on

SIEM as a Service

Follow Us on Google News

Hive0117 group has launched a new phishing campaign, which targets individuals working for significant industries in the energy, banking, transportation, and software security sectors with headquarters in Russia, Kazakhstan, Latvia, and Estonia.

This group is known for disseminating the fileless malware known as DarkWatchman, which has keylogging, information-gathering, and secondary payload deployment capabilities.

IBM X-Force reports that with the use of emerging regulations connected with the ongoing crisis in Ukraine to conduct operations, together with the varied functionality and fileless nature of DarkWatchman malware, it is quite probable that Hive0117 represents a danger to in-region entities and businesses.

New Hive0117 Phishing Campaign

The emails are sent to people’s work email accounts, and use an electronic summons for conscription in the Russian Armed Forces as their phishing lure.

Actors associated with Hive0117 sent emails in Russian with subject lines that seemed to be Orders for mobilization as of 10 May 2023.

“For authenticity, the emails include multiple images along with logos of the official coat of arms of the Russian Ministry of Defense,” according to the information shared with Cyber Security News.

“Machine translation of the email shows references to the then-recent legislation regarding guidance surrounding mobilization to the Russian Armed Forces.”

Hive0117 phish imitating electronic conscription notice

The email sender is a fictitious organization of the Russian Federation’s Ministry of Defense’s Main Directorate of the Military Commissariat.

This email archive file attachments include an executable that, when run, installs DarkWatchman malware, which works similarly to the Hive0117 malware described in April 2022.

DarkWatchman Malware infection chain

The downloader files download files to the%TEMP% folder, where a self-extracting archive (SFX) installer dumps two files: a JS file and a file containing a blob of hexadecimal characters.

With the SFX file’s path as an input, the JS is executed by the SFX file. The blob contains encrypted data that, when decoded, contains a block of base64-encoded PowerShell that implements a keylogger, and the JS file contains obfuscated code that serves as the backdoor. 

The setup has a note that reads, “The comment below contains SFX script commands” in Russian.

“The JavaScript backdoor is executed using the Windows Script Host (WSH) environment, wscript.exe, and utilizes the Windows Registry as a storage mechanism for configuration and other data to avoid writing to disk and avoid detection by anti-virus software,” researchers explain.

Every time Hive0117 begins, a UID string is generated and utilized for various functions. The backdoor produces a scheduled job that is named with the UID and has elevated rights to run as if an admin user first launched it.

The backdoor searches for the keylogger-containing file opens it, reads the data within, and uses XOR operations to decode it.

A bit more advanced capabilities may be seen in the fileless nature of the DarkWatchman malware. Therefore, the entities in the specific region should maintain a high level of defensive protection.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....