Hive0117 Group Attacking Employees of Energy, Finance, & Software Industries

Hive0117 group has launched a new phishing campaign, which targets individuals working for significant industries in the energy, banking, transportation, and software security sectors with headquarters in Russia, Kazakhstan, Latvia, and Estonia.

This group is known for disseminating the fileless malware known as DarkWatchman, which has keylogging, information-gathering, and secondary payload deployment capabilities.

IBM X-Force reports that with the use of emerging regulations connected with the ongoing crisis in Ukraine to conduct operations, together with the varied functionality and fileless nature of DarkWatchman malware, it is quite probable that Hive0117 represents a danger to in-region entities and businesses.

New Hive0117 Phishing Campaign

The emails are sent to people’s work email accounts, and use an electronic summons for conscription in the Russian Armed Forces as their phishing lure.

Actors associated with Hive0117 sent emails in Russian with subject lines that seemed to be Orders for mobilization as of 10 May 2023.

“For authenticity, the emails include multiple images along with logos of the official coat of arms of the Russian Ministry of Defense,” according to the information shared with Cyber Security News.

“Machine translation of the email shows references to the then-recent legislation regarding guidance surrounding mobilization to the Russian Armed Forces.”

The email sender is a fictitious organization of the Russian Federation’s Ministry of Defense’s Main Directorate of the Military Commissariat.

This email archive file attachments include an executable that, when run, installs DarkWatchman malware, which works similarly to the Hive0117 malware described in April 2022.

The downloader files download files to the%TEMP% folder, where a self-extracting archive (SFX) installer dumps two files: a JS file and a file containing a blob of hexadecimal characters.

With the SFX file’s path as an input, the JS is executed by the SFX file. The blob contains encrypted data that, when decoded, contains a block of base64-encoded PowerShell that implements a keylogger, and the JS file contains obfuscated code that serves as the backdoor. 

The setup has a note that reads, “The comment below contains SFX script commands” in Russian.

“The JavaScript backdoor is executed using the Windows Script Host (WSH) environment, wscript.exe, and utilizes the Windows Registry as a storage mechanism for configuration and other data to avoid writing to disk and avoid detection by anti-virus software,” researchers explain.

Every time Hive0117 begins, a UID string is generated and utilized for various functions. The backdoor produces a scheduled job that is named with the UID and has elevated rights to run as if an admin user first launched it.

The backdoor searches for the keylogger-containing file opens it, reads the data within, and uses XOR operations to decode it.

A bit more advanced capabilities may be seen in the fileless nature of the DarkWatchman malware. Therefore, the entities in the specific region should maintain a high level of defensive protection.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.