Hive0117 Group Attacking Employees of Energy, Finance, & Software Industries

Hive0117 group has launched a new phishing campaign, which targets individuals working for significant industries in the energy, banking, transportation, and software security sectors with headquarters in Russia, Kazakhstan, Latvia, and Estonia.

This group is known for disseminating the fileless malware known as DarkWatchman, which has keylogging, information-gathering, and secondary payload deployment capabilities.

IBM X-Force reports that with the use of emerging regulations connected with the ongoing crisis in Ukraine to conduct operations, together with the varied functionality and fileless nature of DarkWatchman malware, it is quite probable that Hive0117 represents a danger to in-region entities and businesses.

New Hive0117 Phishing Campaign

The emails are sent to people’s work email accounts, and use an electronic summons for conscription in the Russian Armed Forces as their phishing lure.

Actors associated with Hive0117 sent emails in Russian with subject lines that seemed to be Orders for mobilization as of 10 May 2023.

“For authenticity, the emails include multiple images along with logos of the official coat of arms of the Russian Ministry of Defense,” according to the information shared with Cyber Security News.

“Machine translation of the email shows references to the then-recent legislation regarding guidance surrounding mobilization to the Russian Armed Forces.”

Hive0117 phish imitating electronic conscription notice

The email sender is a fictitious organization of the Russian Federation’s Ministry of Defense’s Main Directorate of the Military Commissariat.

This email archive file attachments include an executable that, when run, installs DarkWatchman malware, which works similarly to the Hive0117 malware described in April 2022.

DarkWatchman Malware infection chain

The downloader files download files to the%TEMP% folder, where a self-extracting archive (SFX) installer dumps two files: a JS file and a file containing a blob of hexadecimal characters.

With the SFX file’s path as an input, the JS is executed by the SFX file. The blob contains encrypted data that, when decoded, contains a block of base64-encoded PowerShell that implements a keylogger, and the JS file contains obfuscated code that serves as the backdoor. 

The setup has a note that reads, “The comment below contains SFX script commands” in Russian.

“The JavaScript backdoor is executed using the Windows Script Host (WSH) environment, wscript.exe, and utilizes the Windows Registry as a storage mechanism for configuration and other data to avoid writing to disk and avoid detection by anti-virus software,” researchers explain.

Every time Hive0117 begins, a UID string is generated and utilized for various functions. The backdoor produces a scheduled job that is named with the UID and has elevated rights to run as if an admin user first launched it.

The backdoor searches for the keylogger-containing file opens it, reads the data within, and uses XOR operations to decode it.

A bit more advanced capabilities may be seen in the fileless nature of the DarkWatchman malware. Therefore, the entities in the specific region should maintain a high level of defensive protection.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Dell Wyse Management Suite Vulnerabilities Let Attackers Exploit Affected Systems Remotely

Dell Technologies has released a security update for its Wyse Management Suite (WMS) to address…

22 minutes ago

CISA Details Red Team Assessment Including TTPs & Network Defense

The Cybersecurity and Infrastructure Security Agency (CISA) recently detailed findings from a Red Team Assessment…

30 minutes ago

IBM Workload Scheduler Vulnerability Stores User Credentials in Plain Text

IBM has issued a security bulletin warning customers about a vulnerability in its Workload Scheduler…

55 minutes ago

Multiple Flaws With Android & Google Pixel Devices Let Attackers Elevate Privileges

Several high-severity vulnerabilities have been identified in Android and Google Pixel devices, exposing millions of…

1 hour ago

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

17 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

17 hours ago