HATVIBE and CHERRYSPY Malware Detection: Cyber-Espionage Campaign Conducted by TAG-110 aka UAC-0063 Targeting Organizations in Asia and Europe
For nearly three years since the full-scale war in Ukraine began, cyber defenders have reported a growing number of russia-aligned offensive operations targeting Ukrainian organizations to collect intelligence, with attacks increasingly expanding their geographical scope. The russia-backed hacking collective tracked as TAG-110 or UAC-0063 has been observed behind an ongoing cyber-espionage campaign against organizations in Central Asia, East Asia, and Europe. Adversaries leverage the HATVIBE and CHERRYSPY malware tools, focusing mainly on state bodies, human rights organizations, and the educational sector.
Detecting TAG-110 (UAC-0063) Attacks Leveraging HATVIBE and CHERRYSPY
The Russia-affiliated TAG-110 group has remained consistently active in the cyber threat landscape, using Ukraine as a testing ground for new attack tactics and techniques. These verified malicious methods are further applied to global targets of interest to the Moscow government. The group’s ability to test diverse adversary toolkits and utilize various infection vectors during the initial stages of an attack highlights the importance of proactive defense strategies.
SOC Prime’s Platform for collective cyber defense offers a relevant collection of detection algorithms backed by a complete product suite for Advanced Threat Detection, Automated Threat Hunting, and AI-Powered Detection engineering, helping organizations to detect intrusions early and enhance their cybersecurity posture.
SOC Prime’s Platform provides a detection stack addressing the latest TAG-110 attacks against Asia and Europe that use HATVIBE and CHERRYSPY malware. All detection algorithms are mapped to the MITRE ATT&CK® framework, enriched with actionable CTI and metadata, and are ready to deploy into 30+ SIEM, EDR, and Data Lake solutions.
To analyze TAG-110 (aka UAC-0063) group activity retrospectively and gain more context on the TTPs used in its attacks, cyber defenders can also access a dedicated collection of Sigma rules by searching Threat Detection Marketplace with the “UAC-0063” tag.
TAG-110 aka UAC-0063 Attack Analysis Spreading HATVIBE and CHERRYSPY Malware
Researchers from Insikt Group recently uncovered the activity cluster TAG-110, which has been conducting cyber-offensive operations since at least 2021. The group has shown overlap with UAC-0063, monitored by Ukraine’s CERT-UA, and is potentially associated with the APT28 hacking collective (UAC-0001). The latter is directly linked to the Main Directorate of the General Staff of russia’s Armed Forces.
In the latest campaign, TAG-110 primarily attacks organizations in Central Asia, East Asia, and Europe. Defenders have identified 60+ victims from eleven countries, including significant incidents in Kazakhstan, Kyrgyzstan, and Uzbekistan. The group’s activities are likely part of russia’s broader strategy to collect intelligence on geopolitical events and exert influence over post-Soviet regions.
In the ongoing attacks, adversaries apply custom malware tools dubbed HATVIBE and CHERRYSPY. HATVIBE serves as a custom HTML application loader to deliver CHERRYSPY, a Python-based backdoor designed for data theft and espionage. Initial access is typically gained via a phishing attack vector or by exploiting vulnerabilities in web-facing services such as the Rejetto HTTP File Server. HATVIBE maintains persistence by using scheduled tasks executed through the mshta.exe utility. It employs obfuscation methods such as VBScript encoding and XOR encryption. After deployment, it communicates with C2 servers via HTTP PUT requests, sending essential system information. CHERRYSPY enhances HATVIBE by facilitating secure data exfiltration. It employs strong encryption techniques, such as RSA and AES, to communicate with its C2 servers. TAG-110 utilizes CHERRYSPY to track victims’ systems and extract sensitive data, primarily targeting government and research organizations.
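The paragraph above gives two behaviours a defender can turn into detection logic: persistence through a scheduled task that runs mshta.exe, and C2 beaconing over HTTP PUT from the resulting process. The following is an added example written for this page, not a SOC Prime rule and not code from the malware or from Insikt Group's report. It runs the two checks over constructed process-creation and HTTP telemetry; the paths, hostnames and task names are placeholders, and the assumption that a task-launched mshta.exe has svchost.exe (the Task Scheduler service host) as its parent is this example's own simplification.

```python
"""Toy detection logic for the HATVIBE tradecraft described in the text
(constructed example, not a vendor rule; all sample telemetry is made up).

Signals implemented:
  1. schtasks.exe /create whose task action invokes mshta.exe
  2. mshta.exe spawned by svchost.exe (assumed to be the Schedule service host)
  3. HTTP PUT requests originating from an mshta.exe process
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


@dataclass
class HttpEvent:
    process: str   # image name of the process that made the request
    method: str
    url: str


MSHTA_RE = re.compile(r"\bmshta(\.exe)?\b", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"/create\b", re.IGNORECASE)


def detect_mshta_persistence(events):
    """Return (signal_name, command_line) tuples for suspicious task activity."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev.image).lower()
        parent = ntpath.basename(ev.parent_image).lower()
        if (image == "schtasks.exe"
                and SCHTASKS_CREATE_RE.search(ev.command_line)
                and MSHTA_RE.search(ev.command_line)):
            hits.append(("schtasks_mshta_persistence", ev.command_line))
        elif image == "mshta.exe" and parent == "svchost.exe":
            # Assumption: task-launched processes have the scheduler host as parent.
            hits.append(("mshta_spawned_by_scheduler", ev.command_line))
    return hits


def detect_mshta_http_put(events):
    """Return (method, url) tuples for HTTP PUT requests made by mshta.exe."""
    return [(ev.method.upper(), ev.url) for ev in events
            if ev.method.upper() == "PUT" and MSHTA_RE.search(ev.process)]


# Constructed sample telemetry (placeholder paths and hosts, not real IoCs).
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /sc minute /mo 30 /tn "Updater" '
                 r'/tr "mshta.exe C:\Users\Public\update.hta"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /query /tn "Backup"',          # benign query
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\Public\update.hta",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Program Files\Vendor\help.hta",  # launched by an app
                 r"C:\Program Files\Vendor\app.exe"),
]

SAMPLE_HTTP_EVENTS = [
    HttpEvent("mshta.exe", "PUT", "http://c2.example.invalid/upload"),
    HttpEvent("chrome.exe", "PUT", "https://drive.example.invalid/file"),
    HttpEvent("mshta.exe", "GET", "http://intranet.example.invalid/page.hta"),
]


def run_sample():
    """Run both detectors over the constructed telemetry."""
    return {
        "persistence": detect_mshta_persistence(SAMPLE_PROCESS_EVENTS),
        "beacons": detect_mshta_http_put(SAMPLE_HTTP_EVENTS),
    }


if __name__ == "__main__":
    for name, hits in run_sample().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

The two hits in the persistence check, and the single PUT beacon, correspond to the behaviours the text attributes to HATVIBE; the benign schtasks query, the vendor-launched HTA and the browser upload fall through, which is the false-positive surface a production rule would need to tune against (for example by allow-listing signed HTA paths).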
Notably, in mid-summer 2024, UAC-0063 was experimenting with the same malicious samples and weaponized a known HFS HTTP File Server vulnerability in attacks against Ukrainian research institutions. Earlier, in May 2024, the group targeted organizations in Ukraine, Central and East Asia, Israel, and India via spoofed emails.
To mitigate TAG-110 and similar threats, organizations are advised to patch security flaws promptly to minimize the risk of exploitation, enforce multi-factor authentication and other additional layers of security protection, and improve cybersecurity awareness.
As nation-backed APT groups continue to carry out sophisticated campaigns to achieve their strategic goals and collect intelligence, strengthening proactive cyber defense measures is imperative for organizations worldwide. With TAG-110 likely to maintain its cyber-espionage operations against post-Soviet Central Asian nations, Ukraine, and its allies, progressive organizations are seeking future-proof solutions to proactively defend against TAG-110 cyber-attacks.
To help safeguard organizations across multiple industry verticals from APT attacks and critical threats of any sophistication, SOC Prime curates a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection acting as a cutting-edge enterprise-ready solution for strengthening defenses at scale. SOC Prime also curates a Fast Start Threat Hunting and Detection Engineering limited-time offer tailored for MSSP/MDR organizations and enterprises.