1. Home
  2. Groups
  3. Winter Vivern

Winter Vivern

Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.[1][2][3][4][5]

ID: G1035
Associated Groups: TA473, UAC-0114
Contributors: Onur Atali
Version: 1.0
Created: 29 July 2024
Last Modified: 10 October 2024
Version Permalink

Associated Group Descriptions

Name Description
TA473

[5]
UAC-0114

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Winter Vivern registered domains mimicking other entities throughout various campaigns.[1]
.003 Acquire Infrastructure: Virtual Private Server

Winter Vivern used adversary-owned and -controlled servers to host web vulnerability scanning applications.[2]
Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Winter Vivern has used remotely-hosted instances of the Acunetix vulnerability scanner.[2]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Winter Vivern uses HTTP and HTTPS protocols for exfiltration and command and control activity.[2][3]
Enterprise T1119 Automated Collection

Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.[3]
Enterprise T1020 Automated Exfiltration

Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.[3]
Enterprise T1059 Command and Scripting Interpreter

Winter Vivern used XLM 4.0 macros for initial code execution for malicious document files.[1]
.001 PowerShell

Winter Vivern passed execution from document macros to PowerShell scripts during initial access operations.[1] Winter Vivern used batch scripts that called PowerShell commands as part of initial access and installation operations.[3]
.003 Windows Command Shell

Winter Vivern distributed Windows batch scripts disguised as virus scanners to prompt download of malicious payloads using built-in system tools.[2][3]
.007 JavaScript

Winter Vivern delivered malicious JavaScript to exploit targets when exploiting Roundcube Webmail servers.[4]
Enterprise T1584 .006 Compromise Infrastructure: Web Services

Winter Vivern has used compromised WordPress sites to host malicious payloads for download.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

Winter Vivern delivered exploit payloads via base64-encoded payloads in malicious email messages.[4]
Enterprise T1189 Drive-by Compromise

Winter Vivern created dedicated web pages mimicking legitimate government websites to deliver malicious fake anti-virus software.[3]
Enterprise T1114 .001 Email Collection: Local Email Collection

Winter Vivern delivered malicious JavaScript payloads capable of exfiltrating email messages from exploited email servers.[4]
Enterprise T1041 Exfiltration Over C2 Channel

Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.[3]
Enterprise T1190 Exploit Public-Facing Application

Winter Vivern has exploited known and zero-day vulnerabilities in software usch as Roundcube Webmail servers and the "Follina" vulnerability.[4][5]
Enterprise T1083 File and Directory Discovery

Winter Vivern delivered malicious JavaScript payloads capable of listing folders and emails in exploited email servers.[4]
Enterprise T1105 Ingress Tool Transfer

Winter Vivern executed PowerShell scripts to create scheduled tasks to retrieve remotely-hosted payloads.[1]
Enterprise T1056 .003 Input Capture: Web Portal Capture

Winter Vivern registered and hosted domains to allow for creation of web pages mimicking legitimate government email logon sites to collect logon information.[2]
Enterprise T1036 Masquerading

Winter Vivern created specially-crafted documents mimicking legitimate government or similar documents during phishing campaigns.[2]
.004 Masquerade Task or Service

Winter Vivern has distributed malicious scripts and executables mimicking virus scanners.[2]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Winter Vivern leverages malicious attachments delivered via email for initial access activity.[1][2][3]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Winter Vivern executed PowerShell scripts that would subsequently attempt to establish persistence by creating scheduled tasks objects to periodically retrieve and execute remotely-hosted payloads.[1]
Enterprise T1113 Screen Capture

Winter Vivern delivered PowerShell scripts capable of taking screenshots of victim machines.[3]
Enterprise T1082 System Information Discovery

Winter Vivern script execution includes basic victim information gathering steps which are then transmitted to command and control servers.[1]
Enterprise T1033 System Owner/User Discovery

Winter Vivern PowerShell scripts execute whoami to identify the executing user.[2]
Enterprise T1204 .001 User Execution: Malicious Link

Winter Vivern has mimicked legitimate government-related domains to deliver malicious webpages containing links to documents or other content for user execution.[2][3]

References

  1. Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024.
  2. Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.
  3. CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
  1. Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024.
  2. Michael Raggi & The Proofpoint Threat Research Team. (2023, March 30). Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe. Retrieved July 29, 2024.