Winter Vivern
Associated Group Descriptions

Name | Description
---|---
UAC-0114 | (Citation: CERT-UA WinterVivern 2023)
TA473 | (Citation: Proofpoint WinterVivern 2023)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1583.001 | Acquire Infrastructure: Domains | Winter Vivern registered domains mimicking other entities throughout various campaigns. (Citation: DomainTools WinterVivern 2021)
Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | Winter Vivern used adversary-owned and -controlled servers to host web vulnerability scanning applications. (Citation: SentinelOne WinterVivern 2023)
Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning | Winter Vivern has used remotely hosted instances of the Acunetix vulnerability scanner. (Citation: SentinelOne WinterVivern 2023)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Winter Vivern uses the HTTP and HTTPS protocols for exfiltration and command and control activity. (Citation: SentinelOne WinterVivern 2023) (Citation: CERT-UA WinterVivern 2023)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Winter Vivern passed execution from document macros to PowerShell scripts during initial access operations. (Citation: DomainTools WinterVivern 2021) Winter Vivern used batch scripts that called PowerShell commands as part of initial access and installation operations. (Citation: CERT-UA WinterVivern 2023)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Winter Vivern distributed Windows batch scripts disguised as virus scanners to prompt the download of malicious payloads using built-in system tools. (Citation: SentinelOne WinterVivern 2023) (Citation: CERT-UA WinterVivern 2023)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Winter Vivern delivered malicious JavaScript to targets when exploiting Roundcube Webmail servers. (Citation: ESET WinterVivern 2023)
Enterprise | T1584.006 | Compromise Infrastructure: Web Services | Winter Vivern has used compromised WordPress sites to host malicious payloads for download. (Citation: SentinelOne WinterVivern 2023)
Enterprise | T1114.001 | Email Collection: Local Email Collection | Winter Vivern delivered malicious JavaScript payloads capable of exfiltrating email messages from exploited email servers. (Citation: ESET WinterVivern 2023)
Enterprise | T1056.003 | Input Capture: Web Portal Capture | Winter Vivern registered and hosted domains to allow for the creation of web pages mimicking legitimate government email logon sites to collect logon information. (Citation: SentinelOne WinterVivern 2023)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Winter Vivern has distributed malicious scripts and executables mimicking virus scanners. (Citation: SentinelOne WinterVivern 2023)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Winter Vivern leverages malicious attachments delivered via email for initial access activity. (Citation: DomainTools WinterVivern 2021) (Citation: SentinelOne WinterVivern 2023) (Citation: CERT-UA WinterVivern 2023)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Winter Vivern executed PowerShell scripts that would subsequently attempt to establish persistence by creating scheduled task objects to periodically retrieve and execute remotely hosted payloads. (Citation: DomainTools WinterVivern 2021)
Enterprise | T1204.001 | User Execution: Malicious Link | Winter Vivern has mimicked legitimate government-related domains to deliver malicious web pages containing links to documents or other content for user execution. (Citation: SentinelOne WinterVivern 2023) (Citation: CERT-UA WinterVivern 2023)