Security News > 2023 > March > Winter Vivern APT hackers use fake antivirus scans to install malware
Sentinel Labs has previously seen spreadsheet files with malicious macros that launch PowerShell being dropped on cloned sites used by the APT. Deploying fake virus scanners.
One example of Winter Vivern's resourcefulness in the Sentinel Labs report is the use of Windows batch files to impersonate antivirus scanners while, in reality, downloading malicious payloads.
As you can see from the batch files below, the malicious files will pretend to perform an antivirus scan, showing a running percentage of time left, while quietly downloading a malicious payload using PowerShell.
The malware is hosted on compromised WordPress websites, which are commonly used for malware distribution campaigns.
The Aperetif malware is capable of automatic file scanning and exfiltration, taking screenshots and sending all data in a base64-encoded form to a hardcoded command and control server URL. Sentinel Labs has recently spotted a new payload used by Winter Vivern, which appears to be similar in functionality to Aperefit, but it features an incomplete design, indicating that it's a work in progress.
In conclusion, Winter Vivern is a group that uses a relatively simplistic yet effective approach to lure its targets into downloading malicious files.
News URL
Related news
- APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign (source)
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS (source)
- North Korean hackers use new macOS malware against crypto firms (source)
- Unpatched Mazda Connect bugs let hackers install persistent malware (source)
- North Korean Hackers Target macOS Using Flutter-Embedded Malware (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- Chinese hackers target Linux with new WolfsBane malware (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)