Introduction
Winter Vivern is a group linked to Russian and Belarusian interests, active since at least 2020, that targets European government and NGO entities, with sporadic targeting of Indian and US victims. The group combines document-based phishing with server-side exploitation of public-facing webmail portals (Roundcube and Zimbra, per [6] and [7]) for initial access, and uses adversary-controlled and adversary-created infrastructure for follow-on command and control. [5][8][4][6][7]
Activities and Tactics
Country of Origin: 🇷🇺 Russia
Suspected Victims: Germany
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1059 Command and Scripting Interpreter
- T1071.001 Web Protocols
- T1056.003 Web Portal Capture
- T1033 System Owner/User Discovery
- T1583.003 Virtual Private Server
- T1059.007 JavaScript
- T1566.001 Spearphishing Attachment
- T1036.004 Masquerade Task or Service
- T1113 Screen Capture
- T1189 Drive-by Compromise
- T1119 Automated Collection
- T1140 Deobfuscate/Decode Files or Information
- T1020 Automated Exfiltration
- T1105 Ingress Tool Transfer
- T1190 Exploit Public-Facing Application
- T1595.002 Vulnerability Scanning
- T1041 Exfiltration Over C2 Channel
- T1053.005 Scheduled Task
- T1584.006 Web Services
- T1036 Masquerading
- T1583.001 Domains
- T1082 System Information Discovery
- T1059.003 Windows Command Shell
- T1204.001 Malicious Link
- T1083 File and Directory Discovery
- T1114.001 Local Email Collection
- T1059.001 PowerShell
ATT&CK technique IDs (denormalized)
- T1020
- T1033
- T1036
- T1036.004
- T1041
- T1053.005
- T1056.003
- T1059
- T1059.001
- T1059.003
- T1059.007
- T1071.001
- T1082
- T1083
- T1105
- T1113
- T1114.001
- T1119
- T1140
- T1189
- T1190
- T1204.001
- T1566.001
- T1583.001
- T1583.003
- T1584.006
- T1595.002
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- APERETIF
Attribution and Evidence
Country of Origin: Russia
Tracked by CERT-UA as UAC-0114 [4]. Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK.
[4] CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
[5] Chad Anderson (DomainTools). (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024.
[6] Matthieu Faou (ESET). (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024.
[7] Michael Raggi & The Proofpoint Threat Research Team. (2023, March 30). Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe. Retrieved July 29, 2024.
[8] Tom Hegel (SentinelOne). (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.