TAG-110 Attacking Users With HATVIBE And CHERRYSPY Hacking Tools

TAG-110, a threat group affiliated with Russia, is conducting an ongoing cyber-espionage campaign targeting organizations in Central Asia, East Asia, and Europe.

The group mainly targets government agencies, human rights organizations, and educational institutions with custom malware, such as HATVIBE and CHERRYSPY.


Further, the activities of TAG-110 most likely form part of a larger Russian strategy to maintain influence in post-Soviet states and to obtain intelligence on geopolitical developments.

According to Recorded Future’s Insikt Group, as of July 2024, 62 victims have been identified in 11 nations, with noteworthy events in Kyrgyzstan, Uzbekistan, and Kazakhstan.

TAG-110 targeting by country (Source: Recorded Future)

Overview Of The TAG-110 Threat Group

TAG-110 is a threat activity group that shares similarities with the publicly known group UAC-0063, which CERT-UA has connected to BlueDelta (APT28) with “medium confidence.” Since at least 2021, TAG-110 has conducted espionage operations in line with Russian state interests.

According to earlier sources, TAG-110 mostly targets organizations in Central Asia, with additional targets situated in Israel, Ukraine, and Mongolia.

TAG-110 has been using custom malware families such as HATVIBE and CHERRYSPY to target individuals. Researchers note that the group overlaps with UAC-0063, which has been linked to the Russian APT group BlueDelta (APT28) with medium confidence.

HATVIBE

TAG-110 has been using HATVIBE, a custom HTML Application (HTA) loader, since at least April 2023. Its main purpose is to load additional malware, such as the CHERRYSPY backdoor.

It is distributed through malicious email attachments or by exploiting vulnerabilities in web-facing software, such as CVE-2024-23692.

Persistence is achieved through scheduled tasks that execute the loader via the mshta.exe utility. HATVIBE's obfuscation methods include XOR encryption and VBScript encoding.

Once deployed, it communicates with its command-and-control (C2) servers using HTTP PUT requests, through which it sends basic system information.
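As an added illustration of how a defender might look for the two HATVIBE behaviours described above (the Task Scheduler launching mshta.exe, and HTTP PUT beacons to unsanctioned hosts), the following small Python detector runs over constructed sample events. It is not code from the original report; the single-line event format, the host names and the allow-list are assumptions made for the example.

```python
import re

# Constructed sample telemetry (hypothetical, not real TAG-110 data). Each line is a
# simplified event: an event kind followed by key=value pairs; values may be quoted.
SAMPLE_EVENTS = [
    'proc parent="C:\\Windows\\System32\\svchost.exe -k netsvcs -s Schedule" image="C:\\Windows\\System32\\mshta.exe" cmdline="mshta.exe C:\\Users\\Public\\report.hta"',
    'proc parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\mshta.exe" cmdline="mshta.exe C:\\Users\\alice\\Downloads\\invoice.hta"',
    'proc parent="C:\\Windows\\System32\\svchost.exe -k netsvcs -s Schedule" image="C:\\Program Files\\Backup\\backup.exe" cmdline="backup.exe --nightly"',
    "http method=PUT host=telemetry-placeholder.example uri=/api/stat src=10.1.2.3",
    "http method=PUT host=sharepoint.corp.example uri=/sites/docs/upload src=10.1.2.4",
    "http method=GET host=telemetry-placeholder.example uri=/ src=10.1.2.3",
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Scheduled tasks are spawned by svchost.exe hosting the Schedule service
# (taskeng.exe on older Windows versions).
SCHEDULER_PARENTS = ("svchost.exe", "taskeng.exe")
# Constructed allow-list of sanctioned destinations for HTTP PUT uploads.
ALLOWED_PUT_HOSTS = {"sharepoint.corp.example"}

def parse_event(line):
    """Split 'kind k=v k="v with spaces"' into a dict."""
    kind, _, rest = line.partition(" ")
    fields = {k: (q or u) for k, q, u in KV_RE.findall(rest)}
    fields["kind"] = kind
    return fields

def mshta_from_scheduler(ev):
    """Flag mshta.exe whose parent is the Task Scheduler host process."""
    if ev.get("kind") != "proc":
        return None
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    parent_exe = parent.rsplit("\\", 1)[-1].split()[0] if parent else ""
    is_scheduler = parent_exe == "taskeng.exe" or (parent_exe == "svchost.exe" and "schedule" in parent)
    if image.endswith("mshta.exe") and is_scheduler:
        return f"mshta.exe launched by Task Scheduler: {ev.get('cmdline')}"
    return None

def suspicious_put(ev):
    """Flag HTTP PUT requests to hosts outside the upload allow-list."""
    if ev.get("kind") != "http" or ev.get("method") != "PUT":
        return None
    if ev.get("host") in ALLOWED_PUT_HOSTS:
        return None
    return f"HTTP PUT to unsanctioned host {ev['host']} from {ev.get('src')}"

def scan(lines):
    """Run every rule over every event and return the alert messages."""
    alerts = []
    for ev in map(parse_event, lines):
        alerts.extend(hit for hit in (mshta_from_scheduler(ev), suspicious_put(ev)) if hit)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the sample events this yields two alerts: the scheduler-launched mshta.exe and the PUT to the unsanctioned host; the user-launched HTA and the sanctioned upload are not flagged.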

CHERRYSPY

Since at least April 2023, TAG-110 has been using the custom Python backdoor CHERRYSPY for espionage purposes.

HATVIBE has been observed downloading CHERRYSPY and launching it with a Python interpreter. CHERRYSPY encrypts its communication with its C2 servers using RSA and the Advanced Encryption Standard (AES).

TAG-110, which frequently targets governmental and research organizations, employs CHERRYSPY to monitor victims’ systems and retrieve private data.

Mitigations

  • Use network defense tools, intrusion detection systems, and intrusion prevention systems to identify malicious domains and IP addresses associated with TAG-110.
  • Deploy Snort, Suricata, and YARA rules to detect activity linked to HATVIBE and CHERRYSPY.
  • Apply software updates promptly to prevent exploitation of known vulnerabilities such as CVE-2024-23692.
  • Train employees to recognize phishing attempts and enforce multi-factor authentication.

Indicators of Compromise

C2 Domains:


C2 IP Addresses:

