# Full Report
Russian companies have been targeted as part of a large-scale phishing campaign that's designed to deliver a known malware called DarkWatchman. Targets of the attacks include entities in the media, tourism, finance and insurance, manufacturing, retail, energy, telecom, transport, and biotechnology sectors, Russian cybersecurity company F6 said. The activity is assessed to be the work of a
# Analysis Summary
# Threat Actor: Hive0117
## Attribution & Identity
Tracked by IBM X-Force as a financially motivated group. No state sponsorship is described in the available context, but the group's activity concentrates on Russia and neighbouring states.
## Activity Summary
Hive0117 has been associated with large-scale, financially motivated phishing campaigns delivering the **DarkWatchman** malware.
* **Historical Activities:** Attacks aimed at users in Lithuania, Estonia, and Russia spanning telecom, electronic, and industrial sectors (mentioned around May 2022).
* **September 2023 Campaign:** Targeted energy, finance, transport, and software security industries in Russia, Kazakhstan, Latvia, and Estonia using DarkWatchman via phishing.
* **November 2023 Campaign:** Targeted Russian entities including banks, retailers, marketplaces, telecom operators, agro-industrial enterprises, fuel and energy companies, logistics businesses, and IT firms using DarkWatchman with courier delivery-themed lures.
* The article also discusses a separate, unidentified actor targeting Ukraine's defense sector with the **Sheriff** backdoor in early 2024, but direct attribution to Hive0117 is not made for the Sheriff incident.
## Tactics, Techniques & Procedures
**Related to DarkWatchman Malware:**
* Initial access via **phishing emails** containing password-protected malicious archives.
* Delivery of the **DarkWatchman** malware, which is described as a JavaScript-based Remote Access Trojan (RAT).
* Fileless execution capabilities.
* Use of a C# keylogger.
* Ability to collect system information.
* Capability to deploy secondary payloads.
* Self-destruction/trace removal functionality ("when instructed").
* Use of **Courier delivery-themed lures** in some campaigns.
**Related to Sheriff Malware (Potential overlap/related activity, attributed to an unspecified entity):**
* Staging malware on a trusted domain (ukr.net news portal) for enhanced obfuscation.
* Modular backdoor capabilities.
* Remote command execution.
* Data exfiltration using the Dropbox cloud storage API.
* Taking covert screenshots (15-minute intervals noted).
* "Suicide" function to cease activity and delete malware/C2 folders.
* Overlap noted with TTPs and functions of Turla's Kazuar and Crutch, Operation Groundbait's Prikormka, and Bad Magic's CloudWizard.
## Targeting
* **Sectors (Hive0117/DarkWatchman):** Media, tourism, finance and insurance, manufacturing, retail, energy, telecom, transport, biotechnology, software security industries, Russian banks, marketplaces, telecom operators, agro-industrial enterprises, fuel and energy companies, logistics businesses, and IT firms.
* **Sectors (Unspecified Actor/Sheriff):** Ukraine's defense sector.
* **Geography (Hive0117/DarkWatchman):** Russia, Lithuania, Estonia, Latvia, and Kazakhstan.
* **Geography (Unspecified Actor/Sheriff):** Ukraine.
* **Victims (Hive0117/DarkWatchman):** Generally focused on organizations within the specified sectors in the targeted countries.
## Tools & Infrastructure
* **Malware families used:** DarkWatchman (JavaScript RAT, C# keylogger), Sheriff (Modular Backdoor).
* **Infrastructure (Sheriff related):** Use of the popular Ukrainian news portal **ukr.net** to stage the Sheriff backdoor. Exfiltration via the **Dropbox cloud storage API**.
## Implications
Hive0117 appears to be a sophisticated, financially motivated actor capable of sustained, high-volume phishing campaigns across critical infrastructure sectors in Russia and neighboring countries. The use of fileless techniques and improved detection evasion methods in DarkWatchman suggests continuous development. The separate targeting of Ukraine's defense sector using supply chain methods (compromising a trusted news portal) suggests a current operational focus that may blend financial and potentially espionage objectives related to the regional conflict.
## Mitigations
* Strengthen email protection against password-protected archives and suspicious attachments commonly used in phishing.
* Implement advanced endpoint detection and response (EDR) capable of detecting fileless malware execution, particularly JavaScript-based threats.
* Monitor for unusual system information collection or keylogging activity.
* Review and restrict egress traffic to cloud storage APIs (such as Dropbox) that are not strictly required for business operations, since they can serve as command-and-control or exfiltration channels.
* For organizations in Ukraine, be aware of sophisticated supply chain compromise attempts, including the staging of malware on highly trusted local web portals.
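One way to act on the EDR and monitoring points above is a process-creation rule that flags a Windows script host running a JavaScript file from a user-writable path (where an extracted phishing archive would land). This is an added example, not detection logic from F6, IBM X-Force or the report; the script-host names, the path patterns and the sample events are all constructed assumptions.

```python
import re

# Constructed sample process-creation events (not from the report):
# (parent_image, image, command_line). The first two model a JavaScript
# RAT launched by a script host from an archive-extraction or Downloads
# path; the last two are benign noise that must not fire.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\7-Zip\\7zFM.exe",
     "C:\\Windows\\System32\\wscript.exe",
     'wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\7zO1A2B\\invoice.js"'),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\cscript.exe",
     'cscript.exe //E:jscript C:\\Users\\bob\\Downloads\\parcel_notice.js.txt'),
    ("C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\wscript.exe",
     'wscript.exe C:\\ProgramData\\Vendor\\maintenance.vbs'),
    ("C:\\Windows\\explorer.exe",
     "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     'WINWORD.EXE C:\\Users\\alice\\Downloads\\report.docx'),
]

# Assumed script hosts of interest; the report does not name the host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable locations where a phishing archive is typically extracted.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)|Temp)\\", re.I)
# A .js file, or the JScript engine being selected explicitly.
JS_HINT = re.compile(r"\.js\b|//e:jscript", re.I)


def is_suspicious(parent, image, cmdline):
    """Flag a script host executing JavaScript from a user-writable path."""
    if image.rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
        return False
    return bool(USER_WRITABLE.search(cmdline) and JS_HINT.search(cmdline))


def detect(events):
    """Return the subset of events that match the rule."""
    return [e for e in events if is_suspicious(*e)]


if __name__ == "__main__":
    for parent, image, cmdline in detect(SAMPLE_EVENTS):
        print(f"ALERT parent={parent} image={image} cmd={cmdline}")
```

On real telemetry the rule should be joined with the parent process (archive utility or Explorer) and the file's mark-of-the-web to reduce noise from legitimate admin scripts.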