Description
Winter Vivern is a group linked to Russian and Belarusian interests, active since at least 2020, that targets various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group combines document-based phishing and server-side exploitation for initial access, and uses adversary-controlled and adversary-created infrastructure for follow-on command and control.(Citation: DomainTools WinterVivern 2021)(Citation: SentinelOne WinterVivern 2023)(Citation: CERT-UA WinterVivern 2023)(Citation: ESET WinterVivern 2023)(Citation: Proofpoint WinterVivern 2023)
Techniques Used (TTPs)
- T1059 — Command and Scripting Interpreter (execution)
- T1071.001 — Web Protocols (command-and-control)
- T1056.003 — Web Portal Capture (collection, credential-access)
- T1033 — System Owner/User Discovery (discovery)
- T1583.003 — Virtual Private Server (resource-development)
- T1059.007 — JavaScript (execution)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1036.004 — Masquerade Task or Service (defense-evasion)
- T1113 — Screen Capture (collection)
- T1189 — Drive-by Compromise (initial-access)
- T1119 — Automated Collection (collection)
- T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
- T1020 — Automated Exfiltration (exfiltration)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1595.002 — Vulnerability Scanning (reconnaissance)
- T1041 — Exfiltration Over C2 Channel (exfiltration)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1584.006 — Web Services (resource-development)
- T1036 — Masquerading (defense-evasion)
- T1583.001 — Domains (resource-development)
- T1082 — System Information Discovery (discovery)
- T1059.003 — Windows Command Shell (execution)
- T1204.001 — Malicious Link (execution)
- T1083 — File and Directory Discovery (discovery)
- T1114.001 — Local Email Collection (collection)
- T1059.001 — PowerShell (execution)
Total TTPs: 27