date 2022-04-26

Through continued research into the ongoing cyber activity throughout Eastern Europe, IBM Security X-Force identified a phishing email campaign by Hive0117, likely a financially motivated cybercriminal group, from February 2022, designed to deliver the fileless malware variant dubbed DarkWatchman. The campaign masquerades as official communications from the Russian Government’s Federal Bailiffs Service; the Russian-language emails are addressed to users in Lithuania, Estonia, and Russia in the telecommunications, electronic and industrial sectors. The activity predates and is not believed to be associated with the Russian-led invasion of Ukraine.

X-Force assesses that it is possible the targeting of telecommunication providers and their industry-adjacent suppliers is ultimately intended to enable illegal access to the numerous distributed clients and end users they serve.

DarkWatchman is a JavaScript-based Remote Access Trojan (RAT) that uses command and control (C2) mechanisms for fileless persistence, among other capabilities.

The phishing activity discovered by X-Force (tracked internally as Hive0117) aligns with research published in December 2021, detailing a similar phishing campaign designed to deliver a DarkWatchman payload by imitating a Russia-based freight and logistics company.

Given the elevated levels of threat activity associated with the ongoing regional crisis, the evidence may suggest that threat actors will leverage the current climate to conduct and obfuscate further activity.