Date: 2024-07-26

Throughout early 2024, X-Force recorded several Hive0137 campaigns using new payloads and crypters. Hive0137 emails are composed primarily in English and use a variety of themes including reimbursement requests, invoices, project budget reviews, report analyses and meeting presentations.

Beginning in mid-February 2024, X-Force observed Hive0137 experimenting with new attachment types, demonstrating at least a temporary shift away from previously preferred methods such as PDFs delivering malicious URLs. The campaigns leveraged Excel attachments containing a malicious URL in the form of a UNC file path, e.g. \\147.182.156[.]154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs, which, when clicked, downloads the next stage, typically a VBS or JavaScript file. That file then downloads and executes the final DarkGate payload.

Of particular interest, the same change of techniques was observed in parallel Hive0118 (aka TA577) campaigns. Hive0118 is an email distributor that frequently provides initial access for ransomware attacks conducted by threat actors with ties to the Trickbot/Conti syndicate (ITG23). This group uses thread hijacking of stolen emails and targets entities globally in widespread campaigns. In the observed case the group distributed Dave-crypted Pikabot samples. In previous campaigns, Hive0118 delivered malware including DarkGate, Qakbot and IcedID using various ITG23-related crypters such as Forest, Snow and Quicksand.

In late March 2024, Hive0137 also distributed Dave-crypted Pikabot payloads. These were delivered through malicious HTML files leveraging the “search-ms” protocol to stage payloads from remote SMB shares. The delivery of Pikabot reinforces X-Force’s assessment that Hive0137 campaigns are used for initial access leading to ransomware attacks. The Pikabot loader, which has been active since early 2023, shares several similarities with Qakbot and has been delivered frequently by Hive0118, particularly in late 2023 following Qakbot’s disruption. Like Qakbot, Pikabot infections have typically led to BlackBasta ransomware.
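Both delivery mechanisms described above (the UNC path to a script on a remote share, and the search-ms URI whose location crumb points at a remote SMB share) leave distinctive strings in the email body or HTML attachment. The following added example, not part of the X-Force report, shows a simple triage check a defender could run over extracted attachment or email text: it refangs defanged indicators, flags UNC paths to public IP addresses ending in a script extension, and flags search-ms URIs that reference a UNC location. The sample text and the 203.0.113.10 address are constructed; the 147.182.156[.]154 path is the one quoted in the report.

```python
import ipaddress
import re
from urllib.parse import unquote

# UNC path: \\host\path (host may be an IP or hostname)
UNC_RE = re.compile(r'\\\\([A-Za-z0-9.\-]+)\\([^\s<>"]+)')
# Windows search-ms: protocol URI as it appears in HTML/email bodies
SEARCH_MS_RE = re.compile(r'search-ms:[^\s<>"]+', re.IGNORECASE)
SCRIPT_EXTS = {"vbs", "js", "jse", "wsf", "hta", "lnk"}

def refang(text: str) -> str:
    """Turn defanged indicators such as 147.182.156[.]154 back into parseable form."""
    return text.replace("[.]", ".")

def is_public_host(host: str) -> bool:
    """True only for literal IPs outside private/reserved ranges; hostnames
    are left for DNS/reputation checks and return False here."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False

def find_suspicious_references(text: str) -> list:
    """Return findings for UNC script paths on public IPs and for search-ms
    URIs whose location crumb is a UNC (remote share) path."""
    findings = []
    text = refang(text)
    for m in UNC_RE.finditer(text):
        host, path = m.group(1), m.group(2)
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if is_public_host(host) and ext in SCRIPT_EXTS:
            findings.append({"type": "unc_script", "host": host, "path": m.group(0)})
    for m in SEARCH_MS_RE.finditer(text):
        uri = unquote(m.group(0))  # %5C%5C -> \\
        loc = re.search(r'location:(\\\\[^&\s]+)', uri, re.IGNORECASE)
        if loc:
            host = loc.group(1).lstrip("\\").split("\\")[0]
            findings.append({"type": "search_ms_remote", "host": host, "uri": uri})
    return findings

# Constructed sample: one external UNC script path (from the report), one
# search-ms URI with a remote location, and one benign internal login script.
SAMPLE = r"""Please review the attached budget: \\147.182.156[.]154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs
<a href="search-ms:query=report&crumb=location:%5C%5C203.0.113.10%5Cdocs&displayname=Downloads">Open</a>
Internal logon script: \\10.0.0.5\netlogon\login.vbs"""

if __name__ == "__main__":
    for finding in find_suspicious_references(SAMPLE):
        print(finding)
```

The internal \\10.0.0.5 path is not flagged because the host is private, which is the discriminator that separates these lures from ordinary domain logon scripts.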