The risk actor referred to as Paper Werewolf has been noticed solely concentrating on Russian entities with a brand new implant referred to as PowerModul.
The exercise, which happened between July and December 2024, singled out organizations within the mass media, telecommunications, development, authorities entities, and power sectors, Kaspersky mentioned in a brand new report revealed Thursday.
Paper Werewolf, also called GOFFEE, is assessed to have performed at the least seven campaigns since 2022, in response to BI.ZONE, with the assaults primarily geared toward authorities, power, monetary, media, and different organizations.
Assault chains mounted by the risk actor have additionally been noticed incorporating a disruptive part, whereby the intrusions transcend distributing malware for espionage functions to additionally change passwords belonging to worker accounts.
The assaults themselves are initiated by way of phishing emails that comprise a macro-laced lure doc, which, upon opening and enabling macros, paves the best way for the deployment of a PowerShell-based distant entry trojan referred to as PowerRAT.
The malware is designed to ship a next-stage payload, usually a customized model of the Mythic framework agent referred to as PowerTaskel and QwakMyAgent. One other software within the risk actor’s arsenal is a malicious IIS module referred to as Owowa, which is used for retrieving Microsoft Outlook credentials entered by customers on the internet consumer.
The newest set of assaults documented by Kaspersky begins with a malicious RAR archive attachment containing an executable that masquerades as a PDF or a Phrase doc utilizing a double extension (i.e., *.pdf.exe or *.doc.exe). When the executable is launched, the decoy file is downloaded from a distant server and proven to the consumer, whereas the an infection proceeds to the following stage within the background.
“The file itself is a Home windows system file (explorer.exe or xpsrchvw.exe), with a part of its code patched with a malicious shellcode,” it mentioned. “The shellcode is just like what we noticed in earlier assaults, however as well as incorporates an obfuscated Mythic agent, which instantly begins speaking with the command-and-control (C2) server.”
The alternate assault sequence is much more elaborate, utilizing a RAR archive embedding a Microsoft Workplace doc with a macro that acts as a dropper to deploy and launch PowerModul, a PowerShell script able to receiving and executing extra PowerShell scripts from the C2 server.
The backdoor is alleged to have been used for the reason that begin of 2024, with the risk actors initially utilizing it to obtain and execute PowerTaskel on compromised hosts. A few of the different payloads dropped by PowerModul are listed under –
- FlashFileGrabber, which is used to steal recordsdata from detachable media, corresponding to flash drives, and exfiltrate them to the C2 server
- FlashFileGrabberOffline, a variant of FlashFileGrabber that searches detachable media for recordsdata with particular extensions, and when discovered, copies them to the native disk inside the “%TEMPpercentCacheStoreconnect” folder
- USB Worm, which is able to infecting detachable media with a replica of PowerModul
PowerTaskel is functionally just like PowerModul in that it is also designed to run PowerShell scripts despatched by the C2 server. However as well as, it might probably ship details about the focused atmosphere within the type of a “checkin” message, in addition to execute different instructions obtained from the C2 server as duties. It is also outfitted to escalate privileges utilizing the PsExec utility.
In at the least one occasion, PowerTaskel has been discovered to obtain a script with a FolderFileGrabber part that, moreover replicating the options of FlashFileGrabber, contains the flexibility to assemble recordsdata from distant methods by way of a hardcoded community path utilizing the SMB protocol.
“For the primary time, they employed Phrase paperwork with malicious VBA scripts for preliminary an infection,” Kaspersky mentioned. “Lately, we now have noticed that GOFFEE is more and more abandoning using PowerTaskel in favor of the binary Mythic agent throughout lateral motion.”
The event comes as BI.ZONE attributed one other risk group referred to as Sapphire Werewolf to a phishing marketing campaign that distributes an up to date model of Amethyst, an offshoot of the open-source SapphireStealer.
The stealer retrieves “credentials from Telegram and numerous browsers, together with Chrome, Opera, Yandex, Courageous, Orbitum, Atom, Kometa, and Edge Chromium, in addition to FileZilla and SSH configuration recordsdata,” the Russian firm mentioned, including it might probably additionally seize paperwork, together with these saved on detachable media.
