Bloody Wolf strikes organizations in Kazakhstan with STRRAT commercial malware
Since late 2023, BI.ZONE Threat Intelligence experts have been tracking the activity of Bloody Wolf. The cluster attacks organizations in Kazakhstan with STRRAT, a commercial malware also known as Strigoi Master. The attackers send out phishing emails on behalf of the country's regulatory agencies. The emails have PDF attachments with download links for the malware and for a Java interpreter installation guide (the program supports malware operation).
- The adversaries continue to experiment with commercial malware to advance attacks on a variety of organizations.
- Using less common file types such as JAR enables the attackers to bypass defenses.
- Employing legitimate web services such as Pastebin to communicate with the compromised system makes it possible to evade network security solutions.
The victim receives a phishing email with a PDF attachment posing as a non-compliance notice and containing links to malicious JAR files.
The document also provides two links to an installation guide for the Java interpreter required for the malware to function.
It is noteworthy that the second link redirects to a legitimate government website that encourages visitors to install Java for the correct operation of a government portal.
The malicious files are hosted on a phishing resource mimicking the website of a Kazakhstan government agency. The files are the samples of STRRAT malware that could earlier be purchased on underground resources for $80.
Once launched, the STRRAT sample downloads the dependencies, including system-hook keylogger libraries that are publicly accessible on GitHub.
The malware copies its own file to C:\Users\[user]\AppData\Roaming
.
If the respective command line arguments are available, the program creates a file to identify the port to connect to. The file would be placed in the directory C:\Users\[user]\
as [port]lock.file
. In case the argument has not been passed, the information is retrieved from the configuration located at resources\config.txt
. In the case being reviewed, the port number is 15270.
If the configuration has the required option, a task is created in the scheduler to run every 30 minutes. The task is named to look legitimate and resemble the Skype application.
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\1CUpdaterKZ.jar"
If the configuration has the required option, a parameter for achieving persistence is created in the register key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
.
If the configuration has the required option, a copy of the malicious file is created in the startup directory, for example C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1CUpdaterKZ.jar
.
Running the file from the new location initializes a connection to the C2 server, in particular https://pastebin[.]com/raw/dFKy3ZDm:13570
and https://pastebin[.]com/raw/dLzt4tRB:13569
.
The malware collects information about the system, including the device name and supported languages by addressing the registry keys HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME
and HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS
, respectively.
Besides, the malware sends WMI queries with the command wmic.exe
to retrieve data about disks, architecture, operating system version, and antivirus software:
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
STRRAT can process a range of commands from the C2 server, namely:
- Reboot the system with
exe /c shutdown /r /t 0
. - Shut down the system with
exe /c shutdown /s /t 0
. - Remove malware components from the compromised system.
- Download and execute additional files from the specified network locations.
- Download and execute files from the C2 server. The malware can run Visual Basic, JavaScript, and WSF files with the command
wscript [downloaded file name]
, compiled Java files withexe -jar [downloaded file name]
, and common executables withcmd.exe /c [downloaded file name]
. - Run commands interactively at the Windows command line.
- Run commands interactively through the PowerShell interpreter.
- Manage remotely the files in the compromised system with
exe /c [file path]
and other commands. - Intercept keystrokes using the system-hook library.
- Retrieve a list of running processes with the command
exe /c wmic /node:. /namespace:’\\root\cimv2’ path win32_process get name,processed,commandline /format:list
. - Manage the list of startup programs. The current list of startup programs can be retrieved using the command
exe /c wmic /node:. /namespace:’\\root\cimv2′ path win32_startupcommand get name,location /format:list
. - Control the victim’s browser remotely:
- Start either browser present in the system (Chrome, Firefox):
chrome.exe —new-window data:text/html,<title>Strigoi Browser</title> —mute-audio —disable-audio —window-position=[screen width — 5],[screen height — 100]
firefox.exe -new-window data:text/html,<title>Strigoi Browser</title> - Hide the window with
ShowWindow([hwnd], 0)
. - Set the window as a floating toolbar (the window won’t be displayed on the taskbar) with
SetWindowLong([hwnd], −20, 128)
. - Unhide the window.
- Transmit the browser page image to the C2 server.
- Emulate mouse and keystrokes in the created browser window.
- Start either browser present in the system (Chrome, Firefox):
- Move the window to the coordinates 10,000, 10,000.
- Control remotely the target device’s screen through its own protocol that transfers the screen to the server side and the keystrokes to the victim side.
- Install a proxy for the compromised system.
- Download and run HRDP to establish a remote connection from the remote resource in the program memory. For this purpose, a new account is created with
exe /c net user [username] [password] /add
and the usernames on the authorization screen are hidden withcmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v “dontdisplaylastusername” /t REG_DWORD /d 1 /f
. The profile of the current browser is copied for the newly created account. The username is generated randomly and contains five characters. After the session terminates, the account is deleted with the sequence of commands:cmd.exe /c net user [username] /delete
cmd.exe /c wmic /node:. /namespace:’\\\\root\cimv2’ path win32_userprofile where “LocalPath=’[username]’” delete
cmd.exe /c reg add HKLM\Software\Microsoft\CurrentVersion\Policies\System /v “dontdisplaylastusername” /t REG_DWORD /d 0 /f. - Collect account data from the browsers Chrome, Firefox, Internet Explorer and the mail clients Foxmail, Outlook, Thunderbird.
- Restart the process with administrator privileges using verb runas.
- Encrypt and decrypt user files in the directories
Downloads
,Documents
, andDesktop
by applying the AES algorithm. The encrypted files receive a.crimson
extension.
e35370cb7c8691b5fdd9f57f3f462807b40b067e305ce30eabc16e0642eca06b
00172976ee3057dd6555734af28759add7daea55047eb6f627e5491701c3ec83
cb55cf3e486f3cbe3756b9b3abf1673099384a64127c99d9065aa26433281167
a6fb286732466178768b494103e59a9e143d77d49445a876ebd3a40904e2f0b0
25c622e702b68fd561db1aec392ac01742e757724dd5276b348c11b6c5e23e59
14ec3d03602467f8ad2e26eef7ce950f67826d23fedb16f30d5cf9c99dfeb058
ee113a592431014f44547b144934a470a1f7ab4abec70ba1052a4feb3d15d5c6
https://pastebin[.]com/raw/dFKy3ZDm:13570
https://pastebin[.]com/raw/dLzt4tRB:13569
https://pastebin[.]com/raw/dLzt4tRB:10101
https://pastebin[.]com/raw/YZLySxsv:20202
https://pastebin[.]com/raw/8umPhg86:13772
https://pastebin[.]com/raw/67b8GSUQ:13671
https://pastebin[.]com/raw/8umPhg86:13771
https://pastebin[.]com/raw/67b8GSUQ:13672
https://pastebin[.]com/raw/dLzt4tRB:13880
https://pastebin[.]com/raw/YZLySxsv:13881
91.92.240[.]188
185.196.10[.]116
Tactic | Technique | Procedure |
---|---|---|
Initial Access |
Phishing: Spearphishing Attachment |
Uses phishing emails with malicious attachments to deliver the malware |
Phishing: Spearphishing Link |
Uses links in the attached documents to deliver STRRAT |
|
Execution |
Command and Scripting Interpreter: Windows Command Shell |
Uses the Windows command line to run commands and scripts |
Command and Scripting Interpreter: Visual Basic |
Runs Visual Basic scripts with |
|
Command and Scripting Interpreter: JavaScript |
Downloads and runs JavaScript code with |
|
User Execution: Malicious File |
Prompts the victim to install Java and run the malicious JAR file to initiate the compromise process |
|
Persistence |
Scheduled Task/Job: Scheduled Task |
Creates tasks in the scheduler to gain a foothold in the compromised system |
Create Account: Local Account |
Creates new accounts |
|
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Modifies the Run registry key and copies the malware to the startup folder |
|
Privilege Escalation |
Access Token Manipulation: Create Process with Token |
Restarts the process with administrator privileges by using runas |
Defense Evasion |
Indicator Removal: File Deletion |
Deletes malware components from the compromised system |
Modify Registry |
Hides usernames on the authorization screen |
|
Hide Artifacts: Hidden Window |
Uses HRDP to authorize in the compromised system |
|
Credential Access |
Input Capture: Keylogging |
Intercepts keystrokes |
Credentials from Password Stores: Credentials from Web Browsers |
Retrieves authentication data from browsers |
|
Discovery |
Process Discovery |
Collects information about the running processes |
System Information Discovery |
Collects information about the compromised system |
|
Software Discovery: Security Software Discovery |
Collects information about the antivirus software |
|
Collection |
Screen Capture |
Controls the screen of the compromised system, including passes the keystrokes |
Browser Session Hijacking |
Controls the browser in the compromised system |
|
Command and Control |
Proxy: Internal Proxy |
Installs a proxy for the compromised system |
Web Service |
Uses Pastebin to obtain the C2 server address |
|
Ingress Tool Transfer |
Downloads files from the C2 server or other network locations |
|
Impact |
Data Encrypted for Impact |
Decrypts user files in the |
System Shutdown/Reboot |
Reboots or shuts down the compromised system |
The BI.ZONE EDR rules below can help organizations detect the described malicious activity:
win_using_schtasks_to_create_suspicious_task
win_creation_task_that_run_file_from_suspicious_folder
win_access_to_paste_services_from_nonbrowsers
win_suspicious_security_software_discovery
win_using_standard_tool_to_create_new_user
win_possible_browser_stealer_activity
Attacks similar to those by Bloody Wolf are not only critical to detect but also to neutralize before they affect the infrastructure. To protect your company against advanced threats, we recommend implementing endpoint detection and response practices; for instance, BI.ZONE EDR. The service enables early detection of attacks and immediate incident response, either automated or manual.
To stay ahead of threat actors, you need to be aware of the methods they use when attacking various infrastructures. Understanding the real threat landscape is a massive advantage against adversity. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. The solution provides information about the current attacks, threat actors, their methods and tools. This data helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.