Cloud Werewolf spearphishes for government employees in Russia and Belarus with fake spa vouchers and federal decrees
The BI.ZONE Threat Intelligence team has revealed another campaign by Cloud Werewolf aiming at Russian and Belarusian government organizations. According to the researchers, the group ran at least five attacks in February and March. The adversaries continue to rely on phishing emails with Microsoft Office attachments. Placing malicious content on a remote server and limiting the number of downloads enables the attackers to bypass defenses.
- Cloud Werewolf leverages topics that appeal to its targets to increase the likelihood that the malicious attachments get opened.
- The IT infrastructure of government organizations provides ample opportunities for adversaries to exploit even old vulnerabilities. This is just another reminder of how crucial it is to proactively remediate vulnerabilities, especially those used in real attacks.
- Placing the malicious payload on a remote server rather than inside the attachment increases the chances of bypassing defenses.
Cloud Werewolf uses Microsoft Office documents with information targeting employees of government organizations. For instance, the file titled Путевки на лечение 2024.doc contains information on spa vouchers.
Another document is a federal agency decree titled Приказ [redacted] № ВБ‑52фс.doc.
Yet another document, Инженерная записка.doc, lists the requirements for an engineering memo for public works.
Opening the attachment triggers the download of a document template from a remote source, such as https://triger-working[.]com/en/about-us/unshelling. The template is an RTF file that enables the attackers to exploit the CVE‑2017‑11882 vulnerability.
The successful exploitation and the execution of the shell code allow the adversaries to do the following:
- decrypt the malicious payload embedded in the shell code with an XOR operation using a 2‑byte key
- download an HTA file containing a VBScript from a remote server and open the file
The script triggers actions that:
- reduce the size of the window and move it outside the screen boundaries
- retrieve the path to the AppData\Roaming folder by obtaining the value of the APPDATA parameter of the HKCU\Volatile Environment registry key
- create the rationalistic.xml file and write the following files to its alternate data streams:
  - rationalistic.xml:rationalistic.hxn, the file with the malicious payload for connecting to the C2 server
  - rationalistic.xml:rationalistic.vbs, one of the files responsible for decrypting and executing the malicious payload
  - rationalistic.xml:rationalisticing.vbs, another file responsible for decrypting and executing the malicious payload
  - rationalistic.xml:rationalisticinit.vbs, the file responsible for purging all the files in the folder C:\Users\[user]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\ and in rationalistic.xml:rationalisticinit.vbs and rationalistic.xml:rationalisticing.vbs by opening the files in write mode
- enable the autorun of rationalistic.xml:rationalistic.vbs by creating the defragsvc parameter with the value wscript /B "[path to the file rationalistic.xml:rationalistic.vbs]" in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- run rationalistic.xml:rationalisticing.vbs and rationalistic.xml:rationalisticinit.vbs with the help of the command wscript /B "[path to the file]"
By decrypting the malicious payload, the adversaries can:
- obtain an object for interacting with network resources by accessing the registry hive CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}\ProgID
- use the proxy server whose address was retrieved from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- verify the presence of the defragsvc parameter in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and create it if missing
- stay connected to the server in an infinite loop
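The chain described above (Office document, HTA launched via mshta, scripts hidden in alternate data streams of rationalistic.xml, and a Run‑key value starting wscript /B on one of those streams) leaves telemetry that a defender can match on. The following is an added example, not BI.ZONE's code: a small Python matcher run over constructed, Sysmon‑style process‑creation and registry events. The user name, the OneDrive and inventory.vbs entries, and the field layout are assumptions made for the sample.

```python
import re

# Constructed sample events in a simplified "Field=value" form modelled on
# Sysmon registry-value (EventID 13) and process-creation (EventID 1) records.
# User name, benign entries and field layout are made up for this example.
SAMPLE_EVENTS = [
    r'EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\defragsvc Details=wscript /B "C:\Users\alice\AppData\Roaming\rationalistic.xml:rationalistic.vbs"',
    r'EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details="C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r'EventID=1 Image=C:\Windows\System32\mshta.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE CommandLine=mshta.exe',
    r'EventID=1 Image=C:\Windows\System32\wscript.exe ParentImage=C:\Windows\System32\mshta.exe CommandLine=wscript /B "C:\Users\alice\AppData\Roaming\rationalistic.xml:rationalisticing.vbs"',
    r'EventID=1 Image=C:\Windows\System32\wscript.exe ParentImage=C:\Windows\explorer.exe CommandLine=wscript "C:\Scripts\inventory.vbs"',
]

# A second ':' after the drive letter names an NTFS alternate data stream
# (file.xml:stream.vbs), which is where the scripts above are stored.
ADS_PATH = re.compile(r'[A-Za-z]:\\[^:"]+:[^\\:"\s]+')
WSCRIPT_B = re.compile(r'\bwscript(?:\.exe)?\s+/B\b', re.IGNORECASE)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\', re.IGNORECASE)
OFFICE_PARENT = re.compile(r'\\(winword|excel|powerpnt|eqnedt32)\.exe$', re.IGNORECASE)


def parse_event(line):
    """Split a 'Key=value Key=value' line into a dict (values may contain spaces)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'(\w+)=(.*?)(?=\s\w+=|$)', line)}


def classify(line):
    """Return finding labels for one event line (empty list means nothing matched)."""
    ev, findings = parse_event(line), []
    if ev.get("EventID") == "13":
        # Run-key value that starts wscript in batch mode on a stream-hidden script.
        # The observed value name is defragsvc, but the check is name-agnostic.
        value = ev.get("Details", "")
        if RUN_KEY.search(ev.get("TargetObject", "")) and WSCRIPT_B.search(value) and ADS_PATH.search(value):
            findings.append("run_key_wscript_ads")
    elif ev.get("EventID") == "1":
        image, parent, cmd = (ev.get(k, "") for k in ("Image", "ParentImage", "CommandLine"))
        # HTA host started by an Office process: the document-to-HTA step of the chain.
        if image.lower().endswith("\\mshta.exe") and OFFICE_PARENT.search(parent):
            findings.append("office_spawned_mshta")
        if WSCRIPT_B.search(cmd) and ADS_PATH.search(cmd):
            findings.append("wscript_ads_launch")
    return findings


def scan(lines):
    """Return (line_index, label) pairs for every matched event."""
    return [(i, f) for i, line in enumerate(lines) for f in classify(line)]
```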
To obtain additional VBS files from the C2 server, the attackers send a GET request to the server's address (e.g., https://web-telegrama[.]org/podcast/accademia-solferino/backtracker) with the header User‑Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) [domain name] Chrome/116.0.0.0 Safari/537.36 Edg/116.0.0.0. The device's domain is retrieved from the USERDOMAIN parameter of the HKCU\Volatile Environment registry key. Files under 1 MB are executed in memory; larger files are saved to rationalistic.xml:rationalisticinit.vbs and launched with the help of wscript /B "[path to the file rationalistic.xml:rationalisticinit.vbs]". If executed from rationalistic.xml:rationalisticing.vbs, the name will be rationalistic.xml:rationalisticinginit.vbs. After execution, the file is purged by being opened in write mode.
If rationalistic.xml:rationalistic.tmp (or rationalistic.xml:rationalisticing.tmp, depending on the active file) is available, the specified file is sent to the C2 server through a POST request. After sending, the file is purged by being opened in write mode.
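The C2 exchange above has a distinctive fingerprint: a normal Chromium‑based Edge User‑Agent has "(KHTML, like Gecko)" immediately followed by "Chrome/", whereas this implant inserts the victim's domain between them, and exfiltration of the .tmp stream goes out as a POST to the same path as the GET. The following is an added example, not BI.ZONE's code, that matches both over constructed proxy log lines; the tab‑separated log layout, the client IPs and the "CORP" domain are assumptions made for the sample.

```python
import re
from urllib.parse import urlparse

# Standard Edge UA pieces (used to build the constructed sample lines below).
UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)"
UA_SUFFIX = "Chrome/116.0.0.0 Safari/537.36 Edg/116.0.0.0"

# Constructed proxy log lines: timestamp, client, method, URL, status, User-Agent.
C2_URL = "https://web-telegrama.org/podcast/accademia-solferino/backtracker"
SAMPLE_PROXY_LOG = [
    f"2024-03-12T09:14:02Z\t10.0.5.17\tGET\t{C2_URL}\t200\t{UA_PREFIX} CORP {UA_SUFFIX}",
    f"2024-03-12T09:14:05Z\t10.0.5.18\tGET\thttps://www.microsoft.com/\t200\t{UA_PREFIX} {UA_SUFFIX}",
    f"2024-03-12T09:15:40Z\t10.0.5.17\tPOST\t{C2_URL}\t200\t{UA_PREFIX} CORP {UA_SUFFIX}",
    "2024-03-12T09:16:01Z\t10.0.5.19\tGET\thttps://example.org/\t200\tcurl/8.4.0",
]

# Group 1 captures whatever token sits between "(KHTML, like Gecko)" and "Chrome/".
# A well-formed Edge UA has nothing there, so the group stays empty.
UA_INSERT = re.compile(
    r'^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36 '
    r'\(KHTML, like Gecko\) (?:(\S+) )?Chrome/\d+(?:\.\d+)*'
    r' Safari/537\.36 Edg/\d+(?:\.\d+)*$'
)


def ua_inserted_token(user_agent):
    """Return the token injected before 'Chrome/', or None if the UA is well-formed or not Edge."""
    m = UA_INSERT.match(user_agent)
    return m.group(1) if m else None


def scan_proxy_log(lines, known_c2=()):
    """Return (line_index, client, method, host, inserted_token) for suspicious requests.

    A request is flagged when its UA carries an inserted token or its host is a known C2.
    """
    hits = []
    for i, line in enumerate(lines):
        _ts, client, method, url, _status, ua = line.split("\t", 5)
        host = urlparse(url).hostname
        token = ua_inserted_token(ua)
        if token is not None or host in known_c2:
            hits.append((i, client, method, host, token))
    return hits
```

In a real deployment the inserted token is the victim's own Windows domain, so grouping hits by token and client quickly shows which hosts are beaconing and which have already exfiltrated via POST.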
- The cluster has been active since at least 2014 and is also known as Inception and Cloud Atlas.
- Cloud Werewolf is a state‑sponsored threat actor focused on espionage.
- Mostly attacks government, industrial, and research organizations in Russia and Belarus.
- At the post‑exploitation stage, Cloud Werewolf can employ unique tools, such as PowerShower and VBShower, as well as Python scripts.
- Uses LaZagne to retrieve authentication data.
- Uses Advanced IP Scanner to gather information about remote systems.
- Uses AnyDesk as a backup channel to access compromised IT infrastructures.
- Uses RDP and SSH to advance in compromised IT infrastructures.
- Uses 7‑Zip to archive the files retrieved from the compromised systems.
- Deletes C2 server communication entries (e.g., from proxy server logs).
Indicators of compromise:
- 5af1214fc0ca056e266b2d093099a3562741122f32303d3be7105ce0c2183821
- b4c0902a9fb29993bc7573d6e84547d0393c07e011f7b633f6ea3a67b96c6577
- 9d98bd1f1cf6442a21b6983c5c91c0c14cd98ed9029f224bdbc8fdf87c003a4b
- serverop-parametrs[.]com
- triger-working[.]com
- web-telegrama[.]org
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | Uses phishing emails with malicious attachments |
| Execution | Inter-Process Communication: Component Object Model | Uses COM components in VBScripts |
| Execution | Exploitation for Client Execution | Employs CVE-2017-11882 to execute shell code |
| Execution | User Execution: Malicious File | Prompts the victim to open the malicious file to initiate the compromise process |
| Execution | Command and Scripting Interpreter: Visual Basic | Leverages VBScripts for various purposes |
| Execution | Windows Management Instrumentation | Uses Windows Management Instrumentation |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Modifies the Run registry key to gain a foothold in the compromised system |
| Defense Evasion | Obfuscated Files or Information | Applies XOR encryption to obfuscate script code, shell code, and malicious payload |
| Defense Evasion | Deobfuscate/Decode Files or Information | Uses XOR to decode shell code and malicious payload |
| Defense Evasion | Indicator Removal: File Deletion | Purges files by opening them in write mode |
| Defense Evasion | Hide Artifacts: NTFS File Attributes | Uses NTFS alternate data streams |
| Defense Evasion | Template Injection | Downloads templates from a remote server |
| Defense Evasion | System Binary Proxy Execution: Mshta | Uses mshta to run malicious HTA files |
| Discovery | System Information Discovery | Obtains information about the victim's domain |
| Command and Control | Application Layer Protocol: Web Protocols | Uses HTTPS to communicate with the servers |
| Command and Control | Proxy: Internal Proxy | May use a proxy server |
| Command and Control | Ingress Tool Transfer | Delivers tools to the compromised system |
More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.
Cloud Werewolf's methods of gaining persistence on endpoints are hard to detect with preventive security solutions. Therefore, we recommend that companies enhance their cybersecurity with endpoint detection and response practices, for instance, with the help of BI.ZONE EDR.
To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and to understand the threat landscape. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence platform. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.