Fluffy Wolf sends out reconciliation reports to sneak into corporate infrastructures
The BI.ZONE Threat Intelligence team has detected a previously unknown cluster, dubbed Fluffy Wolf, whose activity can be traced back to 2022. The group uses phishing emails with password‑protected archive attachments. The archives contain executable files disguised as reconciliation reports. They are used to deliver various tools to a compromised system, such as Remote Utilities (legitimate software), Meta Stealer, WarZone RAT, or XMRig miner.
- Phishing emails remain an effective method of intrusion: at least 5% of corporate employees download and open hostile attachments.
- Threat actors continue to experiment with legitimate remote access software to enhance their arsenal with new tools.
- Malware‑as‑a‑service programs and their cracked versions are expanding the threat landscape in Russia and other CIS countries. They also enable attackers with mediocre technical skills to advance attacks successfully.
One of the latest campaigns began with the attackers sending out phishing emails, pretending to be a construction firm (fig. 1). The message titled Reports to sign had an archive with the password included in the file name.
The archive contained a file Akt_Sverka_1C_Doc_28112023_PDF.com (a reconciliation report) that downloaded and installed Remote Utilities (a remote access tool) and launched Meta Stealer.
When executed, the malicious file performed the following actions:
- replicated itself in the directory C:\Users\[user]\AppData\Roaming, for example, as Znruogca.exe (the name is specified in the configuration)
- created a Znruogca registry key with the value equal to the replicated file path in the registry section HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so that the malware runs after system reboot
- launched the Remote Utilities loader that delivers the payload from the C2 server
- started a copy of the active process and injected Meta Stealer's payload into it
The Remote Utilities installer is an NSIS (Nullsoft Scriptable Install System) package that copies program modules to C:\ProgramData\TouchSupport\Bin and runs the Remote Utilities executable, wuapihost.exe.
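A defender-side illustration of the chain described above, added here and not part of the BI.ZONE report: a small Python checker over constructed Sysmon-like records (event 13 = registry value set, event 1 = process create) that flags the three observable artifacts in the text, namely a Run key pointing into AppData\Roaming, a lure file that looks like a PDF but carries an executable extension, and wuapihost.exe started from C:\ProgramData\TouchSupport\Bin. The event shape, the alert names, and all paths other than those quoted from the report are assumptions.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
# Only the Run key, the AppData\Roaming copy, the lure file name and the
# TouchSupport\Bin path are taken from the report; the rest is made up.
SAMPLE_EVENTS = [
    {"id": 13, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Znruogca",
     "value": r"C:\Users\alice\AppData\Roaming\Znruogca.exe"},
    {"id": 13, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"id": 1, "image": r"C:\ProgramData\TouchSupport\Bin\wuapihost.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\Znruogca.exe"},
    {"id": 1, "image": r"C:\Users\alice\Downloads\Akt_Sverka_1C_Doc_28112023_PDF.com",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# Document-style lure: a PDF/DOC-looking name that actually ends in an executable extension.
DOUBLE_EXT = re.compile(r"(pdf|doc|docx|xls|xlsx)\.(com|exe|scr|pif)$", re.IGNORECASE)
RU_DIR = re.compile(r"\\ProgramData\\TouchSupport\\Bin\\", re.IGNORECASE)


def classify(event):
    """Return the list of alert names triggered by one event (empty = nothing suspicious)."""
    hits = []
    if event["id"] == 13 and RUN_KEY.search(event["key"]) and USER_WRITABLE.search(event["value"]):
        hits.append("run-key-persistence-from-appdata")
    if event["id"] == 1:
        image = event["image"]
        if DOUBLE_EXT.search(image):
            hits.append("document-lookalike-executable")
        if RU_DIR.search(image):
            hits.append("remote-utilities-unattended-install")
            # Legitimate admin installs are not normally launched by a binary in AppData.
            if USER_WRITABLE.search(event.get("parent", "")):
                hits.append("remote-utilities-spawned-from-appdata")
    return hits


def scan(events):
    """Map event index -> alerts for every event that triggered at least one rule."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}


if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_EVENTS).items():
        print(idx, alerts)
```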
Remote Utilities is a legitimate remote access tool that enables a threat actor to gain complete control over a compromised device. Thus, they can track the user’s actions, transmit files, run commands, interact with the task scheduler, etc. (fig. 2).
Meta Stealer is a clone of the popular RedLine stealer which is frequently used in attacks against organizations in Russia and other CIS countries. Among others, this stealer was employed by the Sticky Wolf cluster.
The stealer can be purchased on underground forums and the official Telegram channel (fig. 3).
A monthly subscription for the malware may cost as little as 150 dollars while a lifetime license can be purchased for 1,000 dollars. It is noteworthy that Meta Stealer is not banned in the CIS countries.
The stealer allows the attackers to retrieve the following information about the system:
- username
- screen resolution
- operating system version
- operating system language
- unique identifier (domain name + username + device serial number)
- time zone
- CPU (by sending the WMI request SELECT * FROM Win32_Processor)
- graphics cards (by sending the WMI request SELECT * FROM Win32_VideoController)
- browsers (by enumerating the keys in the registry hives SOFTWARE\WOW6432Node\Clients\StartMenuInternet and SOFTWARE\Clients\StartMenuInternet)
- software (by enumerating the keys in the registry hive SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)
- security solutions (by sending the WMI requests SELECT * FROM AntivirusProduct, SELECT * FROM AntiSpyWareProduct, and SELECT * FROM FirewallProduct)
- running processes (by sending the WMI request SELECT * FROM Win32_Process Where SessionId='[running process session]')
- keyboard layouts
- screenshots
Then it collects and sends the following information to the C2 server:
- files that match the mask specified in the configuration
- credentials and cookies from Chromium and Firefox‑like browsers (browser paths are specified in the configuration)
- FileZilla data
- cryptocurrency wallet data (specified in the configuration)
- data from the VPN clients installed on the compromised device (NordVPN, ProtonVPN)
We were also able to link this cluster to some previous campaigns that used different sets of tools:
- a universal loader that spreads the payloads of the Remote Utilities installer and the Meta Stealer
- an installer with the Meta Stealer payload that downloads Remote Utilities from the C2 server
- the Remote Utilities installer only, without Meta Stealer
- WarZone RAT, another malware‑as‑a‑service solution, instead of Remote Utilities
- a loader for Remote Utilities, Meta Stealer, and WarZone RAT in a single file
- a miner as an additional tool
The duration and variety of attacks conducted by clusters of activity such as Fluffy Wolf prove their effectiveness. Despite the use of fairly simple tools, the threat actors are able to achieve complex goals. This once again highlights the importance of threat intelligence. Having access to the latest data, companies can promptly detect and eliminate malicious activity at the early stages of the attack cycle.
bussines-a[.]ru
3aaa68af37f9d0ba1bc4b0d505b23f10a994f7cfd9fdf6a5d294c7ef5b4c6a6a
794d27b8f218473d51caa9cfdada493bc260ec8db3b95c43fb1a8ffbf4b4aaf7
Tactic | Technique | Procedure
---|---|---
Initial Access | Phishing: Spearphishing Attachment | Uses phishing emails to gain initial access
Execution | Windows Management Instrumentation | Uses WMI to conduct reconnaissance about the compromised system and for other purposes
Execution | Command and Scripting Interpreter: PowerShell | Uses PowerShell to run commands and scripts
Execution | User Execution: Malicious File | A victim has to open the malicious file to initiate the compromise
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Uses the registry section HKCU\Software\Microsoft\Windows\CurrentVersion\Run to run the malware after system reboot
Defense Evasion | Process Injection: Process Hollowing | Uses process hollowing to inject the code into a copy of its own process
Defense Evasion | Obfuscated Files or Information | Uses password-protected archives to deliver the malware to the target system
Defense Evasion | Masquerading: Match Legitimate Name or Location | Names the files to resemble legitimate ones
Credential Access | Unsecured Credentials: Credentials In Files | Retrieves authentication data saved in files
Credential Access | Credentials from Password Stores: Credentials from Web Browsers | Retrieves authentication data saved in browsers
Discovery | Process Discovery | Retrieves information about running processes
Discovery | System Information Discovery | Retrieves information about the compromised system
Discovery | Software Discovery: Security Software Discovery | Retrieves information about security solutions on the compromised system
Collection | Data from Local System | Collects data from the compromised system
Command and Control | Application Layer Protocol: Web Protocols | Uses
Command and Control | Ingress Tool Transfer | Uploads malicious files onto the compromised system
Command and Control | Remote Access Software | Uses legitimate software to gain remote access to the compromised system
Exfiltration | Exfiltration Over C2 Channel | Exfiltrates the collected data to the C2 server
Impact | Resource Hijacking | Uses the resources of the compromised system for cryptocurrency mining (cryptojacking)
More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.
Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.
To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and to understand the threat landscape. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence platform. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.