Mysterious Werewolf attacks Russian industry
A while back, international researchers reported on a new threat group that affected a number of Russian semiconductor suppliers. The report came from Cyble, headquartered in Alpharetta, Georgia with offices in Australia, Malaysia, Singapore, Dubai, Saudi Arabia, and India. The BI.ZONE Cyber Threat Intelligence team is also tracking this activity cluster, dubbed Mysterious Werewolf, and we recently uncovered another attack in the campaign, this time targeting industrial facilities in Russia.
- Organizations often fail to patch their application software on time, which gives the attackers a window of opportunity to effectively exploit the neglected vulnerabilities.
- Dynamic DNS gives the attackers a more flexible infrastructure and helps them avoid immediate detection and blocking.
- The attackers are increasingly using less popular post‑exploitation frameworks, allowing them to bypass a number of defenses more effectively.
This time, the attackers disguised themselves as the Ministry of Industry and Trade of the Russian Federation, and their phishing emails contained archives named `Pismo_izveshcanie_2023_10_16.rar` that exploited the CVE-2023-38831 vulnerability.
The archive contained a legitimate PDF document as well as a folder with a malicious CMD file. After opening the archive and double‑clicking the document, the exploit launched the CMD file. Accordingly, `WinRAR.exe` launched `cmd.exe` to execute the malicious CMD file.
Detection opportunity 1
In this case, `WinRAR.exe` launches `cmd.exe` to execute the malicious CMD file (`C:\Users\[redacted]\AppData\Local\Temp\Rar$DIa5576.1088\Pismo_Rassylka_Ministerstva_Ministerstva_promyshlennosti.pdf .cmd`). Running `cmd.exe` is atypical for `WinRAR.exe`. In addition, we can use a list of file extensions that are associated with the exploited vulnerability to make our detection method even more accurate.
We can pay attention to `WinRAR.exe` that runs `cmd.exe` to execute a file with one of the following extensions: `.cmd`, `.pif`, `.com`, `.exe`, `.bat`, `.lnk`.
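The detection logic described above, written out as an added example (not code from the BI.ZONE report): it checks process-creation events for `WinRAR.exe` spawning `cmd.exe` to run a file with one of the listed extensions, and tolerates the decoy double extension with a space ("`.pdf .cmd`"). Field names follow Sysmon's `Image`/`ParentImage`/`CommandLine` convention and the sample events are constructed around the path quoted in the text.

```python
import re

# Extensions associated with CVE-2023-38831 exploitation, as listed in the text.
SUSPICIOUS_EXTS = ("cmd", "pif", "com", "exe", "bat", "lnk")

# The launched file ends with one of those extensions, possibly followed by the
# closing quotes that "cmd.exe /c" wraps around it. Only the tail of the command
# line is checked, so "...promyshlennosti.pdf .cmd" is still caught.
_TAIL_RE = re.compile(r"\.(" + "|".join(SUSPICIOUS_EXTS) + r')["\s]*$', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_winrar_exploit_chain(ev: dict) -> bool:
    """True when WinRAR.exe spawns cmd.exe to run a file with a suspicious extension."""
    if _basename(ev.get("ParentImage", "")) != "winrar.exe":
        return False
    if _basename(ev.get("Image", "")) != "cmd.exe":
        return False
    return _TAIL_RE.search(ev.get("CommandLine", "")) is not None


def extracted_to_rar_temp(ev: dict) -> bool:
    """Secondary signal: the target sits in WinRAR's Rar$... temporary folder."""
    return "\\rar$" in ev.get("CommandLine", "").lower()


# Constructed sample events (assumption: cmd.exe started via the .cmd file
# association, which yields the /c ""<file>" "" command-line shape).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c ""C:\Users\[redacted]\AppData\Local\Temp\Rar$DIa5576.1088\Pismo_Rassylka_Ministerstva_Ministerstva_promyshlennosti.pdf .cmd" "'},
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe", "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "CommandLine": r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" "C:\Users\[redacted]\AppData\Local\Temp\Rar$DIa5576.1088\report.pdf"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c build.bat"},
]


def find_hits(events):
    """Return the events that match the WinRAR -> cmd.exe detection."""
    return [ev for ev in events if is_winrar_exploit_chain(ev)]


if __name__ == "__main__":
    for ev in find_hits(SAMPLE_EVENTS):
        print("ALERT WinRAR->cmd.exe:", ev["CommandLine"], "| Rar$ temp:", extracted_to_rar_temp(ev))
```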
The malicious CMD file runs the following PowerShell script:
```powershell
powershell -nop -WindowStyle Hidden -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('[redacted]'))))"
```
The script is obfuscated and does the following:
- downloads a benign PDF file (`Pismo_Rassylka_Ministerstva_promyshlennosti.pdf`, the contents of which are shown below) from `hXXps://cloudfare[.]webredirect[.]org` (Dynu dynamic DNS service) and opens it
- downloads the Athena agent from `hXXps://cloudfare[.]webredirect[.]org` and saves it to `C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Fonts\MikrosoftEdge.exe`
- creates a scheduled task to run the agent every 10 minutes:

```
schtasks /crEaTE /Sc mINUTE /mo 10 /TN "Microsoft Edge" /Tr C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Fonts\MikrosoftEdge.exe /f
```
Detection opportunity 2
Here we have a bunch of detection opportunities. For example, the fact that PowerShell is communicating with the address of a dynamic DNS provider is suspicious.
Further, `powershell.exe` creates files in atypical locations, another example of suspicious behavior. You can use information about these folders to implement proactive threat hunting, such as looking for suspicious executables running from the `Fonts` or `Ringtones` folders.
To gain persistence on the compromised system, the attackers used the Windows Task Scheduler. Of course, such activity creates a lot of noise, but you can experiment with command line settings to detect anomalous activity. For example, you can focus on those that are atypical of your IT infrastructure.
And finally, the Athena agent. In this case, it uses Discord to receive commands, which means we have the ability to detect suspicious communications, such as connections to `discord[.]com` or `discordapp[.]com` that are not coming from the Discord application or browsers.
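The hunts from Detection opportunity 2 (PowerShell resolving a dynamic DNS host, PowerShell dropping an executable under `Fonts` or `Ringtones`, a tight-interval scheduled task pointing into `AppData`, and Discord traffic from an unexpected process) as one added Python example, not code from the report. The zone, folder and domain lists come from the text; the interval threshold, the browser allow-list and the event layout are assumptions, and the sample events are constructed.

```python
import re

DYNDNS_ZONES = ("webredirect.org",)          # Dynu zone used in this campaign
DROP_DIRS = ("\\windows\\fonts\\", "\\windows\\ringtones\\")
DISCORD_DOMAINS = ("discord.com", "discordapp.com")
EXPECTED_DISCORD_PROCS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}  # assumption
MAX_INTERVAL_MIN = 15                        # assumption: schedules this tight look like beaconing

# schtasks switches are case-insensitive and were mixed-case here ("/crEaTE /Sc mINUTE /mo 10").
_SCHTASKS_RE = re.compile(r"/sc\s+minute\b.*?/mo\s+(\d+)", re.IGNORECASE | re.DOTALL)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_zone(host, zones):
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in zones)


def classify(ev):
    """Return the name of the matching hunt, or None. Each event carries a 'type'
    (dns, file_create, process, network) plus the fields that type needs."""
    img, kind = _basename(ev.get("Image", "")), ev.get("type")
    if kind == "dns" and img == "powershell.exe" and _in_zone(ev["query"], DYNDNS_ZONES):
        return "powershell_resolves_dyndns"
    if kind == "file_create" and img == "powershell.exe":
        target = ev["target"].lower()
        if target.endswith(".exe") and any(d in target for d in DROP_DIRS):
            return "powershell_drops_exe_in_fonts_or_ringtones"
    if kind == "process" and img == "schtasks.exe":
        m = _SCHTASKS_RE.search(ev["cmdline"])
        if m and int(m.group(1)) <= MAX_INTERVAL_MIN and "\\appdata\\" in ev["cmdline"].lower():
            return "schtask_short_interval_appdata_binary"
    if kind == "network" and img not in EXPECTED_DISCORD_PROCS and _in_zone(ev["dest_host"], DISCORD_DOMAINS):
        return "discord_traffic_from_unexpected_process"
    return None


# Constructed events mirroring the behaviour described above (redacted path kept as-is).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
AGENT = r"C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Fonts\MikrosoftEdge.exe"
SAMPLE_EVENTS = [
    {"type": "dns", "Image": PS, "query": "cloudfare.webredirect.org"},
    {"type": "file_create", "Image": PS, "target": AGENT},
    {"type": "process", "Image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /crEaTE /Sc mINUTE /mo 10 /TN "Microsoft Edge" /Tr ' + AGENT + " /f"},
    {"type": "network", "Image": AGENT, "dest_host": "discord.com"},
    {"type": "network", "Image": r"C:\Users\[redacted]\AppData\Local\Discord\app-1.0\Discord.exe", "dest_host": "discord.com"},
    {"type": "process", "Image": r"C:\Windows\System32\schtasks.exe", "cmdline": r"schtasks /create /sc daily /tn Backup /tr C:\Tools\backup.exe"},
]


def run_hunts(events):
    """Return (event type, hunt name) for every event that matches a hunt."""
    return [(ev["type"], classify(ev)) for ev in events if classify(ev)]
```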
Athena is an agent for Mythic C2, a cross-platform collaborative framework for penetration testers. It allows the operator to perform various actions in the post‑exploitation context (e.g., interact with the file system of a compromised system, download and upload files, execute commands and scripts, scan the network, etc.).
hXXps://cloudfare[.]webredirect[.]org
947bf4f9b0b0ad87f8abdfdf53ae7f518560959a5168ff1893b2a63f57cc35ca
85239a43c106a44aac81c772f87982848cf18bcce87b5c0b5c4f1b1ea17c8b66
a4ba00adcfc3d0be2f7e78fe7712dc379b8a82b6b6fd77351c51955f82595e20
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | Mysterious Werewolf uses archives attached to phishing emails that exploit the CVE-2023-38831 vulnerability |
| Execution | Exploitation for Client Execution | Mysterious Werewolf exploits the CVE-2023-38831 vulnerability in WinRAR to execute malicious code on a compromised system |
| | User Execution: Malicious File | The victim needs to open the malicious file to initiate the compromise process |
| | Command and Scripting Interpreter: Windows Command Shell | As a result of successful exploitation, the malicious CMD file is launched using the Windows command line |
| | Command and Scripting Interpreter: PowerShell | Mysterious Werewolf uses PowerShell to download legitimate documents and the Athena agent from a remote server |
| Persistence | Scheduled Task/Job: Scheduled Task | Mysterious Werewolf creates jobs in Windows Scheduler to latch on to a compromised system |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | Mysterious Werewolf uses names for malicious files that resemble legitimate files |
| | Obfuscated Files or Information | Mysterious Werewolf uses Base64 to encode scripts executed in PowerShell |
| Command and Control | Dynamic Resolution | Mysterious Werewolf uses dynamic DNS to upload files to a compromised system |
| | Ingress Tool Transfer | Mysterious Werewolf downloads the Athena agent from a remote server |
| | Web Service: Bidirectional Communication | Mysterious Werewolf uses Discord to communicate with C2 |
Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.
If an incident has already occurred, it is important to react quickly and launch an investigation. This will allow you to understand how attackers got into the company’s systems, isolate compromised resources from the corporate network, and rule out the possibility of a second attack along a similar vector. BI.ZONE specialists will help you address this with effective countermeasures and conduct further investigation.