Scaly Wolf uses White Snake stealer against Russian industry
The BI.ZONE Threat Intelligence team has identified at least a dozen campaigns linked to Scaly Wolf. The impact spreads across organizations from various industries in Russia, including manufacturing and logistics.
One of the group's hallmarks in gaining initial access is phishing emails designed to look like legitimate correspondence from Russian public authorities. Its phishing arsenal includes regulatory requirements and inquiries from Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), the Investigative Committee, and the Military Prosecutor's Office, as well as court orders and other regulatory prescriptions. In rare cases, the attackers disguise the emails as sales proposals. Notably, in all cases the email text sounds official and well put together, which makes the mailing convincing, builds the user's trust, and encourages them to launch a malicious attachment. The attack results in the system being infected with the White Snake stealer and the subsequent theft of corporate data. We wrote about this earlier.
- Stealers remain one of the most popular types of malware distributed by attackers. Many of them now have additional features, which allows them to be used effectively in targeted and sophisticated attacks.
- The malware-as-a-service model lets attackers skip malware development and simply obtain the finished product. As with legitimate software, cracked versions of commercial malware often end up in the public domain.
- Despite many developers prohibiting the distribution of their malware in Russia and other CIS countries, attackers find ways to modify and use it in these regions. This once again underlines the importance of monitoring underground networks in order to identify such threats before they are used against Russian organizations.
As mentioned earlier, White Snake is the weapon of choice for Scaly Wolf, which is certainly another distinctive characteristic of the group. The stealer first surfaced in February 2023 on the darknet as a tool for targeted attacks. White Snake is also distributed through a dedicated channel in Telegram.
The stealer can cost as little as $140 per month, and adversaries do not even need experience in operating it: mounting an attack with this malware is as easy as renting it, which generates high demand for the program. The ability to rent or purchase this class of malware significantly lowers the level of expertise attackers need to execute targeted attacks.
White Snake can be run cross-platform using a downloader written in Python. On the Windows platform, the stealer implements the following features:
- Remote access trojan
- XML-based customization
- Keylogger for stealing keystroke data
A successful attack can give the adversary access to multiple corporate resources, such as a mail server and a CRM. The malware can collect authentication data (passwords stored in browsers and other applications, cryptocurrency wallet data), copy files, record keystrokes, and remotely access the compromised device. In addition, the stealer uses the Serveo.net service for SSH access to the infected machine, enabling the criminal to execute commands on the compromised host, including downloading additional modules for post-exploitation tasks. Another feature of White Snake is sending notifications about newly infected devices to a Telegram bot.
With the appearance of White Snake on the black market, BI.ZONE Threat Intelligence began to monitor its activity online and its use against various organizations. Despite the prohibitions on employing the stealer against CIS countries, attacks on Russian organizations have been detected. The discovered activity clearly showed a similar set of tactics, techniques, and procedures (TTPs), which is why some of the attacks involving White Snake were attributed to the Scaly Wolf group. A distinctive approach of the group is sending phishing emails that are similar in design and pose as genuine government correspondence. Another typical characteristic is that the malware almost always comes in a password-protected ZIP archive, with the password contained in the archive file name, for example Требование CK от 08.08.23 ПАРОЛЬ — 123123123.zip (the password being 123123123).
June
Scaly Wolf first made itself known in June 2023, targeting Russian organizations under the guise of a Roskomnadzor requirement. Back then, the BI.ZONE Threat Intelligence team paid close attention to the White Snake activity and later began tracking the group behind it. As part of the campaign, the victim received a phishing email with an attached archive Требование Роскомнадзор № 02-12143(пароль-12121212).rar (a Roskomnadzor requirement) containing the following files:
- Требование РОСКОМНАДЗОР № 02-12143.odt
- РОСКОМНАДЗОР.png (attachment to the Roskomnadzor requirement)
The first file (fig. 1) is a phishing document that aims to lure the victim into opening the second file, which is the White Snake stealer.
July
We identified a new White Snake phishing email purportedly from the Investigative Committee of the Russian Federation. The subject line of the email (fig. 2) mentioned a criminal investigation related to tax evasion (Investigative Committee inquiry in connection with a tax evasion investigation). Attached was a password-protected archive Запрос ГСУ СК РФ Уклонение от налогов № 7711 от 18.07.2023 пароль 12121313.zip (a tax evasion inquiry from the Investigative Committee). Inside were the following documents:
- Права и обязанности и процедура ст. 164, 170, 183 УПК РФ.rtf (the rights, obligations, and procedure under the Criminal Procedure Code of the Russian Federation)
- Перечень предприяти, уклонения от уплаты налогов, банковские счета, суммы уклонения, схема.exe (details about organizations suspected of tax evasion)
Like in the June campaign, the second file was masked as an attachment to a harmless document, although in fact it was the stealer.
August
The criminals continued to push the Investigative Committee ploy. On August 7, a new email distributing White Snake was found under the pretense of sharing a requirement from the Investigative Committee (fig. 3). The following archives were attached to the mailing:
- Требование CK от 08.08.23 ПАРОЛЬ — 123123123.zip
- Требование CK от 07.08.23 ПАРОЛЬ — 12312312.zip
The archives also contained documents such as Требование CK от 07.08.23 ПАРОЛЬ — 12312312\ГCУ CK PФ запрос.docx (an Investigative Committee inquiry) and the executable file Перечень юридических лиц и физических лиц в рамках уклонения, сумы уклонения.exe (legal entities and individuals suspected of evasion, sums of evasion).
September
On September 1, we detected a new wave of White Snake attacks. The adversaries decided to move away from intimidating topics related to Roskomnadzor or the Investigative Committee, at least temporarily. This time the emails were sent out under the guise of a sales proposal. A potential victim would receive a phishing email with a password-protected archive bearing one of the following names:
- КП от 01.09.23 (Пароль к архиву — 121212).zip (a sales proposal with the archive password)
- КП от 01.09.23 (пароль к архиву — 121212).rar (a sales proposal with the archive password)
- КП 12119- тех.док.rar (a sales proposal)
In the September 6 mailing, the archive still contained a malicious executable disguised as a document attachment. However, on September 12, the file had the CMD extension and was launched via the following command line:
C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa1872.39116\SP 12119- tech.doc.cmd" "
October
The Scaly Wolf group decided to continue distributing emails with intimidating content. Starting from October 2, they went back to sending phishing emails on behalf of the Investigative Committee. The emails referred to a criminal investigation and carried subject lines such as:
- Investigation inquiry in connection with criminal case No. 11091007706001194, Russia's Investigative Committee
- Investigation inquiry in connection with criminal case No. 11091007706001194, the Investigative Committee of the Russian Federation
- Investigation requirement under criminal case No. 11091007706011194, Russia's Investigative Committee
- Investigation inquiry under criminal case No. 11091007706011194, the Investigative Committee of the Russian Federation
The email was accompanied by a PDF Запрос следователя (уклонение от уплаты налогов) — копия.pdf (an investigator's tax evasion inquiry) designed to divert the victim's attention (fig. 4). It stated that the addressee should appear before the Investigative Committee for questioning as a witness in a forged documents case.
Like previously, the malicious executable file (fig. 5) was located together with the benign documents in the archive.
In addition to this file, there was an archive called Трeбoвaниe 19098 СК РФ от 07.09.23 ПАРОЛЬ — 123123123.zip (another requirement of the Investigative Committee) with the White Snake stealer under the following file names:
- Перечень юридических лиц и физических лиц в рамках уклонения, сумы уклонения.exe (legal entities and individuals suspected of tax evasion, sums of evasion)
- Перечень юридических лиц и предприятий, уклонение от уплаты налогов, требования и дополнительные материалы.exe (details about legal entities and enterprises suspected of tax evasion)
On October 16, a similar email was discovered also containing a PDF file and an archive (fig. 6).
November
Throughout November, we continued to come across new malicious email campaigns with the White Snake stealer. For example, on November 2, the group started distributing emails informing potential victims about a court order. This time, however, the attackers did not use an archive and attached the executable file Постановление о производстве выемки и прилагаемые к запросу материалы.exe (an order of seizure and the materials relevant to the inquiry) directly.
On November 13, the threat actors returned to their tried and tested phishing and social engineering method, namely sending emails disguised as requirements from the Investigative Committee. Just as before, a victim received a password-protected archive named Трeбoвaниe 19225 СК РФ от 31.10.2023 ПАРОЛЬ — 11223344.zip (an Investigative Committee requirement) (fig. 7), which in turn contained more documents and the executable file Перечень юридических лиц и физических лиц в рамках уклонения, сумы уклонения.exe (legal entities and individuals suspected of evasion, sums of evasion).
That same month, on November 20, we discovered a new email trying to pass the White Snake stealer off as regulatory documents. This time, the attackers asked the recipient to provide supplements to a contract attached to the email. In fact, the attachment contained an archive with an executable PE file inside (fig. 8).
January 2024
After a short break in December, the group returned in early 2024. While earlier the attackers pretended to be the Investigative Committee of the Russian Federation and Roskomnadzor, the new campaign was crafted around the Military Prosecutor’s Office of the Russian Federation. The subject lines in this campaign went as follows:
- Seizure pursuant to the investigation of criminal case No. 111801400013001322, the Military Prosecutor's Office of the Russian Federation
- Requirement pursuant to the investigation of criminal case No. 111801400013001322 MPO RF
- Seizure pursuant to the investigation of criminal case No. 111801400013001322 MPO RF
Figure 9 shows the email enclosed with an archive named Постановление о производстве выемки (ЄЦП) — пароль 1628.zip (an order of seizure), which contained the document Права и обязанности и процедура ст. 164, 170, 183 УПК РФ.rtf (the rights, obligations, and procedure under the Criminal Procedure Code of the Russian Federation) and the executable file Постановление о производстве выемки (электронная цифровая подпись).exe (an order of seizure).
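As an added illustration, not part of the BI.ZONE report, the triage logic below turns the attachment pattern seen across the campaigns above into checks a mail gateway or SOC script can run on attachment and archive-member names: a password embedded in the archive name, an executable or .cmd file posing as a document, the "tech.doc.cmd" double extension, and words that mix Cyrillic and Latin letters (some of the archive names quoted above appear to contain Latin lookalike letters, so this is a cheap extra signal). The regex, weights, function names and sample inputs are the example's own assumptions, not the group's or the vendor's.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ARCHIVE_EXT = (".zip", ".rar", ".7z")
# Extensions Windows runs on double-click; the campaigns above used .exe and .cmd
EXEC_EXT = (".exe", ".cmd", ".bat", ".scr", ".js", ".vbs", ".ps1")
DOC_EXT = (".doc", ".docx", ".rtf", ".odt", ".pdf", ".xls", ".xlsx")
# "пароль"/"ПАРОЛЬ" (Russian for "password"), then at most 20 non-digit characters
# (" к архиву — ", "-", a space), then the password digits themselves
PASSWORD_RE = re.compile(r"парол[ья]\D{0,20}?(\d{4,})", re.IGNORECASE)


@dataclass
class Verdict:
    attachment: str
    password: Optional[str] = None                          # password taken from the archive name
    executables: List[str] = field(default_factory=list)   # names Windows would execute
    double_ext: List[str] = field(default_factory=list)    # e.g. "tech.doc.cmd"
    mixed_script: List[str] = field(default_factory=list)  # words mixing Cyrillic and Latin letters

    @property
    def score(self) -> int:  # additive risk score; tune the weights to your own mail flow
        return ((3 if self.password else 0) + 2 * len(self.executables)
                + len(self.double_ext) + len(self.mixed_script))


def embedded_password(name: str) -> Optional[str]:
    m = PASSWORD_RE.search(name)
    return m.group(1) if m else None


def mixed_script_words(name: str) -> List[str]:
    """Words whose letters come from both the Cyrillic and the Latin alphabet."""
    hits = []
    for word in re.findall(r"\w+", name):
        # Unicode names start with the script: "CYRILLIC SMALL LETTER IE", "LATIN SMALL LETTER E"
        scripts = {unicodedata.name(c, "?").split()[0] for c in word if c.isalpha()}
        if {"CYRILLIC", "LATIN"} <= scripts:
            hits.append(word)
    return hits


def is_double_extension(name: str) -> bool:
    """True for names like "tech.doc.cmd": a document extension placed before the real one."""
    stem = name.lower().rsplit(".", 1)[0]
    return stem.endswith(DOC_EXT)


def triage(attachment: str, members: Tuple[str, ...] = ()) -> Verdict:
    """Score one mail attachment plus, for archives, the names of its members."""
    v = Verdict(attachment)
    if attachment.lower().endswith(ARCHIVE_EXT):
        v.password = embedded_password(attachment)
    for name in (attachment, *members):
        if name.lower().endswith(EXEC_EXT):
            v.executables.append(name)
            if is_double_extension(name):
                v.double_ext.append(name)
        v.mixed_script.extend(mixed_script_words(name))
    return v
```

The member names come from listing the archive (the password recovered from the file name lets a sandbox open it); the score is meant as a triage priority, not a verdict on its own.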
We continue to witness a growing threat from various cybercriminal groups around the world, and this is no less true for the Russian region. Meanwhile, malware on the black market is becoming more affordable to less qualified adversaries, which only adds to the number of threat actors and to the number of targeted attacks. Scaly Wolf is one such group that our threat intelligence has been tracking for more than half a year.
Through its continuous dissemination of the White Snake stealer, the group is beginning to pose a serious threat to Russian business. Moreover, the fact that the attackers repeatedly send emails under the guise of public authorities, especially the Investigative Committee, indicates that their scheme is working and their campaigns are successful. Judging by the attacks already carried out in January 2024, Scaly Wolf will continue its attempts to compromise Russian companies and may remain on the hunt for quite some time.
135.181.98.45
164.132.115.9
18.218.18.183
More information, including indicators, threat actor description, TTPs, and tools, is available on BI.ZONE Threat Intelligence.
Tactic | Technique | Procedure |
---|---|---|
Initial Access | Phishing: Spearphishing Attachment | Scaly Wolf uses malicious attachments to gain initial access |
Execution | User Execution: Malicious File | A victim needs to open the malicious file to initiate the compromise process |
Execution | Command and Scripting Interpreter: Windows Command Shell | White Snake uses the Windows command line to execute scripts |
Execution | Native API | White Snake uses Windows APIs to intercept keystrokes, create screenshots, and decrypt user data |
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | White Snake can replicate itself in |
Persistence | Scheduled Task/Job: Scheduled Task | White Snake creates tasks in the scheduler to gain further persistence in the compromised system: |
Defense Evasion | Obfuscated Files or Information | White Snake uses string encryption and method name obfuscation |
Defense Evasion | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | White Snake sets the executable file inside the directory |
Defense Evasion | Obfuscated Files or Information: Binary Padding | The size of the White Snake executable file is about 1 GB |
Defense Evasion | Indicator Removal: File Deletion | White Snake deletes itself after launching and copying its body to a new location |
Defense Evasion | Impersonation | Scaly Wolf distributes phishing emails under the pretense of Russian government agencies |
Defense Evasion | Virtualization/Sandbox Evasion: System Checks | White Snake performs checks on the compromised system to identify a virtual environment |
Credential Access | Credentials from Password Stores: Credentials from Web Browsers | White Snake gets credentials from Chromium- and Firefox-based browsers using the relative paths specified in the configuration |
Credential Access | Credentials from Password Stores: Windows Credential Manager | White Snake can retrieve data from the internal Windows password vault |
Credential Access | Input Capture: Keylogging | White Snake can intercept user keystrokes |
Credential Access | Unsecured Credentials: Credentials In Files | White Snake can access any files, including those containing authentication data |
Credential Access | Unsecured Credentials: Credentials in Registry | White Snake can access any registry keys specified in the configuration |
Discovery | File and Directory Discovery | White Snake collects files from the compromised system using a particular mask specified in the configuration |
Discovery | Process Discovery | White Snake collects information about the compromised system, including a list of running processes, and sends it to the C2 server |
Discovery | Query Registry | White Snake can access any registry keys specified in the XML configuration to collect data |
Discovery | Software Discovery | White Snake collects information about the applications installed in the system and sends it to the C2 server |
Discovery | System Information Discovery | White Snake collects information about the compromised system, including the operating system version, device name, manufacturer and model, processor and graphics card name |
Discovery | System Location Discovery | White Snake collects information about the compromised system, including the country region, through a request to http://ip-api.com/line?fields=query,country and sends it to the C2 server |
Discovery | System Network Configuration Discovery | White Snake collects information about the compromised system, including the IP address, through a request to http://ip-api.com/line?fields=query,country and sends it to the C2 server |
Discovery | System Owner/User Discovery | White Snake collects information about the compromised system, including the username, and sends it to the C2 server |
Discovery | System Time Discovery | White Snake reads the current clock information on the device |
Lateral Movement | Lateral Tool Transfer | White Snake can replicate itself on external media |
Collection | Archive Collected Data | White Snake encrypts data using RSA before sending it to the server |
Collection | Audio Capture | White Snake can use a microphone to capture sound |
Collection | Data from Local System | White Snake can copy files from the compromised system |
Collection | Screen Capture | White Snake can take screen captures |
Collection | Video Capture | White Snake can use the camera to record videos |
Command and Control | Application Layer Protocol: Web Protocols | White Snake uses HTTP/HTTPS to transmit data |
Command and Control | Data Encoding | White Snake encodes the created screenshots in Base64 and sends them to the C2 server |
Command and Control | Encrypted Channel: Asymmetric Cryptography | White Snake uses RSA to encrypt transmitted data |
Command and Control | Ingress Tool Transfer | White Snake delivers additional malware to the compromised system |
Command and Control | Non-Standard Port | White Snake initializes a Tor network node on a random port between 2000 and 7000 |
Command and Control | Proxy: Multi-hop Proxy | White Snake initializes a Tor network node on a random port to transmit data |
Exfiltration | Exfiltration Over C2 Channel | White Snake transmits the collected data to the C2 server |
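As an added example, not from the report, here is a small hunt over egress (proxy) logs for the network behaviour listed in the table: the exact ip-api.com geolocation query the stealer sends, contact with the C2 addresses listed above, and access to Serveo.net. The log line format, sample lines, rule names and severities are the example's own assumptions; only the C2 addresses and the ip-api.com URL come from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# C2 addresses listed in the report above
C2_IPS = {"135.181.98.45", "164.132.115.9", "18.218.18.183"}

# Constructed egress-log format (an assumption, not a real product's format):
# "<timestamp> <client_ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

SEVERITY = {
    "known-c2-address": "high",        # direct contact with a listed C2 IP
    "whitesnake-geoip-check": "high",  # exact query the stealer sends to ip-api.com
    "ip-api-lookup": "low",            # any other use of the service (admins use it too)
    "serveo-tunnel": "medium",         # Serveo.net is used for the SSH access channel
}


@dataclass
class Hit:
    client: str
    rule: str
    severity: str
    url: str


def match_url(url: str) -> Optional[str]:
    """Return the matching rule name for one URL, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_IPS:
        return "known-c2-address"
    if host == "ip-api.com":
        fields = parse_qs(parts.query).get("fields", [""])[0]
        if parts.path == "/line" and fields == "query,country":
            return "whitesnake-geoip-check"
        return "ip-api-lookup"
    if host == "serveo.net" or host.endswith(".serveo.net"):
        return "serveo-tunnel"
    return None


def hunt(lines: List[str]) -> List[Hit]:
    """Run every rule over a log; malformed lines are skipped, not fatal."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        rule = match_url(url)
        if rule:
            hits.append(Hit(client, rule, SEVERITY[rule], url))
    return hits


# Constructed sample log: one client shows the stealer's pattern, one is benign
SAMPLE_LOG = [
    "2023-11-13T09:14:02Z 10.0.5.21 GET http://ip-api.com/line?fields=query,country 200",
    "2023-11-13T09:14:05Z 10.0.5.21 POST http://135.181.98.45/ 200",
    "2023-11-13T09:20:11Z 10.0.7.8 GET https://ip-api.com/json/ 200",
    "2023-11-13T09:21:40Z 10.0.7.8 GET https://www.example.com/index.html 200",
    "not a log line",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.severity:6} {h.client:10} {h.rule:24} {h.url}")
```

Because the SSH channel to Serveo.net does not pass through a web proxy, the serveo rule is most useful when the same function is fed DNS or firewall log hostnames.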
Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.
To better understand the current cyber threat landscape and realize exactly how infrastructures similar to yours are being attacked, we recommend leveraging the data from BI.ZONE Threat Intelligence. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.