Venture Wolf attempts to disrupt Russian businesses with MetaStealer
BI.ZONE Threat Intelligence has discovered a previously unknown cluster whose activity can be traced back to November 2023. Dubbed Venture Wolf, the cluster employs multiple loaders to deliver MetaStealer to the target systems. The threat actor focuses on a range of industries, including manufacturing, construction, IT, and telecommunications.
- Stealers maintain their position among the most popular types of malware employed by threat actors.
- As there are no “developer” restrictions on the use of certain malware programs against Russian companies, such programs gain higher recognition among various clusters of malicious activity.
- The authentication material obtained in the course of MetaStealer‑based campaigns can be used later to undertake more complex targeted attacks against the compromised organizations.
Venture Wolf disseminates archives containing a loader with the .com
(and occasionally .exe
) extension, as well as one or more phishing documents. After the launch, the loader either creates a dummy .NET file where it injects the malicious payload or injects it into the RegAsm.exe
process.
The adversaries use various image (JPG and PNG) and text (PDF, DOC/DOCX, and ODT) files as decoys.
Company record.pdf
Company bank details.jpg
Individual entrepreneur record.png
The loaders are portable executable (PE) files. Their code is obfuscated, and the names of the WinAPI functions—employed for malicious code injections—are encrypted. Depending on the loader’s type, the malicious payload and the dummy .NET file are RC4‑encrypted and stored in the loader’s body. In most cases, the malicious payload is injected into the suspended process of the running dummy .NET file. It is worth mentioning that some loaders do not have a dummy file and inject the malicious payload into the RegAsm.exe
process.
Depending on the loader’s type, the payload is decrypted and a randomly named dummy .NET file is created in the %TEMP%
folder. The name is generated arbitrarily from the alphabet sequence set in the loader. Thus, the dummy .NET file name may contain Chinese characters. Notably, the dummy file does not contain any code in the Main
function.
The names of the WinAPI functions (namely, CreateProcessW
, VirtualAllocEx
, WriteProcessMemory
, Wow64SetThreadContext/SetThreadContext
, ResumeThread
) used for injecting the code into the running process are decrypted.
The MetaStealer malicious payload is also decrypted and injected into the process.
The injection of the malicious payload code goes as follows:
CreateProcessW
withdwCreationFlags
=0×00000004
(CREATE_SUSPENDED
) creates the process in the suspended mode of either the dummy .NET file orRegAsm.exe
.VirtualAllocEx
allocates memory in the suspended process.WriteProcessMemory
writes the malicious payload into the allocated memory section.Wow64SetThreadContext
/SetThreadContext
changes the thread context to set the entry point for the execution of the injected malicious payload.ResumeThread
resumes the suspended process (transfers control over to the malicious payload).
We have also discovered multiple loaders with section names typical of various protectors: Enigma (.enigma1
, .enigma2
), VMProtect (.vmp0
, .vmp1
), Themida (.themida
).
However, such loaders are not defended by any of the mentioned protectors. This technique may be used to deceive the signature analysis tools or antivirus engines into issuing favorable verdicts.
The adversaries use MetaStealer as the payload. Written in C#, this malware is a fork of RedLine, yet another stealer. The key difference between the two is that MetaStealer’s developers do not prohibit its use in attacks against Russian and other CIS organizations.
When running, MetaStealer does the following:
- collects information about the compromised system, including the OS version and hardware specifications (hard disk, processor, and video controller specifications)
- retrieves data from a wide range of browsers, such as Edge, Chromium, Google Chrome, Opera, CentBrowser, Chedot, Vivaldi, Kometa, Yandex Browser, Sputnik Browser, Mozilla Firefox, etc.
- steals crypto wallet data from Electrum Bitcoin Wallet, Exodus Crypto Wallet, BTC, Electron, etc.
- retrieves data from such email clients as Mozilla Thunderbird
- obtains data from multiple applications, such as Steam and FileZilla
Notably, Venture Wolf uses the .NET Reactor protector to obfuscate the MetaStealer code.
155e444417cc138633bdbf2e95834165ef7295290f6da58a1cce3171b61ce2b4
26e0c7319a7f9c3ef6f65f8e585adcc3653c75ea231d87f63182b44cea5b13a1
ab3ed0ffb87999202eb96a163cd50d4f5bd495f5bb09c09efec99b4d8b7abb94
e970ace468aafefe060c00f948098f19e4f7d63ec893a14012a1721b8b208ddb
d5c65e8217250cc4c1d8e762fa7102f14c243f28190d56f3e7f343c5fed7c8b2
e58ff527e1f5775cd2c64ba1c46b8e70102f354cf1f3454c40efaa1b4cbb40d2
e6372b17f1ad0887cb0f77beea5bcb6a16822449304b894641031dc407158cca
bd7cdafc28e0d62cc85ab7e04e7b38e62414ef59d717b2c6f96d4c4490687f8e
5045a339e6162d0f1d028c9b3ffd52f0f4b51e40a6d3070f38f343102efad587
9fb6e7c76771c3d193e94af0c868f2e6ca7e6d864b03e2c20fb115d7554bbde7
7bacab7505d3cf673ba1c5c70bea697e5ad1af2142e9e7c1c5a1e2ecab24e479
702dba8240bca174ef525002da51ce1b478aa5dd165a8e4033cfd17c8f7a761f
6c43a06756179650fcbd257cf8221c9d99f9aa1da4b7014edb20ef5c8d160909
477ff2f8bdbfbea420e16a37704b896c4dfe6d7ec5bc9a070f42a4d94e0bb97a
c222ace386b09a505a9afc71d47f035ca957b288a9d61b375d6ef439098dbd46
193.233.255[.]122:2314
147.45.47[.]185:41702
147.45.47[.]153:3605
147.45.47[.]83:7622
77.91.68[.]6:2314
Tactic | Technique | Procedure |
---|---|---|
Resource Development |
Obtain Capabilities: Malware |
Venture Wolf uses MetaStealer that can be purchased on underground websites and forums |
Execution |
User Execution: Malicious File |
Venture Wolf uses ZIP and RAR archives containing an executable loader file with the |
Defense Evasion |
Deobfuscate/Decode Files or Information |
Venture Wolf uses the loader to decrypt the dummy .NET file (no code in the |
Obfuscated Files or Information |
Venture Wolf uses the .NET Reactor protector to obfuscate MetaStealer |
|
Obfuscated Files or Information: Dynamic API Resolution |
Venture Wolf uses the loader which decrypts the names of the WinAPI functions to inject malicious code into another process |
|
Obfuscated Files or Information: Stripped Payloads |
Venture Wolf uses MetaStealer where strings as well as the names of classes, methods, and variables are obfuscated. In some versions, delegates are used to obfuscate the called methods |
|
Obfuscated Files or Information: Encrypted/Encoded File |
Venture Wolf uses the loader with the RC4‑encrypted dummy .NET file and payload |
|
Process Injection: Portable Executable Injection |
Venture Wolf uses the loader to inject MetaStealer into the memory of the running dummy .NET file process (created by the loader). Venture Wolf uses the loader to inject MetaStealer into the memory of the |
|
Virtualization/Sandbox Evasion: Time Based Evasion |
Venture Wolf uses MetaStealer to check the local time of the first created event in the system event log and also to check the time of |
|
Credential Access |
Credentials from Password Stores: Credentials from Web Browsers |
Venture Wolf uses MetaStealer to steal credentials from various web browsers |
Steal Application Access Token |
Venture Wolf uses MetaStealer to get Discord access tokens |
|
Steal Web Session Cookie |
Venture Wolf uses MetaStealer to collect cookies from Chromium- and Firefox‑like browsers |
|
Unsecured Credentials: Credentials In Files |
Venture Wolf uses MetaStealer to access files containing credentials |
|
Discovery |
Browser Information Discovery |
Venture Wolf uses MetaStealer to get various browser files |
File and Directory Discovery |
Venture Wolf uses MetaStealer to collect information about files and directories specified in the configuration received from the C2 server |
|
Process Discovery |
Venture Wolf uses MetaStealer to discover the processes running on the compromised host |
|
Query Registry |
Venture Wolf uses MetaStealer to query OS registry keys and obtain information about the installed OS Windows version, applications, and browsers |
|
Software Discovery |
Venture Wolf uses MetaStealer to get information about the applications installed on the compromised host |
|
Software Discovery: Security Software Discovery |
Venture Wolf uses MetaStealer to send WMI queries in order to discover whether the compromised host is protected by an antivirus |
|
System Information Discovery |
Venture Wolf uses MetaStealer to collect system information, such as OS version and hardware (hard disk, processor, video controller) specifications |
|
System Location Discovery |
Venture Wolf uses MetaStealer to obtain the external IP address of the compromised host by querying |
|
System Location Discovery: System Language Discovery |
Venture Wolf uses MetaStealer to learn the language settings of the compromised host |
|
Collection |
Data from Local System |
Venture Wolf uses MetaStealer to gather data from various applications, including instant messengers (Telegram, Discord), VPN (OpenVPN, NordVPN, Proton VPN), crypto wallets, Steam, Battle.net, Thunderbird, and FileZilla |
Screen Capture |
Venture Wolf uses MetaStealer to capture desktop screenshots and send them to the C2 server |
|
Command and Control |
Non-Application Layer Protocol |
Venture Wolf uses MetaStealer to employ the |
Non-Standard Port |
Venture Wolf uses MetaStealer with network ports 2314, 3605, 7622, 41702 to communicate with the C2 server |
|
Exfiltration |
Automated Exfiltration |
Venture Wolf uses MetaStealer for the automated exfiltration of data collected on the compromised host |
Exfiltration Over C2 Channel |
Venture Wolf uses MetaStealer to exfiltrate the stolen data over to the C2 server |
The BI.ZONE EDR rules below can help organizations detect the described malicious activity:
win_unsigned_file_with_com_extension_was_executed
win_discovery_system_information
win_possible_browser_stealer_activity
win_suspicious_access_to_software_sensitive_files
gen_ti_wolfs_network_ioc_was_detected
gen_ti_wolfs_hash_was_detected
Phishing emails are a popular way of breaching the security perimeter of organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of legitimate messages.
To stay ahead of threat actors, you need to understand their methods and tools and take this information into account when assessing the threat landscape of your organization. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. It provides information about the current attacks, threat actors, their tactics, techniques, and tools. This data helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.