Venture Wolf attempts to disrupt Russian businesses with MetaStealer
BI.ZONE Threat Intelligence has discovered a previously unknown cluster whose activity can be traced back to November 2023. Dubbed Venture Wolf, the cluster employs multiple loaders to deliver MetaStealer to the target systems. The threat actor focuses on a range of industries, including manufacturing, construction, IT, and telecommunications.
- Stealers maintain their position among the most popular types of malware employed by threat actors.
- As there are no “developer” restrictions on the use of certain malware programs against Russian companies, such programs gain higher recognition among various clusters of malicious activity.
- The authentication material obtained in the course of MetaStealer‑based campaigns can be used later to undertake more complex targeted attacks against the compromised organizations.
Venture Wolf disseminates archives containing a loader with the .com (and occasionally .exe) extension, as well as one or more phishing documents. Once launched, the loader either creates a dummy .NET file and injects the malicious payload into it, or injects the payload into the RegAsm.exe process.
The adversaries use various image (JPG and PNG) and text (PDF, DOC/DOCX, and ODT) files as decoys.
- Company record.pdf
- Company bank details.jpg
- Individual entrepreneur record.png
The loaders are portable executable (PE) files. Their code is obfuscated, and the names of the WinAPI functions—employed for malicious code injections—are encrypted. Depending on the loader’s type, the malicious payload and the dummy .NET file are RC4‑encrypted and stored in the loader’s body. In most cases, the malicious payload is injected into the suspended process of the running dummy .NET file. It is worth mentioning that some loaders do not have a dummy file and inject the malicious payload into the RegAsm.exe process.
Depending on the loader’s type, the payload is decrypted and a randomly named dummy .NET file is created in the %TEMP% folder. The name is generated arbitrarily from the alphabet sequence set in the loader. Thus, the dummy .NET file name may contain Chinese characters. Notably, the dummy file does not contain any code in the Main function.
The names of the WinAPI functions (namely, CreateProcessW, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext/SetThreadContext, ResumeThread) used for injecting the code into the running process are decrypted.
The MetaStealer malicious payload is also decrypted and injected into the process.
The injection of the malicious payload code goes as follows:
1. CreateProcessW with dwCreationFlags = 0x00000004 (CREATE_SUSPENDED) creates the process of either the dummy .NET file or RegAsm.exe in suspended mode.
2. VirtualAllocEx allocates memory in the suspended process.
3. WriteProcessMemory writes the malicious payload into the allocated memory section.
4. Wow64SetThreadContext/SetThreadContext changes the thread context to set the entry point for the execution of the injected malicious payload.
5. ResumeThread resumes the suspended process (transfers control over to the malicious payload).
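The loader behaviour described above (an unsigned .com file launching either RegAsm.exe or a randomly named file from %TEMP% in suspended mode) leaves a recognisable trace in process-creation telemetry. The following is an added example, not BI.ZONE's code or its EDR rules: a small rule set evaluated over constructed process-creation events. The event fields (image, parent image, signature status, creation flags) are assumed to be available from the sensor, and the sample events are made up for the demonstration.

```python
"""Added example (not BI.ZONE's code): flag process-creation events that match the
Venture Wolf loader chain. Event shape and sample events are constructed."""
import ntpath
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags value named in the write-up


@dataclass
class ProcessEvent:
    image: str           # full path of the created process
    parent_image: str    # full path of the parent process
    signed: bool         # Authenticode verification result for `image` (assumed sensor field)
    creation_flags: int  # dwCreationFlags recorded by the sensor (assumed sensor field)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def _has_non_ascii(path: str) -> bool:
    # The dummy .NET file name is drawn from an arbitrary alphabet and may contain Chinese characters
    return any(ord(c) > 127 for c in ntpath.basename(path))


def evaluate(event: ProcessEvent) -> list:
    """Return the names of the rules the event matches, in a fixed order."""
    hits = []
    if _name(event.image).endswith(".com") and not event.signed:
        hits.append("unsigned_com_executed")
    parent_is_com = _name(event.parent_image).endswith(".com")
    suspended = bool(event.creation_flags & CREATE_SUSPENDED)
    if parent_is_com and suspended and _name(event.image) == "regasm.exe":
        hits.append("com_spawned_suspended_regasm")
    if parent_is_com and suspended and _in_temp(event.image):
        hits.append("com_spawned_suspended_temp_child")
        if _has_non_ascii(event.image):
            hits.append("non_ascii_image_name")
    return hits


def scan(events) -> dict:
    """Map each matching image path to its rule hits; clean events are omitted."""
    result = {}
    for e in events:
        hits = evaluate(e)
        if hits:
            result[e.image] = hits
    return result


# Constructed sample telemetry: a loader chain plus two benign events.
LOADER = r"C:\Users\user\Downloads\Company record.com"
SAMPLE_EVENTS = [
    ProcessEvent(LOADER, r"C:\Windows\explorer.exe", signed=False, creation_flags=0),
    ProcessEvent(r"C:\Users\user\AppData\Local\Temp\翻译文档.exe", LOADER, signed=False,
                 creation_flags=CREATE_SUSPENDED),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", LOADER,
                 signed=True, creation_flags=CREATE_SUSPENDED),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 signed=True, creation_flags=0),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
                 r"C:\Program Files\Microsoft Visual Studio\devenv.exe", signed=True,
                 creation_flags=0),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(hits))
```

The last sample event shows why the parent process matters: RegAsm.exe is a legitimate .NET tool, so it is only the combination of a .com parent and a suspended start that is worth alerting on.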
We have also discovered multiple loaders with section names typical of various protectors: Enigma (.enigma1, .enigma2), VMProtect (.vmp0, .vmp1), Themida (.themida).
Section names in one of the loaders
However, none of these loaders is actually protected by the named protectors. The section names are likely meant to deceive signature-based analysis tools or antivirus engines into issuing a favorable verdict.
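Because the protector section names are present without the protector itself, an analyst can triage such samples by reading the PE section table and comparing each protector-named section's contents with what a packed section normally looks like. The following is an added example, not code from BI.ZONE: a minimal section-table parser with a Shannon-entropy check. The PE bytes are constructed inside the script (a non-loadable header-only sample), and the entropy threshold is an assumed heuristic, not a value from the write-up.

```python
"""Added example (not BI.ZONE's code): parse a PE section table and flag protector-style
section names (Enigma, VMProtect, Themida) whose contents do not look packed.
The PE bytes are constructed; the entropy threshold is an assumed heuristic."""
import math
import random
import struct
from collections import Counter

# Section names the write-up associates with protectors
PROTECTOR_SECTIONS = {
    ".enigma1": "Enigma", ".enigma2": "Enigma",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect",
    ".themida": "Themida",
}
PACKED_ENTROPY = 6.5  # assumption: packed or encrypted data is usually above this
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_rest = struct.unpack_from(
            SECTION_FMT, pe, table + i * 40)
        body = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(body), 2),
        })
    return sections


def assess(sections: list) -> list:
    """Return (section, protector, verdict) for every protector-named section."""
    findings = []
    for s in sections:
        protector = PROTECTOR_SECTIONS.get(s["name"].lower())
        if protector is None:
            continue
        if s["entropy"] < PACKED_ENTROPY:
            findings.append((s["name"], protector, "name only: low entropy, likely decoy naming"))
        else:
            findings.append((s["name"], protector, "name and high entropy: possibly packed"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE (not loadable): DOS stub, PE signature, COFF header,
    zeroed optional header, three section headers and their raw data."""
    rng = random.Random(7)
    bodies = [
        (b".text", b"\x55\x8b\xec" + b"\x90" * 509),                 # plain code
        (b".vmp0", b"not really protected " * 48),                   # protector name, low entropy
        (b".themida", bytes(rng.getrandbits(8) for _ in range(4096))),  # protector name, high entropy
    ]
    opt_size, e_lfanew = 224, 64
    table = e_lfanew + 4 + 20 + opt_size
    data_start = table + 40 * len(bodies)
    headers, raw = b"", b""
    for name, body in bodies:
        headers += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(body), 0x1000,
                               len(body), data_start + len(raw), 0, 0, 0, 0, 0x60000020)
        raw += body
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, opt_size, 0x102)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + headers + raw


if __name__ == "__main__":
    for finding in assess(parse_sections(build_sample_pe())):
        print(*finding)
```

A low-entropy protector-named section is only a hunting signal: it says the name was written by something other than the named protector, which is exactly the pattern described above, but the file's actual obfuscation still has to be examined separately.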
The adversaries use MetaStealer as the payload. Written in C#, this malware is a fork of RedLine, yet another stealer. The key difference between the two is that MetaStealer’s developers do not prohibit its use in attacks against Russian and other CIS organizations.
When running, MetaStealer does the following:
- collects information about the compromised system, including the OS version and hardware specifications (hard disk, processor, and video controller specifications)
- retrieves data from a wide range of browsers, such as Edge, Chromium, Google Chrome, Opera, CentBrowser, Chedot, Vivaldi, Kometa, Yandex Browser, Sputnik Browser, Mozilla Firefox, etc.
- steals crypto wallet data from Electrum Bitcoin Wallet, Exodus Crypto Wallet, BTC, Electron, etc.
- retrieves data from such email clients as Mozilla Thunderbird
- obtains data from multiple applications, such as Steam and FileZilla
Notably, Venture Wolf uses the .NET Reactor protector to obfuscate the MetaStealer code.
Network indicators of compromise:
- .233.255[.]122:2314
- 147.45.47[.]185:41702
- 147.45.47[.]153:3605
- 147.45.47[.]83:7622
- 77.91.68[.]6:2314
| Tactic | Technique | Procedure |
|---|---|---|
| Resource Development | Obtain Capabilities: Malware | Venture Wolf uses MetaStealer that can be purchased on underground websites and forums |
| Execution | User Execution: Malicious File | Venture Wolf uses ZIP and RAR archives containing an executable loader file with the |
| Defense Evasion | Deobfuscate/Decode Files or Information | Venture Wolf uses the loader to decrypt the dummy .NET file (no code in the |
| | Obfuscated Files or Information | Venture Wolf uses the .NET Reactor protector to obfuscate MetaStealer |
| | Obfuscated Files or Information: Dynamic API Resolution | Venture Wolf uses the loader which decrypts the names of the WinAPI functions to inject malicious code into another process |
| | Obfuscated Files or Information: Stripped Payloads | Venture Wolf uses MetaStealer where strings as well as the names of classes, methods, and variables are obfuscated. In some versions, delegates are used to obfuscate the called methods |
| | Obfuscated Files or Information: Encrypted/Encoded File | Venture Wolf uses the loader with the RC4‑encrypted dummy .NET file and payload |
| | Process Injection: Portable Executable Injection | Venture Wolf uses the loader to inject MetaStealer into the memory of the running dummy .NET file process (created by the loader). Venture Wolf uses the loader to inject MetaStealer into the memory of the |
| | Virtualization/Sandbox Evasion: Time Based Evasion | Venture Wolf uses MetaStealer to check the local time of the first created event in the system event log and also to check the time of |
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers | Venture Wolf uses MetaStealer to steal credentials from various web browsers |
| | Steal Application Access Token | Venture Wolf uses MetaStealer to get Discord access tokens |
| | Steal Web Session Cookie | Venture Wolf uses MetaStealer to collect cookies from Chromium- and Firefox‑like browsers |
| | Unsecured Credentials: Credentials In Files | Venture Wolf uses MetaStealer to access files containing credentials |
| Discovery | Browser Information Discovery | Venture Wolf uses MetaStealer to get various browser files |
| | File and Directory Discovery | Venture Wolf uses MetaStealer to collect information about files and directories specified in the configuration received from the C2 server |
| | Process Discovery | Venture Wolf uses MetaStealer to discover the processes running on the compromised host |
| | Query Registry | Venture Wolf uses MetaStealer to query OS registry keys and obtain information about the installed Windows OS version, applications, and browsers |
| | Software Discovery | Venture Wolf uses MetaStealer to get information about the applications installed on the compromised host |
| | Software Discovery: Security Software Discovery | Venture Wolf uses MetaStealer to send WMI queries in order to discover whether the compromised host is protected by an antivirus |
| | System Information Discovery | Venture Wolf uses MetaStealer to collect system information, such as OS version and hardware (hard disk, processor, video controller) specifications |
| | System Location Discovery | Venture Wolf uses MetaStealer to obtain the external IP address of the compromised host by querying |
| | System Location Discovery: System Language Discovery | Venture Wolf uses MetaStealer to learn the language settings of the compromised host |
| Collection | Data from Local System | Venture Wolf uses MetaStealer to gather data from various applications, including instant messengers (Telegram, Discord), VPN (OpenVPN, NordVPN, Proton VPN), crypto wallets, Steam, Battle.net, Thunderbird, and FileZilla |
| | Screen Capture | Venture Wolf uses MetaStealer to capture desktop screenshots and send them to the C2 server |
| Command and Control | Non-Application Layer Protocol | Venture Wolf uses MetaStealer to employ the |
| | Non-Standard Port | Venture Wolf uses MetaStealer with network ports 2314, 3605, 7622, 41702 to communicate with the C2 server |
| Exfiltration | Automated Exfiltration | Venture Wolf uses MetaStealer for the automated exfiltration of data collected on the compromised host |
| | Exfiltration Over C2 Channel | Venture Wolf uses MetaStealer to exfiltrate the stolen data to the C2 server |
The BI.ZONE EDR rules below can help organizations detect the described malicious activity:
- win_unsigned_file_with_com_extension_was_executed
- win_discovery_system_information
- win_possible_browser_stealer_activity
- win_suspicious_access_to_software_sensitive_files
- gen_ti_wolfs_network_ioc_was_detected
- gen_ti_wolfs_hash_was_detected
Phishing emails are a popular way of breaching the security perimeter of organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of legitimate messages.
To stay ahead of threat actors, you need to understand their methods and tools and take this information into account when assessing the threat landscape of your organization. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. It provides information about the current attacks, threat actors, their tactics, techniques, and tools. This data helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.