Core Werewolf bolsters attacks against Russia’s defense industry and critical infrastructure
Core Werewolf has been attacking Russia’s defense enterprises and critical infrastructure organizations since at least August 2021. A month ago, the threat actor turned to a new “in‑house” solution, a loader written in the popular AutoIt programming language.
Core Werewolf members send out phishing emails with links to RAR archives, which in turn contain self‑extracting archives (SFX). Each SFX contains a malicious script, a legitimate interpreter to run it, and a decoy PDF document. If the user opens the archive to take a look at the “documents,” the SFX contents are extracted into a temporary folder (TEMP). After that, the AutoIt interpreter installs the loader, which deploys malware on the compromised device.
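The chain above (SFX drops interpreter plus script into TEMP, interpreter runs the script) gives defenders a concrete telemetry pattern. The following Python triage sketch is an added example, not BI.ZONE code; it assumes Sysmon Event ID 1 field names, that the interpreter's PE OriginalFilename is "AutoIt3.exe", and works over constructed records.

```python
"""Flag process-creation events where an AutoIt interpreter runs a script from a
temporary folder. Sysmon-style field names; every record here is constructed."""
import ntpath
import re

EVENTS = [
    # Constructed: interpreter and script both extracted by an SFX into TEMP.
    {"Image": r"C:\Users\u\AppData\Local\Temp\RarSFX0\autoit3.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Users\u\AppData\Local\Temp\RarSFX0\autoit3.exe" '
                    r"C:\Users\u\AppData\Local\Temp\RarSFX0\update.au3"},
    # Constructed: legitimate developer use, nothing in TEMP.
    {"Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Dev\build.au3'},
    # Constructed: interpreter renamed; compiled script path contains a space.
    {"Image": r"C:\Users\u\AppData\Local\Temp\RarSFX0\svchost.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Users\u\AppData\Local\Temp\RarSFX0\svchost.exe" '
                    r'"C:\Users\u\AppData\Local\Temp\RarSFX0\scan results.a3x"'},
]

TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# Quoted path (may contain spaces) or bare token ending in an AutoIt script extension.
SCRIPT_RE = re.compile(r'"([^"]+\.(?:au3|a3x))"|(\S+\.(?:au3|a3x))', re.IGNORECASE)

def is_autoit(event):
    # Match by file name or by PE original filename (assumption: "AutoIt3.exe").
    base = ntpath.basename(event["Image"]).lower()
    return base.startswith("autoit3") or event.get("OriginalFileName", "").lower() == "autoit3.exe"

def triage(event):
    """Return the reasons an event resembles the loader chain; empty list if none."""
    reasons = []
    if not is_autoit(event):
        return reasons
    if TEMP_RE.search(event["Image"]):
        reasons.append("AutoIt interpreter executed from a temporary folder")
    m = SCRIPT_RE.search(event["CommandLine"])
    if m and TEMP_RE.search(m.group(1) or m.group(2)):
        reasons.append("AutoIt script argument resides in a temporary folder")
    if not ntpath.basename(event["Image"]).lower().startswith("autoit3"):
        reasons.append("interpreter binary renamed")
    return reasons

def detect(events):
    return [(i, triage(e)) for i, e in enumerate(events) if triage(e)]
```

The script-extension check is a heuristic: a renamed interpreter can run a script with any extension, so the TEMP-location and rename signals carry more weight.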
In June, the group started experimenting with malware delivery methods. Potential victims are contacted not only by email but also through instant messengers, mostly Telegram.
To build robust defenses, companies should be aware of attacks targeting their industry and specific infrastructures. Information about the latest threats, attacker methods, tools, and malware delivery channels is provided by dedicated portals such as BI.ZONE Threat Intelligence. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect the company against the most critical threats.