Fluffy Wolf causes much damage with unsophisticated attacks


The malware-as-a-service model paves the way for cybercriminals with a shallow grasp of technology. Easily available and affordable, such solutions drive down the cost of a cyberattack, while social engineering ploys raise its chance of success.
March 19, 2024

The BI.ZONE Threat Intelligence team has detected a previously unknown cluster, dubbed Fluffy Wolf, whose activity can be traced back to 2022. Since then, it has carried out at least 140 attacks on Russian companies. Although the cluster's technical skills are mediocre, the threat actors achieve their goals with just two sets of tools: legitimate remote access software and inexpensive malware. To gain initial access to target infrastructures, the adversaries send phishing emails with attachments disguised as reconciliation reports.

This simple and low-cost approach has proved effective: our findings show that at least 5% of employees of Russian companies open malicious attachments and click links in phishing emails. Running a campaign at scale is technically easy, and opening a single malicious attachment is enough to compromise an infrastructure. Not surprisingly, phishing was the initial access method in 68% of all targeted attacks on Russian organizations last year.

One of the latest Fluffy Wolf campaigns began with phishing emails sent on behalf of a construction firm. The message, titled "Reports to sign", carried an archive whose password was included in the file name, so an email gateway cannot open the archive for inspection while the recipient can. The archive contained a malicious file disguised as a legitimate document.

When opened, the file installed Meta Stealer and Remote Utilities. This gave the threat actors full control of the compromised computer: they could track the user's actions, transfer files, run commands, and interact with the Task Scheduler. Because Remote Utilities is a legitimate product, its installation does not look malicious on its own; the context, a remote access tool dropped together with a stealer from a phishing attachment, is what gives the activity away.
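The lure described above combines two tricks that are easy to check for at the mail gateway: an archive that carries its own password in its name, and an executable inside it dressed up as a document. The following is an added example, not code from the article or from BI.ZONE; it assumes the gateway has already extracted the archive, and the password wording list and the sample file names are constructed, since the campaign's exact names are not published. It also flags the right-to-left override character, a disguise the article does not mention but the same check naturally covers.

```python
import re
from pathlib import PurePosixPath

ARCHIVE_EXT = {".zip", ".rar", ".7z", ".gz", ".tgz", ".cab"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi", ".hta"}

# Hypothetical wording list: the article says the password sits in the archive
# name but does not publish the phrasing. Extend this per campaign.
PASSWORD_HINT = re.compile(r"(?:password|passwd|pwd|pass|пароль)\s*[:=_\-]?\s*\S+", re.IGNORECASE)


def suffixes(filename: str) -> list[str]:
    """All dotted suffixes of a file name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    return [s.lower() for s in PurePosixPath(filename.strip()).suffixes]


def password_in_archive_name(filename: str) -> bool:
    """Archive whose name carries its own password: the gateway cannot open it, the user can."""
    sfx = suffixes(filename)
    return bool(sfx) and sfx[-1] in ARCHIVE_EXT and PASSWORD_HINT.search(filename) is not None


def disguised_executable(filename: str) -> bool:
    """Executable dressed as a document: 'report.pdf.exe', or a right-to-left
    override (U+202E) that reverses the displayed extension."""
    if "\u202e" in filename:
        return True
    sfx = suffixes(filename)
    return bool(sfx) and sfx[-1] in EXECUTABLE_EXT and any(s in DOCUMENT_EXT for s in sfx[:-1])


def triage_email(attachments: list[str], archive_contents: dict[str, list[str]]) -> list[str]:
    """Return finding codes for one message.

    archive_contents maps an attachment name to the file names inside it, as
    listed by the gateway after it has pulled the password out of the name.
    """
    findings = []
    for att in attachments:
        if password_in_archive_name(att):
            findings.append(f"PASSWORD_IN_ARCHIVE_NAME:{att}")
        for inner in archive_contents.get(att, []):
            if disguised_executable(inner):
                findings.append(f"DISGUISED_EXECUTABLE:{att}/{inner}")
    return findings


# Constructed sample modelled on the lure in the article; the real names are not published.
SAMPLE_ATTACHMENTS = ["Reconciliation report (password 1234).zip"]
SAMPLE_CONTENTS = {"Reconciliation report (password 1234).zip": ["Reconciliation report.pdf.exe"]}

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_ATTACHMENTS, SAMPLE_CONTENTS):
        print(finding)
```

Either finding on its own is a strong signal; the pair together is the shape of this campaign. Treat the password-in-name check as a reason to extract and scan the archive, not as a verdict, since some legitimate senders also ship passwords this way.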

Cybercriminals buy Meta Stealer on darknet forums or through a dedicated Telegram channel. The stealer can be rented for as little as 150 dollars a month, while a permanent license costs 1,000 dollars. License prices for Remote Utilities, a legitimate product, depend on the buyer's needs and range from 29 to 12,000 dollars, and a basic version is available for free. The total cost of an attack is therefore very low.
Malware‑as‑a‑service solutions enable attackers with mediocre technical skills to advance attacks successfully. This drives the expansion of the threat landscape in Russia and other CIS countries.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

Meta Stealer is a clone of the popular RedLine stealer and is used to collect different types of information: credentials and cookies from Chromium- and Firefox-based browsers, as well as data from the free FileZilla FTP client, cryptocurrency wallets, and VPN clients. Unlike RedLine, the developers of Meta Stealer do not prohibit its use in attacks on Russian and other CIS organizations.
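On the endpoint, the two tools described above leave a complementary trace: a stealer reads several credential stores in quick succession from a process that is not a browser, and Remote Utilities appears as a host binary launched from a user-writable path. The following is an added example, not code from the article or from BI.ZONE; it runs two such detections over constructed Sysmon-style events. The on-disk store names are the real files of Chromium, Firefox and FileZilla, but the set, the browser list, the Remote Utilities binary names and the five-minute window are assumptions to verify against your own estate.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Files a RedLine-family stealer reads. Assumption: extend for the wallets and
# VPN clients present in your environment; the article does not enumerate them.
CREDENTIAL_STORES = {
    "login data", "cookies", "web data",         # Chromium-based browsers
    "logins.json", "key4.db", "cookies.sqlite",  # Firefox-based browsers
    "sitemanager.xml", "recentservers.xml",      # FileZilla client
}
# Processes allowed to touch those stores (assumption; tune to your estate).
OWNER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "browser.exe", "filezilla.exe"}

# Remote Utilities host binaries (assumption: verify against the build you see).
RUT_BINARIES = {"rutserv.exe", "rfusclient.exe"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict], window: timedelta = timedelta(minutes=5), min_stores: int = 3) -> list[str]:
    """Run both detections over events shaped like
    {'time': datetime, 'type': 'process_create'|'file_read', 'pid': int, 'image': str, 'path': str}.
    Returns alert strings; nothing is printed."""
    alerts = []
    touches: dict[tuple, list] = defaultdict(list)  # (pid, image) -> [(time, store)]
    for e in events:
        image = e["image"]
        name = _basename(image)
        if e["type"] == "process_create":
            # Legitimate installs live under Program Files; a copy dropped by a phishing payload does not.
            if name in RUT_BINARIES and not image.lower().startswith(TRUSTED_DIRS):
                alerts.append(f"REMOTE_UTILITIES_FROM_USER_PATH pid={e['pid']} image={image}")
        elif e["type"] == "file_read":
            store = _basename(e["path"])
            if store in CREDENTIAL_STORES and name not in OWNER_PROCESSES:
                touches[(e["pid"], image)].append((e["time"], store))
    # A stealer sweeps several stores within seconds; one stray read is not enough.
    for (pid, image), hits in touches.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stores = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stores) >= min_stores:
                alerts.append(f"CREDENTIAL_STORE_SWEEP pid={pid} image={image} stores={sorted(stores)}")
                break
    return alerts


# Constructed sample: a payload run from Temp sweeps browser and FileZilla stores,
# then drops a Remote Utilities host; Chrome reading its own store is benign.
T = datetime(2024, 3, 1, 10, 0, 0)
PAYLOAD = r"C:\Users\ivanov\AppData\Local\Temp\Reconciliation report.pdf.exe"
CHROME_STORE = r"C:\Users\ivanov\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"time": T, "type": "process_create", "pid": 4120, "image": PAYLOAD, "path": ""},
    {"time": T + timedelta(seconds=5), "type": "file_read", "pid": 4120, "image": PAYLOAD, "path": CHROME_STORE},
    {"time": T + timedelta(seconds=6), "type": "file_read", "pid": 4120, "image": PAYLOAD,
     "path": r"C:\Users\ivanov\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"time": T + timedelta(seconds=9), "type": "file_read", "pid": 4120, "image": PAYLOAD,
     "path": r"C:\Users\ivanov\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"time": T + timedelta(seconds=12), "type": "file_read", "pid": 4120, "image": PAYLOAD,
     "path": r"C:\Users\ivanov\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"time": T + timedelta(seconds=40), "type": "process_create", "pid": 4388,
     "image": r"C:\Users\ivanov\AppData\Roaming\Remote Utilities Agent\rutserv.exe", "path": ""},
    {"time": T + timedelta(minutes=1), "type": "file_read", "pid": 900,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "path": CHROME_STORE},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Neither rule is a substitute for blocking the lure at the gateway, but they catch the stage where the article says the damage happens: credentials leaving the machine and a remote access tool taking hold. Tune `OWNER_PROCESSES` and `TRUSTED_DIRS` first, since backup agents and legitimate Remote Utilities deployments are the usual sources of false positives.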

Earlier, Fluffy Wolf used other malware-as-a-service offerings, including WarZone RAT, which gave the threat actors control over the victim's computer. In some cases, they also installed XMRig, a cryptojacking tool.

Cybercriminal groups steal authentication data for a variety of purposes. For instance, they can resell access to compromised systems, which opens the door to a wide range of follow-on attacks; in particular, buyers can deploy ransomware and demand payment for restoring access to the infrastructure. In 2023, the largest ransom demanded from a Russian company amounted to 5 million dollars.

To withstand attacks like those of Fluffy Wolf, companies should combine several security solutions. The managed email security service BI.ZONE CESP helps protect your organization from phishing. Even if a malicious link is clicked, BI.ZONE Secure DNS prevents the connection to the adversary's server. Designed to guard against DNS-based threats, this service is integrated with the BI.ZONE Threat Intelligence platform, from which it receives information about malicious domains. The platform also provides the latest data on the threat landscape: the activity of threat actors, their tactics and techniques, malware, and exploited vulnerabilities. Companies rely on this information to enhance their cybersecurity posture and make strategic decisions.