Haste makes waste: Scaly Wolf’s attacks fail over a major blunder

Haste makes waste: Scaly Wolf’s attacks fail over a major blunder

Instead of the White Snake stealer, the group’s new loader installed a legitimate file on compromised devices
May 2, 2024

Scaly Wolf is notorious for its recurring attacks on organizations in Russia and Belarus. At the end of March, we recorded a spike in its activity with at least 6 phishing mailings sent out from different addresses. The group targeted government agencies, industrial and logistics enterprises.

Seeking to gain access to corporate data, the criminals used the White Snake stealer from their earlier campaigns. The malware can collect user credentials from browsers, record keystrokes, gain remote access to infected computers, copy documents, etc.

The attackers applied the same old scheme by masking phishing emails as official letters from federal agencies. After receiving a “notice from the regulator,” a victim was expected to open the attached ZIP archive. Previously, Scaly Wolf used to place the stealer into an archive. This time, however, the criminals opted for a malicious loader as a more sophisticated and seemingly more reliable method. When the archive was opened, the loader was supposed to inject itself into the File Explorer application and install the White Snake stealer.

The criminals upgraded the delivery method for their stealer to bypass defenses more effectively, but they were far too impatient. As a result, a legitimate explorer.exe file was copied to the system instead of the malware. That is, even if the archive was opened, the attackers could not achieve their main goal, which is to gain access to sensitive data and the compromised system.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

In the failed campaign, Scaly Wolf employed the latest version of White Snake that appeared on underground markets in late March. Back then, the stealer developers announced a spring sale, with a six‑month subscription down from $590 to $500, an annual subscription down from $1,100 to $800, and a lifetime license available for $1,000 rather than $1,950.

Last August, the developers informed that a customer had presumably modified their malware to evade the prohibition on attacks in Russia and other CIS countries. The statement followed the release of our research exploring the use of White Snake against Russian organizations. We believe that, with this statement, the developers wanted to avoid getting blocked on popular underground resources. The latest version of the stealer has no AntiCIS module.

In order to detect Scaly Wolf’s methods of gaining persistence on endpoints, we recommend implementing endpoint detection and response solutions, such as BI.ZONE EDR. Meanwhile, you can ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company with BI.ZONE Threat Intelligence. The solution provides information about current attacks, threat actors, their methods and tools.