A threat actor known as Paper Werewolf has been observed targeting exclusively Russian entities and deploying a new implant called PowerModul.
The activity, which took place between July and December 2024, singled out organizations in the mass media, telecommunications, construction, government and energy sectors, Kaspersky said in a new report released Thursday.
Paper Werewolf, also known as Goffee, is assessed to have run at least seven campaigns since 2022, according to BI.ZONE, and is primarily aimed at government, energy, finance, media and other organizations.
The attack chains employed by the threat actor have been observed to incorporate destructive components, and the intrusions go beyond the distribution of malware to changing the passwords of employee accounts.
The attack itself is initiated via a phishing email containing a macro-laced lure document. When the document is opened and the macro is enabled, it deploys a PowerShell-based Remote Access Trojan known as PowerRAT.
The malware is designed to serve as a conduit for the next-stage payloads: a custom version of the Mythic framework agent known as PowerTaskel, and QwakMyAgent. Another tool in the threat actor's arsenal is a malicious IIS module called Owowa, which is used to retrieve the Microsoft Outlook credentials entered by users of the web client.
The latest set of attacks documented by Kaspersky begins with a malicious RAR archive attachment containing an executable with a double extension (*.pdf.exe or *.doc.exe) that masquerades as a PDF or Word document. When the executable is launched, a decoy file is downloaded from a remote server and displayed to the user, while the infection proceeds to the next stage in the background.
“The file itself is a Windows system file (explorer.exe or xpsrchvw.exe), with some of its code patched with malicious shellcode,” Kaspersky said. “The shellcode is similar to what we saw in previous attacks, but also includes an obfuscated Mythic agent that immediately begins communicating with the command-and-control (C2) server.”

The alternative attack sequence is much more elaborate: it uses a RAR archive that embeds a Microsoft Office document with a macro that acts as a dropper for deploying and launching PowerModul, a PowerShell script that can receive and execute additional PowerShell scripts from a C2 server.
The backdoor is said to have been in use since 2024, and the threat actor first used it to download and run PowerTaskel on the compromised host. Some of the other payloads dropped by PowerModul are listed below –
- FlashFileGrabber: used to steal files from removable media such as flash drives and exfiltrate them to a C2 server
- FlashFileGrabberOffline: a variant of FlashFileGrabber that searches removable media for files with specific extensions and, if found, copies them to the local disk in the “%TEMP%\CachestoreConnect\connect” folder
- USB Worm: capable of infecting removable media with a copy of PowerModul
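As an added example (not code from the report or from Kaspersky), the following Python triage routine checks a file inventory from a mail gateway or endpoint for the two host-side artifacts described above: the double-extension lure names (*.pdf.exe, *.doc.exe), including the related case of a file named as a document whose content is actually a Windows executable, and files that land in the FlashFileGrabberOffline staging folder under %TEMP%. The extension sets are broadened beyond the two names on the page as an assumption, and the sample inventory is constructed for the demo.

```python
import re
from typing import NamedTuple

# Extensions used by the lure names described in the article (*.pdf.exe, *.doc.exe),
# broadened to a few other document/executable types as an assumption.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif"}

# Local staging folder the article attributes to FlashFileGrabberOffline
# (%TEMP%\CachestoreConnect\connect), matched case-insensitively with either separator.
STAGING_RE = re.compile(r"(?:^|[\\/])CachestoreConnect[\\/]connect(?:[\\/]|$)", re.I)


class Artifact(NamedTuple):
    path: str    # full path as recorded by the mail gateway or endpoint agent
    head: bytes  # first few bytes of the file content (constructed for the demo)


def split_extensions(filename: str) -> list[str]:
    """Return all lowercase extensions of a filename, e.g. 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def is_double_extension_executable(filename: str) -> bool:
    """True for names such as invoice.pdf.exe: a document extension in front of an executable one."""
    exts = split_extensions(filename)
    return len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS


def is_pe_header(head: bytes) -> bool:
    """Windows executables (PE images) start with the 'MZ' DOS stub signature."""
    return head[:2] == b"MZ"


def is_document_with_pe_content(filename: str, head: bytes) -> bool:
    """A file named like a document whose bytes are actually a PE image."""
    exts = split_extensions(filename)
    return bool(exts) and exts[-1] in DOCUMENT_EXTS and is_pe_header(head)


def in_staging_folder(path: str) -> bool:
    """True if the path lies inside the CachestoreConnect\\connect staging folder."""
    return STAGING_RE.search(path) is not None


def triage(artifacts: list[Artifact]) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for every artifact that matches at least one indicator."""
    findings = []
    for art in artifacts:
        filename = art.path.replace("\\", "/").rsplit("/", 1)[-1]
        reasons = []
        if is_double_extension_executable(filename):
            reasons.append("double-extension executable")
        if is_document_with_pe_content(filename, art.head):
            reasons.append("PE content under a document extension")
        if in_staging_folder(art.path):
            reasons.append("file inside the FlashFileGrabberOffline staging folder")
        if reasons:
            findings.append((art.path, reasons))
    return findings


# Constructed sample inventory (not real telemetry).
SAMPLE = [
    Artifact(r"C:\Users\alice\Downloads\invoice.pdf.exe", b"MZ\x90\x00"),
    Artifact(r"C:\Users\alice\Downloads\contract.doc.exe", b"MZ\x90\x00"),
    Artifact(r"C:\Users\alice\Downloads\report.pdf", b"%PDF-1.7"),
    Artifact(r"C:\Users\alice\Downloads\scan.pdf", b"MZ\x90\x00"),
    Artifact(r"C:\Users\alice\AppData\Local\Temp\CachestoreConnect\connect\budget.xlsx", b"PK\x03\x04"),
    Artifact(r"C:\Users\alice\Documents\notes.docx", b"PK\x03\x04"),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE):
        print(path, "->", "; ".join(reasons))
```

The name-based check alone misses a lure whose displayed name is a single document extension, which is why the header check is paired with it; conversely, a legitimate document in the staging folder is still worth a look, since the folder itself is the artifact.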
PowerTaskel is functionally similar to PowerModul in that it is designed to run PowerShell scripts sent from a C2 server. However, it can also send information about the target environment in the form of a “check-in” message, and run other commands received from the C2 server as tasks. It is also capable of escalating privileges using the PsExec utility.
In at least one instance, PowerTaskel is known not only to replicate the FlashFileGrabber functionality, but also to use a FolderFileGrabber component that can collect files over a hard-coded network path using the SMB protocol.
“For the initial infection, a Word document with a malicious VBA script was used for the first time,” Kaspersky says. “Recently, Goffee has been observed increasingly abandoning the use of PowerTaskel in favour of the binary Mythic agent during lateral movement.”
The disclosure comes as another threat group, called Sapphire Werewolf, has been attributed to a phishing campaign distributing an updated version of Amethyst, a derivative of the open-source SapphireStealer.
The stealer “gets credentials from various browsers like Telegram, Chrome, Opera, Yandex, Brave, Orbitum, Atom, Kometa and Edge Chromium, as well as FileZilla and SSH configuration files,” the Russian company said, and it can also obtain documents stored on removable media.