
A threat actor known as Paper Werewolf has been observed targeting Russian groups with a new implant called PowerModul.
The activity, which took place between July and December 2024, singled out organizations in the mass media, telecommunications, construction, government and energy sectors, Kaspersky said in a new report released Thursday.
Paper Werewolf, also known as GOFFEE, is assessed to have run at least seven campaigns since 2022, according to BI.ZONE, primarily targeting government, energy, finance, media and other organizations.
The attack chains mounted by the threat actor have been observed to incorporate a destructive component, with intrusions going beyond the distribution of malware to change the passwords of employee accounts.
The attack itself is initiated via a phishing email carrying a macro-laced lure document. When the document is opened and macros are enabled, it deploys a PowerShell-based remote access trojan known as PowerRAT.

The malware is designed to deliver the next-stage payload, a custom version of the Mythic framework agent known as PowerTaskel and QwakMyAgent. Another tool in the threat actor's arsenal is a malicious IIS module called Owowa, which is used to retrieve the Microsoft Outlook credentials entered by users of the web client.
The latest set of attacks documented by Kaspersky begins with malicious RAR archive attachments containing an executable that uses a double extension (*.pdf.exe or *.doc.exe) to masquerade as a PDF or Word document. When the executable is launched, a decoy file is downloaded from a remote server and displayed to the user, while the infection proceeds to the next stage in the background.
“The file itself is a Windows system file (explorer.exe or xpsrchvw.exe), with some of the code patched with malicious shellcode,” Kaspersky said. “The shellcode is similar to what we saw in previous attacks, but also includes an obfuscated Mythic agent that immediately begins communicating with the command-and-control (C2) server.”
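As an added illustration of why the double-extension lure works and how a mail gateway or sandbox could flag it (example code added here, not from Kaspersky's report or the malware itself): a Python check run over a constructed list of archive member names. The extension lists and the sample names are assumptions, not data from the report.

```python
from typing import List

# Assumption: representative, not exhaustive, sets of extensions.
# Outer extensions Windows will execute directly.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "ps1"}
# Inner extensions an attacker uses so the file looks like a document.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}


def split_extensions(name: str) -> List[str]:
    """Return every extension of an archive member, lowercased and trimmed.
    'docs/Report .pdf.exe' -> ['pdf', 'exe']; a name without a dot -> []."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # drop any path inside the archive
    parts = base.split(".")
    if len(parts) < 2:
        return []
    return [p.strip().lower() for p in parts[1:]]


def displayed_name(name: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is hidden, so 'Contract.pdf.exe' appears as 'Contract.pdf'."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    head, sep, _ = base.rpartition(".")
    return head if sep else base


def is_disguised_executable(name: str) -> bool:
    """True when the last extension is executable and the one before it is a
    document type, i.e. the *.pdf.exe / *.doc.exe pattern in the article."""
    exts = split_extensions(name)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTENSIONS and exts[-2] in DOCUMENT_EXTENSIONS


def flag_archive_members(members: List[str]) -> List[str]:
    """Return the members of an archive listing that match the disguise pattern."""
    return [m for m in members if is_disguised_executable(m)]


# Constructed sample listing of a RAR/ZIP attachment (not real indicators).
SAMPLE_MEMBERS = [
    "Contract_2024.pdf.exe",   # classic double extension
    "Invoice.doc .exe",        # padding space before the real extension
    "report.docx",             # genuine document
    "archive.tar.gz",          # two extensions, but neither is executable
    "Setup.exe",               # plain executable, not disguised as a document
    "notes.PDF.SCR",           # mixed case, screensaver executable
]

if __name__ == "__main__":
    for m in flag_archive_members(SAMPLE_MEMBERS):
        print(f"flagged: {m!r} (shown to the user as {displayed_name(m)!r})")
```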

An alternative attack sequence is much more elaborate, using a RAR archive that embeds a Microsoft Office document with a macro that acts as a dropper to deploy and launch PowerModul, a PowerShell script that can receive and execute additional PowerShell scripts from a C2 server.
The backdoor is said to have been in use since 2024, with the threat actor first using it to download and run PowerTaskel on the compromised host. Some of the other payloads dropped by PowerModul are listed below:
- FlashFileGrabber, which is used to steal files from removable media such as flash drives.
- A variant of FlashFileGrabber that searches removable media for files with specific extensions and copies them to the local disk within a “CacheStore” folder.
- A component that infects removable media with a copy of PowerModul.
PowerTaskel is functionally similar to PowerModul in that it is designed to run PowerShell scripts sent from a C2 server. However, it can also send information about the target environment in the form of a “check-in” message and run other commands received from the C2 server as tasks. It is also equipped to escalate privileges using the PsExec utility.

In at least one instance, PowerTaskel is known not only to replicate the functionality of FlashFileGrabber but also to use a FolderFileGrabber component, which includes the ability to collect files over hard-coded network paths using the SMB protocol.
“For the first time, we observed Word documents with a malicious VBA script being used for initial infection,” Kaspersky said. “Recently, we have observed Goffee increasingly abandoning the use of PowerTaskel in favour of the binary Mythic agent during lateral movement.”
The development comes as BI.ZONE has attributed a phishing campaign distributing a stealer to another threat group it calls Sapphire Werewolf.
The stealer “retrieves credentials from Telegram and various browsers such as Chrome, Opera, Yandex, Brave, Orbitum, Atom, Kometa and Edge Chromium, as well as FileZilla and SSH configuration files,” the Russian company said, adding that it also collects documents stored on removable media.