Bloody Wolf strikes organizations in Kazakhstan with STRRAT commercial malware

BI.ZONE
Jul 31, 2024


Since late 2023, BI.ZONE Threat Intelligence experts have been tracking the activity of Bloody Wolf. The cluster attacks organizations in Kazakhstan with STRRAT, a commercial malware also known as Strigoi Master. The attackers send out phishing emails on behalf of the Ministry of Finance of the Republic of Kazakhstan and other agencies. The emails have PDF attachments with download links for the malware and for a Java interpreter installation guide (the malware needs the interpreter to run).

Key findings

  1. The adversaries continue to experiment with commercial malware to advance attacks on a variety of organizations.
  2. Using less common file types such as JAR enables the attackers to bypass defenses.
  3. Employing legitimate web services such as Pastebin to communicate with the compromised system makes it possible to evade network security solutions.

Campaign

The victim receives a phishing email with a PDF attachment posing as a non-compliance notice and containing links to malicious JAR files.

Excerpt from the circulated phishing document

The document also provides two links to an installation guide for the Java interpreter required for the malware to function.

Links to the Java interpreter installation guide

It is noteworthy that the second link redirects to the country’s government website that encourages visitors to install Java for the correct operation of the e-government portal.

Guide posted on the government website

The malicious files are hosted on a phishing resource within the egov-kz[.]online domain, which mimics the website of the Kazakhstan government. The files are samples of STRRAT, malware that could earlier be purchased on underground resources for $80.

Once launched, the STRRAT sample downloads the dependencies, including system-hook keylogger libraries that are publicly accessible on GitHub.

The malware copies its own file to C:\Users\[user]\AppData\Roaming.

If the respective command line arguments are available, the program creates a file to identify the port to connect to. The file would be placed in the directory C:\Users\[user]\ as [port]lock.file. In case the argument has not been passed, the information is retrieved from the configuration located at resources\config.txt. In the case being reviewed, the port number is 15270.

If the configuration has the required option, a task is created in the scheduler to run every 30 minutes. The task is named to look legitimate and resemble the Skype application.

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\1CUpdaterKZ.jar"

If the configuration has the required option, a parameter for achieving persistence is created in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

If the configuration has the required option, a copy of the malicious file is created in the startup directory, for example C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1CUpdaterKZ.jar.
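The three persistence mechanisms described above can be hunted for in endpoint telemetry. The following is an added example, not code from the report or from BI.ZONE: the event schema, function names and the list of watched directories and extensions are assumptions, and the sample events are constructed (only the schtasks command line is taken from the report).

```python
import re

USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
RISKY_EXT = (".jar", ".js", ".vbs", ".wsf")
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
STARTUP_DIR = "\\start menu\\programs\\startup\\"

def option(cmdline, name):
    """Value of a schtasks switch such as /tn or /tr (quoted or bare), else None."""
    m = re.search(rf'(?i)\s/{name}\s+(?:"([^"]*)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else None

def risky_target(value):
    """True for a script/JAR path that lives in a user-writable directory."""
    v = value.strip().strip('"').lower()
    return v.endswith(RISKY_EXT) and bool(USER_WRITABLE.search(v))

def persistence_findings(events):
    """Return (mechanism, name, target) for each suspicious persistence event."""
    out = []
    for ev in events:
        if ev["type"] == "process":
            cl = ev["cmdline"]
            if re.search(r"(?i)\bschtasks(\.exe)?\s.*/create\b", cl):
                target = option(cl, "tr")
                if target and risky_target(target):
                    out.append(("scheduled_task", option(cl, "tn"), target))
        elif ev["type"] == "registry_set":
            if ev["key"].lower().endswith(RUN_KEY) and risky_target(ev["data"]):
                out.append(("run_key", ev["value"], ev["data"]))
        elif ev["type"] == "file_create":
            p = ev["path"].lower()
            if STARTUP_DIR in p and p.endswith(RISKY_EXT):
                out.append(("startup_folder", None, ev["path"]))
    return out

# Constructed events; the first command line is the one quoted in the report.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'cmd /c schtasks /create /sc minute /mo 30 '
     r'/tn Skype /tr "C:\Users\admin\AppData\Roaming\1CUpdaterKZ.jar"'},
    {"type": "process", "cmdline": r'schtasks /create /sc daily /tn VendorUpdate '
     r'/tr "C:\Program Files\Vendor\update.exe"'},
    {"type": "registry_set", "value": "1CUpdaterKZ",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r'"C:\Users\admin\AppData\Roaming\1CUpdaterKZ.jar"'},
    {"type": "file_create", "path": r"C:\Users\admin\AppData\Roaming\Microsoft"
     r"\Windows\Start Menu\Programs\Startup\1CUpdaterKZ.jar"},
]
```

The task name is not used for matching, because a name such as Skype is chosen to look legitimate; the check keys on what the task runs and from where.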

Running the file from the new location initializes a connection to the C2 server, in particular https://pastebin[.]com/raw/dFKy3ZDm:13570 and https://pastebin[.]com/raw/dLzt4tRB:13569.

The malware collects information about the system, including the device name and supported languages by addressing the registry keys HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME and HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS, respectively.

Besides, the malware sends WMI queries with the command wmic.exe to retrieve data about disks, architecture, operating system version, and antivirus software:

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"

STRRAT can process a range of commands from the C2 server, namely:

  • Reboot the system with cmd.exe /c shutdown /r /t 0.
  • Shut down the system with cmd.exe /c shutdown /s /t 0.
  • Remove malware components from the compromised system.
  • Download and execute additional files from the specified network locations.
  • Download and execute files from the C2 server. The malware can run Visual Basic, JavaScript, and WSF files with the command wscript [downloaded file name], compiled Java files with exe -jar [downloaded file name], and common executables with cmd.exe /c [downloaded file name].
  • Run commands interactively at the Windows command line.
  • Run commands interactively through the PowerShell interpreter.
  • Remotely manage the files in the compromised system with cmd.exe /c [file path] and other commands.
  • Intercept keystrokes using the system-hook library.
  • Retrieve a list of running processes with the command cmd.exe /c wmic /node:. /namespace:'\\root\cimv2' path win32_process get name,processid,commandline /format:list.
  • Manage the list of startup programs. The current list of startup programs can be retrieved using the command cmd.exe /c wmic /node:. /namespace:'\\root\cimv2' path win32_startupcommand get name,location /format:list.
  • Control the victim’s browser remotely:
    - Start either browser present in the system (Chrome, Firefox):
    chrome.exe --new-window data:text/html,<title>Strigoi Browser</title> --mute-audio --disable-audio --window-position=[screen width - 5],[screen height - 100]
    firefox.exe -new-window data:text/html,<title>Strigoi Browser</title>
    - Hide the window with ShowWindow([hwnd], 0).
    - Set the window as a floating toolbar (the window won’t be displayed on the taskbar) with SetWindowLong([hwnd], -20, 128).
    - Unhide the window.
    - Transmit the browser page image to the C2 server.
    - Emulate mouse and keystrokes in the created browser window.
  • Move the window to the coordinates 10,000, 10,000.
  • Control remotely the target device’s screen through its own protocol that transfers the screen to the server side and the keystrokes to the victim side.
  • Install a proxy for the compromised system.
  • Download and run HRDP to establish a remote connection from the remote resource in the program memory. For this purpose, a new account is created with cmd.exe /c net user [username] [password] /add and the usernames on the authorization screen are hidden with cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "dontdisplaylastusername" /t REG_DWORD /d 1 /f. The profile of the current browser is copied for the newly created account. The username is generated randomly and contains five characters. After the session terminates, the account is deleted with the sequence of commands:
    cmd.exe /c net user [username] /delete
    cmd.exe /c wmic /node:. /namespace:'\\\\root\cimv2' path win32_userprofile where "LocalPath='[username]'" delete
    cmd.exe /c reg add HKLM\Software\Microsoft\CurrentVersion\Policies\System /v "dontdisplaylastusername" /t REG_DWORD /d 0 /f
  • Collect account data from the browsers Chrome, Firefox, Internet Explorer and the mail clients Foxmail, Outlook, Thunderbird.
  • Restart the process with administrator privileges using verb runas.
  • Encrypt and decrypt user files in the directories Downloads, Documents, and Desktop by applying the AES algorithm. The encrypted files receive a .crimson extension.

Indicators of compromise


MITRE ATT&CK

Detection

The BI.ZONE EDR rules below can help organizations detect the described malicious activity:

win_using_schtasks_to_create_suspicious_task
win_creation_task_that_run_file_from_suspicious_folder
win_access_to_paste_services_from_nonbrowsers
win_suspicious_security_software_discovery
win_using_standard_tool_to_create_new_user
win_possible_browser_stealer_activity
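
The behaviours in this report can also be matched in generic process and DNS telemetry. The following is an added example and not BI.ZONE EDR rule logic: the rule names, event fields, browser list and sample events are constructed, and the patterns are derived only from the command lines quoted in this article.

```python
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
PASTE_HOSTS = {"pastebin.com"}  # assumption: extend with other paste services

# Hypothetical rule names mapped to patterns over a process command line.
CMD_RULES = {
    "av_discovery": re.compile(r"wmic.*securitycenter.*antivirusproduct", re.I),
    "local_user_add": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "hide_last_username": re.compile(
        r"\breg(\.exe)?\s+add\s.*dontdisplaylastusername.*/d\s+1\b", re.I),
}

def match_event(ev):
    """Return the set of rule names that a single event triggers."""
    if ev["type"] == "process":
        return {n for n, rx in CMD_RULES.items() if rx.search(ev["cmdline"])}
    if ev["type"] == "dns":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        host = ev["query"].lower().rstrip(".")
        if host in PASTE_HOSTS and image not in BROWSERS:
            return {"paste_from_nonbrowser"}
    return set()

def triage(events, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired, with the rules."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= match_event(ev)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}

# Constructed telemetry: WS-01 shows the reported behaviour, WS-02 is benign.
SAMPLE = [
    {"host": "WS-01", "type": "dns", "query": "pastebin.com",
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe"},
    {"host": "WS-01", "type": "process", "cmdline": r"wmic /node:localhost "
     r"/namespace:'\\root\securitycenter' path antivirusproduct get displayname"},
    {"host": "WS-01", "type": "process",
     "cmdline": "cmd.exe /c net user kqzvx Example-Pw1 /add"},
    {"host": "WS-02", "type": "dns", "query": "pastebin.com",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "WS-02", "type": "process", "cmdline": "cmd.exe /c net user"},
]
```

Requiring several distinct rules per host keeps single noisy signals, such as an administrator listing accounts or a user opening a paste in a browser, out of the result.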

How to protect your company from such threats

Attacks like those by Bloody Wolf must be not only detected but also neutralized before they affect the infrastructure. To protect your company against advanced threats, we recommend implementing endpoint detection and response practices, for instance with BI.ZONE EDR. The service enables early detection of attacks and immediate incident response, either automated or manual.

To stay ahead of threat actors, you need to be aware of the methods they use when attacking various infrastructures. Understanding the real threat landscape is a massive advantage against adversity. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. The solution provides information about the current attacks, threat actors, their methods and tools. This data helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.
