Cloud Werewolf spearphishes for government employees in Russia and Belarus with fake spa vouchers and federal decrees

BI.ZONE
Mar 29, 2024

The attackers use phishing emails with seemingly legitimate documents and evade defenses by hosting the malicious payload on a remote server and limiting its downloads.

The BI.ZONE Threat Intelligence team has revealed another campaign by Cloud Werewolf aiming at Russian and Belarusian government organizations. According to the researchers, the group ran at least five attacks in February and March. The adversaries continue to rely on phishing emails with Microsoft Office attachments. Placing malicious content on a remote server and limiting the number of downloads enables the attackers to bypass defenses.

Key findings

  1. Cloud Werewolf leverages topics that appeal to its targets to increase the likelihood that the malicious attachments get opened.
  2. The IT infrastructure of government organizations gives adversaries ample opportunity to exploit even old vulnerabilities. This is another reminder of how crucial it is to proactively remediate vulnerabilities, especially those used in real attacks.
  3. Placing the malicious payload on a remote server rather than inside an attachment increases the chances of bypassing defenses.

Campaign

Cloud Werewolf uses Microsoft Office documents with information targeting employees of government organizations. For instance, the file titled Путевки на лечение 2024.doc contains information on spa vouchers.

Excerpt from Путевки на лечение 2024.doc

Another document is a federal agency decree titled Приказ [redacted] № ВБ-52фс.doc.

Excerpt from Приказ [redacted] № ВБ-52фс.doc

Yet another document, Инженерная записка.doc, lists the requirements for an engineering memo for public works.

Excerpt from Инженерная записка.doc

Opening the attachment triggers the transfer of a document template from a remote source, such as https://triger-working[.]com/en/about-us/unshelling. The template is an RTF file that enables the attackers to exploit the CVE-2017-11882 vulnerability.

Successful exploitation and execution of the shellcode allow the adversaries to do the following:

  • decrypt the malicious payload within the shellcode by XORing it with a 2-byte key
  • download an HTA file with a VBScript from a remote server and open the file

The script triggers actions that:

  • reduce the size of the window and move it outside the screen boundaries
  • retrieve the path to the AppData\Roaming folder by reading the APPDATA parameter of the HKCU\Volatile Environment registry key
  • create the rationalistic.xml file and write the following files to its alternate data streams:
    rationalistic.xml:rationalistic.hxn, the file with malicious payload for connecting to the C2 server
    rationalistic.xml:rationalistic.vbs, one of the files responsible for decrypting and executing the malicious payload
    rationalistic.xml:rationalisticing.vbs, another file responsible for decrypting and executing the malicious payload
    rationalistic.xml:rationalisticinit.vbs, the file responsible for purging all the files in the folder C:\Users\[user]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\ as well as the contents of rationalistic.xml:rationalisticinit.vbs and rationalistic.xml:rationalisticing.vbs, which it does by opening the files in write mode
  • enable the autorun of rationalistic.xml:rationalistic.vbs by creating the defragsvc parameter with the value wscript /B "[path to the file rationalistic.xml:rationalistic.vbs]" in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • run rationalistic.xml:rationalisticing.vbs and rationalistic.xml:rationalisticinit.vbs with the help of the command wscript /B "[path to the file]"

By decrypting the malicious payload, the adversaries can:

  • obtain an object of interaction with network resources by accessing the registry hive CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}\ProgID
  • use the proxy server whose address was retrieved from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • verify the presence of the defragsvc parameter in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and create it if missing
  • stay connected to the server in an infinite loop
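The execution and persistence pattern described above (wscript /B launching a script stored in an alternate data stream, and a Run key value doing the same) can be hunted in endpoint telemetry. The following is an added example, not code from BI.ZONE: it assumes events shaped like Sysmon process-creation (EventID 1) and registry-value-set (EventID 13) records, and the sample events, user name, SID and AppData location are constructed.

```python
import re

SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)

def tokens(cmdline):
    """Split a Windows command line into quoted and bare tokens."""
    return [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def ads_args(cmdline):
    """Return script-host arguments of the form file:stream (NTFS alternate data stream)."""
    toks = tokens(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
        return []
    hits = []
    for tok in toks[1:]:
        if tok.startswith("/") or "://" in tok:   # switches (/B, //E:vbscript) and URLs
            continue
        leaf = re.sub(r"^[A-Za-z]:", "", tok).rsplit("\\", 1)[-1]  # drop drive, keep last component
        name, sep, stream = leaf.partition(":")
        if sep and name and stream:
            hits.append(tok)
    return hits

def hunt(events):
    """Return (index, finding) for events matching the behaviour described above."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1 and ads_args(ev["CommandLine"]):
            findings.append((i, "script host executing an alternate data stream"))
        elif ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]) and ads_args(ev["Details"]):
            findings.append((i, "Run key autostart pointing at an alternate data stream"))
    return findings

# Constructed sample events using Sysmon field names; user name, SID and the
# AppData\Roaming location of rationalistic.xml are placeholders/assumptions.
ADS = r"C:\Users\user1\AppData\Roaming\rationalistic.xml"
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": rf'wscript /B "{ADS}:rationalisticing.vbs"'},
    {"EventID": 1, "CommandLine": r'"C:\Windows\System32\wscript.exe" //E:vbscript "C:\Scripts\logon.vbs"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\defragsvc",
     "Details": rf'wscript /B "{ADS}:rationalistic.vbs"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(idx, finding)
```

The rule keys on the file:stream argument rather than on the names rationalistic.xml or defragsvc, so it still fires if those names change between campaigns.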

To obtain additional VBS files from the C2 server, the attackers send a GET request to the server’s address (e.g., https://web-telegrama[.]org/podcast/accademia-solferino/backtracker) with the User-Agent header Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) [domain name] Chrome/116.0.0.0 Safari/537.36 Edg/116.0.0.0. The device's domain is retrieved from the USERDOMAIN parameter of the HKCU\Volatile Environment registry key. Files under 1 MB are executed in memory; otherwise, they are saved to the file rationalistic.xml:rationalisticinit.vbs and launched with the help of wscript /B "[path to the file rationalistic.xml:rationalisticinit.vbs]". If executed from rationalistic.xml:rationalisticing.vbs, the name will be rationalistic.xml:rationalisticinginit.vbs. After execution, the file is purged by being opened in write mode.
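The User-Agent described above differs from a genuine Edge string only by the extra token placed between "(KHTML, like Gecko)" and "Chrome/", which makes it detectable in proxy logs and also reveals which internal domain the requesting host belongs to. The following is an added example, not code from BI.ZONE: the log format, IP addresses, hosts and the domain name CORP are constructed, and legitimate "Name/version" tokens such as the Android WebView "Version/4.0" are deliberately not flagged.

```python
import re

# Text between "(KHTML, like Gecko)" and the "Chrome/<version>" product token.
BETWEEN = re.compile(r"\(KHTML, like Gecko\)\s+(?P<extra>.*?)\s*\bChrome/\d")
PRODUCT = re.compile(r"^[^\s/]+/\S+$")   # ordinary "Name/version" product token
# Assumed log layout: timestamp, source IP, method, URL, quoted User-Agent.
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def inserted_tokens(user_agent):
    """Return tokens placed before Chrome/ that are not Name/version products."""
    m = BETWEEN.search(user_agent)
    if not m:
        return []
    return [t for t in m.group("extra").split() if not PRODUCT.match(t)]

def scan(lines):
    """Return (source IP, URL, inserted tokens) for requests with a tampered Chrome/Edge UA."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        extra = inserted_tokens(m.group("ua"))
        if extra:
            findings.append((m.group("src"), m.group("url"), extra))
    return findings

# Constructed proxy log lines: a genuine Edge UA, the tampered form described
# above with a made-up domain name, and an Android WebView UA as a benign control.
EDGE = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) {}Chrome/116.0.0.0 Safari/537.36 Edg/116.0.0.0")
WEBVIEW = ("Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36")
SAMPLE_LOG = [
    '2024-03-01T09:14:02Z 10.0.4.17 GET https://intranet.example/home "' + EDGE.format("") + '"',
    '2024-03-01T09:14:40Z 10.0.4.23 GET https://files.example.net/a/b "' + EDGE.format("CORP ") + '"',
    '2024-03-01T09:15:11Z 10.0.7.5 GET https://m.example.org/ "' + WEBVIEW + '"',
]

if __name__ == "__main__":
    for src, url, extra in scan(SAMPLE_LOG):
        print(src, url, extra)
```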

If rationalistic.xml:rationalistic.tmp (or rationalistic.xml:rationalisticing.tmp, depending on the active file) is available, the specified file is sent to the C2 server through a POST request. After sending, the file is purged by being opened in write mode.

More about Cloud Werewolf

  • The cluster has been active since at least 2014 and is also known as Inception and Cloud Atlas.
  • Cloud Werewolf is a state-sponsored threat actor focused on spying.
  • Attacks mostly government, industrial, and research organizations in Russia and Belarus.
  • At the post-exploitation stage, Cloud Werewolf can employ unique tools, such as PowerShower and VBShower, as well as Python scripts.
  • Uses LaZagne to obtain authentication data.
  • Uses Advanced IP Scanner to gather information about remote systems.
  • Uses AnyDesk as a backup channel to access compromised IT infrastructures.
  • Uses RDP and SSH to advance in compromised IT infrastructures.
  • Uses 7-Zip to archive the files retrieved from the compromised systems.
  • Deletes C2 server communication entries (e.g., from proxy server logs).

Indicators of compromise


MITRE ATT&CK

More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.

How to protect your company from such threats

Cloud Werewolf’s methods of gaining persistence on endpoints are hard to detect with preventive security solutions. Therefore we recommend that companies enhance their cybersecurity with endpoint detection and response practices, for instance, with the help of BI.ZONE EDR.

To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and to understand the threat landscape. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence platform. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.
