Fluffy Wolf sends out reconciliation reports to sneak into corporate infrastructures
The group has adopted a simple yet effective approach to gain initial access: phishing emails with an executable attachment. This way, Fluffy Wolf establishes remote access, steals credentials, or exploits the compromised infrastructure for mining.
The BI.ZONE Threat Intelligence team has detected a previously unknown cluster, dubbed Fluffy Wolf, whose activity can be traced back to 2022. The group uses phishing emails with password-protected archive attachments. The archives contain executable files disguised as reconciliation reports. They are used to deliver various tools to a compromised system, such as Remote Utilities (legitimate software), Meta Stealer, WarZone RAT, or XMRig miner.
Key findings
- Phishing emails remain an effective method of intrusion: at least 5% of corporate employees download and open hostile attachments.
- Threat actors continue to experiment with legitimate remote access software to enhance their arsenal with new tools.
- Malware-as-a-service programs and their cracked versions are expanding the threat landscape in Russia and other CIS countries. They also enable attackers with mediocre technical skills to advance attacks successfully.
The campaign
One of the latest campaigns began with the attackers sending out phishing emails, pretending to be a construction firm (fig. 1). The message titled Reports to sign had an archive with the password included in the file name.
The archive contained a file Akt_Sverka_1C_Doc_28112023_PDF.com
(a reconciliation report) that downloaded and installed Remote Utilities (a remote access tool) and launched Meta Stealer.
When executed, the malicious file performed the following actions:
- replicated itself in the directory
C:\Users\[user]\AppData\Roaming
, for example, asZnruogca.exe
(specified in the configuration) - created a
Znruogca
registry key with the value equal to the replicated file path, in the registry sectionHKCU\Software\Microsoft\Windows\CurrentVersion\Run
to run the malware after system reboot - launched the Remote Utilities loader that delivers the payload from the C2 server
- started a copy of the active process and injected Meta Stealer’s payload into it
The Remote Utilities installer is an NSIS (Nullsoft Scriptable Install System) that copies program modules to C:\ProgramData\TouchSupport\Bin
and runs the Remote Utilities executable—wuapihost.exe
.
Remote Utilities is a legitimate remote access tool that enables a threat actor to gain complete control over a compromised device. Thus, they can track the user’s actions, transmit files, run commands, interact with the task scheduler, etc. (fig. 2).
Meta Stealer is a clone of the popular RedLine stealer which is frequently used in attacks against organizations in Russia and other CIS countries. Among others, this stealer was employed by the Sticky Wolf cluster.
The stealer can be purchased on underground forums and the official Telegram channel (fig. 3)
A monthly subscription for the malware may cost as little as 150 dollars while a lifetime license can be purchased for 1,000 dollars. It is noteworthy that Meta Stealer is not banned in the CIS countries.
The stealer allows the attackers to retrieve the following information about the system:
- username
- screen resolution
- operating system version
- operating system language
- unique identifier (domain name + username + device serial number)
- time zone
- CPU (by sending a WMI request
SELECT * FROM Win32_Processor
) - graphics cards (by sending a WMI request
SELECT * FROM Win32_VideoController
) - browsers (by key enumeration in the register hives
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
andSOFTWARE\Clients\StartMenuInternet
) - software (by key enumeration in the register hives
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
) - security solutions (by sending WMI requests
SELECT * FROM AntivirusProduct
,SELECT * FROM AntiSpyWareProduct
andSELECT * FROM FirewallProduct
) - processes running (by sending a WMI request
SELECT * FROM Win32_Process Where SessionId='[running process session]'
) - keyboard layouts
- screenshots
Then it collects and sends the following information to the C2 server:
- files that match the mask specified in the configuration
- credentials and cookies from Chromium and Firefox-like browsers (browser paths are specified in the configuration)
- FileZilla data
- cryptocurrency wallet data (specified in the configuration)
- data from the VPN clients installed on the compromised device (NordVPN, ProtonVPN)
We were also able to link this cluster to some previous campaigns that used different sets of tools:
- a universal loader that spreads the payloads of the Remote Utilities installer and the Meta Stealer
- an installer with the Meta Stealer payload that downloads Remote Utilities from the C2 server
- the Remote Utilities installer only, without Meta Stealer
- WarZone RAT, another malware-as-a-service solution, instead of Remote Utilities
- a loader for Remote Utilities, Meta Stealer, and WarZone RAT in a single file
- a miner as an additional tool
Conclusions
The duration and variety of attacks conducted by clusters of activity such as Fluffy Wolf prove their effectiveness. Despite the use of fairly simple tools, the threat actors are able to achieve complex goals. This once again highlights the importance of threat intelligence. Having access to the latest data, companies can promptly detect and eliminate malicious activity at the early stages of the attack cycle.
Indicators of compromise
bussines-a[.]ru
3aaa68af37f9d0ba1bc4b0d505b23f10a994f7cfd9fdf6a5d294c7ef5b4c6a6a
794d27b8f218473d51caa9cfdada493bc260ec8db3b95c43fb1a8ffbf4b4aaf7
MITRE ATT&CK
More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.
How to protect your company from such threats
Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.
To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and to understand the threat landscape. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence platform. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.