Scaly Wolf uses White Snake stealer against Russian industry

BI.ZONE
Feb 2, 2024


The group, which has been on the radar since the summer of 2023, conducted several phishing campaigns using Russian regulatory body and law enforcement identities.

The BI.ZONE Threat Intelligence team has identified at least a dozen campaigns linked to Scaly Wolf. The impact spreads across organizations from various industries in Russia, including manufacturing and logistics.

One of the group’s characteristic ways of gaining initial access is phishing emails designed to look like legitimate correspondence from Russian public authorities. The group’s phishing arsenal includes regulatory requirements and inquiries from Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), the Investigative Committee, and the Military Prosecutor’s Office, as well as court orders and other regulatory prescriptions. In rare cases, the attackers disguise the letters as sales proposals. In all cases, the text of the email sounds official and well put together, which makes the mailing convincing, builds user trust, and encourages the user to launch the malicious attachment. The attack results in the system being infected with the White Snake stealer and the subsequent theft of corporate data. We wrote about this earlier.

Key findings

  1. Stealers remain one of the most popular types of malware distributed by attackers. Many of them now have additional features, which allows stealers to be used effectively for targeted and sophisticated attacks.
  2. The malware-as-a-service model enables attackers to avoid spending time on developing malware and simply obtain a finished product. As with legitimate software, cracked versions of commercial malware often end up in the public domain.
  3. Despite many developers prohibiting the distribution of their malware in Russia and other CIS countries, attackers find ways to modify and use it in these regions. This once again emphasizes the importance of monitoring underground networks in order to identify such threats before they are used against Russian organizations.

The malware

As mentioned earlier, White Snake is Scaly Wolf’s weapon of choice, which is another distinctive characteristic of the group. The stealer first surfaced on the darknet in February 2023 as a tool for targeted attacks. White Snake is also distributed through a dedicated Telegram channel.

The stealer can cost as little as $140 per month, and adversaries do not even need experience to operate it: an attack with this malware is as easy as renting it. This generates high demand for the program. The ability to rent or purchase this class of malware significantly reduces the level of expertise attackers need to execute targeted attacks.

White Snake can be run cross-platform using a downloader written in Python. On the Windows platform, the stealer implements the following features:

  • Remote access trojan
  • XML-based customization
  • Keylogger for stealing keystroke data

A successful attack can give the adversary access to multiple corporate resources, such as a mail server and a CRM. The malware can collect authentication data (passwords stored in browsers and other applications, cryptocurrency wallet data), copy files, record keystrokes, and remotely access the compromised device. In addition, the stealer uses the Serveo.net service for SSH access to the infected machine, enabling the criminal to execute commands on the compromised host, including downloading additional modules for post-exploitation tasks. Another feature of White Snake is sending notifications about newly infected devices to a Telegram bot.

With the appearance of White Snake on the black market, BI.ZONE Threat Intelligence began to monitor its activity online and its use against various organizations. Despite all the prohibitions on employing the stealer against CIS countries, attacks on Russian organizations have been detected. The discovered activity clearly showed a similar set of tactics, techniques, and procedures (TTPs), which is why some of the attacks involving White Snake were attributed to the Scaly Wolf group. A distinctive approach of the group is to send phishing emails that are similar in design and pose as genuine government correspondence. Another typical characteristic is that the malware is almost always in a password-protected ZIP archive, with the password contained in the archive file name. For example, Требование CK от 08.08.23 ПАРОЛЬ — 123123123.zip (the password being 123123123).

Campaign timeline

June

Scaly Wolf first made itself known in June 2023, targeting Russian organizations under the guise of a Roskomnadzor requirement. Back then, the BI.ZONE Threat Intelligence team paid close attention to the White Snake activity and later began tracking the group behind it. As part of the campaign, the victim received a phishing email with an attached archive Требование Роскомнадзор № 02-12143(пароль-12121212).rar (a Roskomnadzor requirement) containing the following files:

  • Требование РОСКОМНАДЗОР № 02-12143.odt
  • Attachment to the Roskomnadzor requirement
  • РОСКОМНАДЗОР.png

The first file (fig. 1) is a phishing document that aims to lure the victim into opening the second file, which is the White Snake stealer.

Fig. 1. Text from the phishing document

July

We identified a new White Snake phishing email purportedly from the Investigative Committee of the Russian Federation. The subject line of the email (fig. 2) mentioned a criminal investigation related to tax evasion (Investigative Committee inquiry in connection with a tax evasion investigation). Attached to it was a password-protected archive Запрос ГСУ СК РФ Уклонение от налогов № 7711 от 18.07.2023 пароль 12121313.zip (a tax evasion inquiry from the Investigative Committee). Inside were the following documents:

  • Права и обязанности и процедура ст. 164, 170, 183 УПК РФ.rtf (the rights, obligations, and procedure under the Criminal Procedure Code of the Russian Federation)
  • Перечень предприяти, уклонения от уплаты налогов, банковские счета, суммы уклонения, схема.exe (details about organizations suspected of tax evasion)

As in the June campaign, the second file was disguised as an attachment to a harmless document, although in fact it was the stealer.

Fig. 2. Text from the phishing email

August

The criminals continued to push the Investigative Committee ploy. On August 7, a new email distributing White Snake was found, this time under the pretense of sharing a requirement from the Investigative Committee (fig. 3). The following archives were attached to the mailing:

  • Требование CK от 08.08.23 ПАРОЛЬ — 123123123.zip
  • Требование CK от 07.08.23 ПАРОЛЬ — 12312312.zip

The archives also contained documents like Требование CK от 07.08.23 ПАРОЛЬ — 12312312\ГCУ CK PФ запрос.docx (an Investigative Committee inquiry) and an executable file Перечень юридических лиц и физических лиц в рамках уклонения, сумы уклонения.exe (legal entities and individuals suspected of evasion, sums of evasion).

Fig. 3. Text from a phishing document

September

On September 1, we detected a new wave of White Snake attacks. The adversaries decided to move away from intimidating topics related to Roskomnadzor or the Investigative Committee, at least temporarily. This time the letters were sent out under the guise of a sales proposal. A potential victim would receive a phishing email with a password-protected archive that could have one of the following names:

  • КП от 01.09.23 (Пароль к архиву — 121212).zip (a sales proposal with the archive password)
  • КП от 01.09.23 (пароль к архиву — 121212).rar (a sales proposal with the archive password)
  • КП 12119- тех.док.rar (a sales proposal)

In the September 6 mailing, the archive still contained a malicious executable disguised as a document attachment. However, on September 12, the file had the CMD extension:

C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa1872.39116\SP 12119- tech.doc.cmd" "
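The two attachment traits described on this page, a password-protected archive whose password is written into the archive name and an executable (or, as in the September 12 mailing, a .cmd file with a document-like double extension) bundled next to decoy documents, are both cheap to check at the mail gateway or in a sandbox report. The following added example is not BI.ZONE code or part of the original post; it is a small Python triage routine that extracts the password hint from an archive name and flags suspicious member names. The archive names come from the file names quoted on this page; the member lists and the `triage_attachment`, `extract_password` and `classify_name` helpers are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Password hints seen in the archive names on this page, e.g.
# "ПАРОЛЬ — 123123123", "(пароль-12121212)", "Пароль к архиву — 121212", "пароль 1628".
# re.IGNORECASE applies Unicode case folding, so "ПАРОЛЬ" and "пароль" both match.
PASSWORD_IN_NAME = re.compile(
    r"парол[ья]\s*(?:к\s+архиву)?\s*[-—–:]*\s*(\d{4,})",
    re.IGNORECASE,
)

ARCHIVE_EXT = {".zip", ".rar", ".7z"}
EXECUTABLE_EXT = {".exe", ".cmd", ".bat", ".scr", ".com", ".vbs", ".js", ".ps1"}
DOCUMENT_EXT = {".doc", ".docx", ".rtf", ".odt", ".pdf", ".xls", ".xlsx"}


def classify_name(name: str) -> tuple[str, str | None]:
    """Return (final_ext, inner_ext), lowercased.

    inner_ext is the alphabetic extension immediately before the final one
    ("tech.doc.cmd" -> (".cmd", ".doc")); dotted dates such as "08.08.23" are ignored.
    """
    lower = name.lower()
    stem, dot, final = lower.rpartition(".")
    if not dot:
        return "", None
    _, inner_dot, inner = stem.rpartition(".")
    inner_ext = "." + inner if inner_dot and inner.isalpha() else None
    return "." + final, inner_ext


def extract_password(archive_name: str) -> str | None:
    """Return the numeric password embedded in an archive name, or None."""
    match = PASSWORD_IN_NAME.search(archive_name)
    return match.group(1) if match else None


@dataclass
class Finding:
    archive: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_attachment(archive_name: str, members: list[str]) -> Finding:
    """Flag the Scaly Wolf attachment pattern: password in the archive name,
    executables inside, double extensions, and decoy documents next to executables."""
    finding = Finding(archive_name)
    archive_ext, _ = classify_name(archive_name)
    password = extract_password(archive_name)
    if archive_ext in ARCHIVE_EXT and password:
        finding.reasons.append(f"archive password shipped in its own name: {password}")

    executables, decoys = [], []
    for member in members:
        ext, inner = classify_name(member)
        if ext in EXECUTABLE_EXT:
            executables.append(member)
            finding.reasons.append(f"executable inside archive: {member}")
            if inner in DOCUMENT_EXT:
                finding.reasons.append(f"double extension masquerading as document: {member}")
        elif ext in DOCUMENT_EXT:
            decoys.append(member)
    if executables and decoys:
        finding.reasons.append("decoy document(s) bundled with executable")
    return finding


if __name__ == "__main__":
    # Constructed samples: archive names from this page, member lists made up for the demo.
    samples = [
        ("Требование CK от 08.08.23 ПАРОЛЬ — 123123123.zip",
         ["ГCУ CK PФ запрос.docx", "Перечень юридических лиц.exe"]),
        ("КП 12119- тех.док.rar", ["SP 12119- tech.doc.cmd"]),
        ("quarterly-report.zip", ["report.pdf"]),
    ]
    for archive, members in samples:
        result = triage_attachment(archive, members)
        print(archive, "->", "SUSPICIOUS" if result.suspicious else "clean")
        for reason in result.reasons:
            print("   ", reason)
```

The password regex is deliberately loose about separators (space, hyphen, em dash, en dash, colon) because the campaigns above vary them from month to month; the stable signal is the word "пароль" followed by a run of digits in the name of an archive attachment, which legitimate correspondence has little reason to produce.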

October

The Scaly Wolf group decided to continue distributing emails with intimidating content. Starting from October 2, they went back to sending phishing emails on behalf of the Investigative Committee. The emails referred to a criminal investigation and carried subject lines such as:

  • Investigation inquiry in connection with criminal case №11091007706001194, Russia’s Investigative Committee
  • Investigation inquiry in connection with criminal case №11091007706001194, the Investigative Committee of the Russian Federation
  • Investigation requirement under criminal case №11091007706011194, Russia’s Investigative Committee
  • Investigation inquiry under criminal case №11091007706011194, the Investigative Committee of the Russian Federation

The letter was accompanied by a PDF Запрос следователя (уклонение от уплаты налогов) — копия.pdf (an investigator's tax evasion inquiry) designed to divert the victim’s attention (fig. 4). It stated that the addressee should appear before the Investigative Committee for questioning as a witness in a forged documents case.

As before, the malicious executable file (fig. 5) was located together with the benign documents in the archive.

In addition to this file, there was an archive called Трeбoвaниe 19098 СК РФ от 07.09.23 ПАРОЛЬ — 123123123.zip (another requirement of the Investigative Committee) with the White Snake stealer under the following file names:

  • Перечень юридических лиц и физических лиц в рамках уклонения, сумы уклонения.exe (legal entities and individuals suspected of tax evasion, sums of evasion)
  • Перечень юридических лиц и предприятий, уклонение от уплаты налогов, требования и дополнительные материалы.exe (details about legal entities and enterprises suspected of tax evasion)

Fig. 4. Attachments to a phishing email

Fig. 5. Phishing document

On October 16, a similar email was discovered also containing a PDF file and an archive (fig. 6).

Fig. 6. Phishing email with attachments

November

Throughout November, we continued to come across new malicious email campaigns with the White Snake stealer. For example, on November 2, the group started distributing emails informing potential victims about a court order. However, the attackers did not use an archive and immediately attached the executable file Постановление о производстве выемки и прилагаемые к запросу материалы.exe (an order of seizure and the materials relevant to the inquiry).

On November 13, the threat actors returned to their tested method of phishing and social engineering; namely, sending emails disguised as requirements from the Investigative Committee. Just as before, a victim received a password-protected archive named Трeбoвaниe 19225 СК РФ от 31.10.2023 ПАРОЛЬ — 11223344.zip (an Investigative Committee requirement) (fig. 7), which in turn contained more documents and the executable file Перечень юридических лиц и физических лиц в рамках уклонения, сумы уклонения.exe (legal entities and individuals suspected of evasion, sums of evasion).

Fig. 7. Attachments to phishing email

That same month, on November 20, we discovered a new email trying to conceal the White Snake stealer as regulatory documents. This time, the attackers asked the recipient to provide supplements for a contract attached to the email. In fact, the attachment contained an archive with an executable PE file inside (fig. 8).

Fig. 8. Text from the phishing email

January 2024

After a short break in December, the group returned in early 2024. While earlier the attackers pretended to be the Investigative Committee of the Russian Federation and Roskomnadzor, the new campaign was crafted around the Military Prosecutor’s Office of the Russian Federation. The subject lines in this campaign went as follows:

  • Seizure pursuant to the investigation of criminal case №111801400013001322, the Military Prosecutor’s Office of the Russian Federation
  • Requirement pursuant to the investigation of criminal case №111801400013001322 MPO RF
  • Seizure pursuant to the investigation of criminal case №111801400013001322 MPO RF

Figure 9 shows the email enclosed with an archive named Постановление о производстве выемки (ЄЦП) — пароль 1628.zip (an order of seizure), which contained the document Права и обязанности и процедура ст. 164, 170, 183 УПК РФ.rtf (the rights, obligations, and procedure under the Criminal Procedure Code of the Russian Federation), and the executable file Постановление о производстве выемки (электронная цифровая подпись).exe (an order of seizure).

Fig. 9. Attachments to the phishing email

Conclusions

We continue to witness a growing threat from various cybercriminal groups around the world, and this is no less true for the Russian region. Meanwhile, on the black market, malware is becoming more affordable to less qualified adversaries, which only contributes to the proliferation of threat actors and an increase in the number of targeted attacks. Scaly Wolf is one such group that our threat intelligence has been tracking for more than half a year.

Through their continuous dissemination of the White Snake stealer, the group is beginning to pose a serious threat to Russian business. Moreover, the fact that the attackers repeatedly send emails under the guise of public authorities, especially the Investigative Committee, indicates that their scheme is working and their campaigns are successful. Judging by the attacks already carried out in January 2024, Scaly Wolf will continue its attempts to compromise Russian companies and may remain out on the hunt for quite some time.

Indicators of compromise

  • 135.181.98.45
  • 164.132.115.9
  • 18.218.18.183
  • f3224cff0d7d5a9487dd405aa53217992c4a11616cc9990ce1745bc1b008c3fe
  • d18aa5d58656fffd7a2a0a3d7f6f4e011bf0f39b8f89701b0e5263951e1ce90c
  • 7721e208d790b836c4ae2ac3e7dde1ff799953e62932d9e418acfeecfcff43ca
  • ebbefe31a1486ed1a2f70538380dc899c2b0d704028cde9ba4dbf64b91293e3a
  • 8294f2ac1971d55b08b3cbed419929c24998d986b8d4ab5a126f6a901646ef99
  • f076bc181ea521bb494b799203945af4f2db1635b20cef395ad67819dd397f7b
  • 123aaddb10f1715bff99617342df9cec7bb68d61abbc502f18938a7dcf0a4216
  • 5f227b976bd5303358e28a62103b7cc15210efdfa640b8e754f757690a716edb
  • 43eb634a7c80730889d64e6b13987a5bb4068dd463bc728db08d1eba3499d8d1
  • 56393c8cbea881f8382d195682787254bb576cc4b370410eb94fd93a00a82ee8

More information, including indicators, threat actor description, TTPs, and tools, is available on BI.ZONE Threat Intelligence.

MITRE ATT&CK

How to protect your company from such threats

Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.

To better understand the current cyber threat landscape and realize exactly how infrastructures similar to yours are being attacked, we recommend leveraging the data from BI.ZONE Threat Intelligence. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.
