Venture Wolf attempts to disrupt Russian businesses with MetaStealer

BI.ZONE
5 min readNov 5, 2024

--

BI.ZONE Threat Intelligence has discovered a previously unknown cluster whose activity can be traced back to November 2023. Dubbed Venture Wolf, the cluster employs multiple loaders to deliver MetaStealer to the target systems. The threat actor focuses on a range of industries including manufacturing, construction, IT, and telecommunications.

Key findings

  • Stealers maintain their position among the most popular types of malware employed by threat actors.
  • As there are no “developer” restrictions on the use of certain malware programs against Russian companies, such programs gain higher recognition among various clusters of malicious activity.
  • The authentication material obtained in the course of MetaStealer-based campaigns can be used later to undertake more complex targeted attacks against the compromised organizations.

Campaign

Venture Wolf disseminates archives containing a loader with the .com (and occasionally.exe) extension, as well as one or more phishing documents. After the launch, the loader either creates a dummy .NET file where it injects the malicious payload or injects it into the RegAsm.exe process.

The adversaries use various image (JPG and PNG) and text (PDF, DOC/DOCX, and ODT) files as decoys.

Company record.pdf
Company bank details.jpg
Individual entrepreneur record.png

The loaders are portable executable (PE) files. Their code is obfuscated, and the names of the WinAPI functions — employed for malicious code injections — are encrypted. Depending on the loader’s type, the malicious payload and the dummy .NET file are RC4-encrypted and stored in the loader’s body. In most cases, the malicious payload is injected into the suspended process of the running dummy .NET file. It is worth mentioning that some loaders do not have a dummy file and inject the malicious payload into the RegAsm.exe process.

Depending on the loader’s type, the payload is decrypted and a randomly named dummy .NET file is created in the %TEMP% folder. The name is generated arbitrarily from the alphabet sequence set in the loader. Thus, the dummy .NET file name may contain Chinese characters. Notably, the dummy file does not contain any code in the Main function.

The names of the WinAPI functions (namely, CreateProcessW, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext/SetThreadContext, ResumeThread)used for injecting the code into the running process are decrypted.

The MetaStealer malicious payload is also decrypted and injected into the process.

The injection of the malicious payload code goes as follows:

  • CreateProcessW с dwCreationFlags = 0x00000004 (CREATE_SUSPENDED) creates the process in the suspended mode of either the dummy .NET file or RegAsm.exe
  • VirtualAllocEx allocates memory in the suspended process
  • WriteProcessMemory writes the malicious payload into the allocated memory section
  • Wow64SetThreadContext/SetThreadContext changes the thread context to set the entry point for the execution of the injected malicious payload
  • ResumeThread resumes the suspended process (transfers control over to the malicious payload)

We have also discovered multiple loaders with section names typical for various protectors: Enigma (.enigma1, .enigma2), VMProtect (.vmp0, .vmp1), Themida (.themida).

Section names in one of the loaders

However, such loaders are not defended by any of the mentioned protectors. This technique may be used to deceive the signature analysis tools or antivirus engines into issuing favorable verdicts.

The adversaries use MetaStealer as the payload. Written in C#, this malware is a fork of RedLine, yet another stealer. The key difference between the two is that MetaStealer’s developers do not prohibit its use in attacks against Russian and other CIS organizations.

When running, MetaStealer does the following:

  • collects information about the compromised system, including the OS version and hardware specifications (hard disk, processor, and video controller specifications)
  • retrieves data from a wide range of browsers, such as Edge, Chromium, Google Chrome, Opera, CentBrowser, Chedot, Vivaldi, Kometa, Yandex Browser, Sputnik Browser, Mozilla Firefox, etc.
  • steals crypto wallet data from Electrum Bitcoin Wallet, Exodus Crypto Wallet, BTC, Electron, etc.
  • retrieves data from such email clients as Mozilla Thunderbird
  • obtains data from multiple applications, such as Steam and FileZilla

Notably, Venture Wolf uses the .NET Reactor protector to obfuscate the MetaStealer code.

Indicators of compromise

  • 155e444417cc138633bdbf2e95834165ef7295290f6da58a1cce3171b61ce2b4
  • 26e0c7319a7f9c3ef6f65f8e585adcc3653c75ea231d87f63182b44cea5b13a1
  • ab3ed0ffb87999202eb96a163cd50d4f5bd495f5bb09c09efec99b4d8b7abb94
  • e970ace468aafefe060c00f948098f19e4f7d63ec893a14012a1721b8b208ddb
  • d5c65e8217250cc4c1d8e762fa7102f14c243f28190d56f3e7f343c5fed7c8b2
  • e58ff527e1f5775cd2c64ba1c46b8e70102f354cf1f3454c40efaa1b4cbb40d2
  • e6372b17f1ad0887cb0f77beea5bcb6a16822449304b894641031dc407158cca
  • bd7cdafc28e0d62cc85ab7e04e7b38e62414ef59d717b2c6f96d4c4490687f8e
  • 5045a339e6162d0f1d028c9b3ffd52f0f4b51e40a6d3070f38f343102efad587
  • 9fb6e7c76771c3d193e94af0c868f2e6ca7e6d864b03e2c20fb115d7554bbde7
  • 7bacab7505d3cf673ba1c5c70bea697e5ad1af2142e9e7c1c5a1e2ecab24e479
  • 702dba8240bca174ef525002da51ce1b478aa5dd165a8e4033cfd17c8f7a761f
  • 6c43a06756179650fcbd257cf8221c9d99f9aa1da4b7014edb20ef5c8d160909
  • 477ff2f8bdbfbea420e16a37704b896c4dfe6d7ec5bc9a070f42a4d94e0bb97a
  • c222ace386b09a505a9afc71d47f035ca957b288a9d61b375d6ef439098dbd46
  • 193.233.255[.]122:2314
  • 147.45.47[.]185:41702
  • 147.45.47[.]153:3605
  • 147.45.47[.]83:7622
  • 77.91.68[.]6:2314

MITRE ATT&CK

Detection

The BI.ZONE EDR rules below can help organizations detect the described malicious activity:

  • win_unsigned_file_with_com_extension_was_executed
  • win_discovery_system_information
  • win_possible_browser_stealer_activity
  • win_suspicious_access_to_software_sensitive_files
  • gen_ti_wolfs_network_ioc_was_detected
  • gen_ti_wolfs_hash_was_detected

How to protect your company from such threats

Phishing emails are a popular way of breaching the security perimeter of organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of legitimate messages.

To stay ahead of threat actors, you need to understand their methods and tools and take this information into account when assessing the threat landscape of your organization. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. It provides information about the current attacks, threat actors, their tactics, techniques, and tools. This data helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.

--

--

BI.ZONE
BI.ZONE

Written by BI.ZONE

BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age