Venture Wolf attempts to disrupt Russian businesses with MetaStealer
BI.ZONE Threat Intelligence has discovered a previously unknown cluster whose activity can be traced back to November 2023. Dubbed Venture Wolf, the cluster employs multiple loaders to deliver MetaStealer to the target systems. The threat actor focuses on a range of industries including manufacturing, construction, IT, and telecommunications.
Key findings
- Stealers maintain their position among the most popular types of malware employed by threat actors.
- As there are no “developer” restrictions on the use of certain malware programs against Russian companies, such programs gain higher recognition among various clusters of malicious activity.
- The authentication material obtained in the course of MetaStealer-based campaigns can be used later to undertake more complex targeted attacks against the compromised organizations.
Campaign
Venture Wolf disseminates archives containing a loader with the .com (and occasionally .exe) extension, as well as one or more phishing documents. After the launch, the loader either creates a dummy .NET file where it injects the malicious payload or injects it into the RegAsm.exe process.
The adversaries use various image (JPG and PNG) and text (PDF, DOC/DOCX, and ODT) files as decoys.
The loaders are portable executable (PE) files. Their code is obfuscated, and the names of the WinAPI functions — employed for malicious code injections — are encrypted. Depending on the loader’s type, the malicious payload and the dummy .NET file are RC4-encrypted and stored in the loader’s body. In most cases, the malicious payload is injected into the suspended process of the running dummy .NET file. It is worth mentioning that some loaders do not have a dummy file and inject the malicious payload into the RegAsm.exe process.
Depending on the loader’s type, the payload is decrypted and a randomly named dummy .NET file is created in the %TEMP% folder. The name is generated arbitrarily from the alphabet sequence set in the loader. Thus, the dummy .NET file name may contain Chinese characters. Notably, the dummy file does not contain any code in the Main function.
The names of the WinAPI functions (namely, CreateProcessW, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext/SetThreadContext, ResumeThread) used for injecting the code into the running process are decrypted.
The MetaStealer malicious payload is also decrypted and injected into the process.
The injection of the malicious payload code goes as follows:
- CreateProcessW with dwCreationFlags = 0x00000004 (CREATE_SUSPENDED) creates the process of either the dummy .NET file or RegAsm.exe in the suspended mode
- VirtualAllocEx allocates memory in the suspended process
- WriteProcessMemory writes the malicious payload into the allocated memory section
- Wow64SetThreadContext/SetThreadContext changes the thread context to set the entry point for the execution of the injected malicious payload
- ResumeThread resumes the suspended process (transfers control over to the malicious payload)
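The chain above is what a detection rule has to correlate: a suspended child started by an unsigned loader, followed by memory writes, a thread-context change and a resume from the parent. The following is an added example (not BI.ZONE's rules or code) that runs such logic over a constructed, hypothetical EDR event schema; the field names, paths and PIDs are assumptions.

```python
# Added example; the event schema below is constructed, not a real EDR format.
from collections import defaultdict

SUSPENDED = 0x00000004  # CREATE_SUSPENDED
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext"}
CHAIN = ["VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]  # order from the report

def looks_like_loader(image: str) -> bool:
    """Loader dropped from an archive: .com (or .exe) outside system directories."""
    low = image.lower()
    return low.endswith((".com", ".exe")) and not low.startswith(("c:\\windows", "c:\\program files"))

def looks_like_host(image: str) -> bool:
    """Injection host: RegAsm.exe or a randomly named file in the user's %TEMP%."""
    low = image.lower()
    return low.endswith("\\regasm.exe") or "\\appdata\\local\\temp\\" in low

def detect(events):
    """Return (alert name, pid) tuples for unsigned .com launches and suspended-process injection."""
    alerts, images, candidates = [], {}, {}
    seen = defaultdict(list)  # (loader pid, target pid) -> API names in order of occurrence
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "process_create":
            images[ev["pid"]] = ev["image"]
            if not ev["signed"] and ev["image"].lower().endswith(".com"):
                alerts.append(("unsigned_com_executed", ev["pid"]))
            parent = images.get(ev["ppid"], "")
            if ev["flags"] & SUSPENDED and looks_like_loader(parent) and looks_like_host(ev["image"]):
                candidates[(ev["ppid"], ev["pid"])] = ev["image"]
        elif ev["type"] == "api":
            key = (ev["pid"], ev["target_pid"])
            api = "SetThreadContext" if ev["api"] in CONTEXT_APIS else ev["api"]
            seen[key].append(api)
            if key in candidates and [a for a in seen[key] if a in CHAIN] == CHAIN:
                alerts.append(("suspended_process_injection", ev["target_pid"]))
    return alerts

# Constructed sample: a .com loader starts a dummy .NET file from %TEMP% suspended and injects
# into it; a signed process starting notepad suspended (e.g. a debugger) is benign noise.
EVENTS = [
    {"t": 1, "type": "process_create", "pid": 100, "ppid": 50, "signed": False, "flags": 0,
     "image": r"C:\Users\user\Downloads\invoice.com"},
    {"t": 2, "type": "process_create", "pid": 200, "ppid": 100, "signed": False, "flags": SUSPENDED,
     "image": r"C:\Users\user\AppData\Local\Temp\小木ab.exe"},
    {"t": 3, "type": "api", "pid": 100, "target_pid": 200, "api": "VirtualAllocEx"},
    {"t": 4, "type": "api", "pid": 100, "target_pid": 200, "api": "WriteProcessMemory"},
    {"t": 5, "type": "api", "pid": 100, "target_pid": 200, "api": "Wow64SetThreadContext"},
    {"t": 6, "type": "api", "pid": 100, "target_pid": 200, "api": "ResumeThread"},
    {"t": 7, "type": "process_create", "pid": 300, "ppid": 60, "signed": True, "flags": SUSPENDED, "image": r"C:\Windows\System32\notepad.exe"},
]
```

Running detect(EVENTS) yields one alert for the unsigned .com launch and one for the injection into pid 200; the suspended notepad start produces nothing because its parent is not a loader-like image.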
We have also discovered multiple loaders with section names typical for various protectors: Enigma (.enigma1, .enigma2), VMProtect (.vmp0, .vmp1), Themida (.themida).
However, such loaders are not actually protected by any of the mentioned protectors. This technique may be used to deceive signature analysis tools or antivirus engines into issuing favorable verdicts.
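A quick way to triage such decoy section names is to walk the PE section table and check whether a protector-named section actually looks packed. The following is an added example, not code from BI.ZONE; the 7.0 entropy threshold and the minimal PE builder used for the constructed samples are assumptions.

```python
import math
import random
import struct

# Section names the report lists for Enigma, VMProtect and Themida.
PROTECTOR_SECTIONS = {".enigma1", ".enigma2", ".vmp0", ".vmp1", ".themida"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def sections(pe: bytes):
    """Yield (name, raw bytes) for each entry of the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    count = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(count):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].split(b"\0", 1)[0].decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def fake_protector_sections(pe: bytes, min_entropy: float = 7.0):
    """Protector-named sections whose bytes do not look packed. The 7.0
    threshold is an assumed heuristic: genuine VMProtect/Enigma/Themida
    sections hold encrypted or virtualized code and sit close to 8.0."""
    return [n for n, d in sections(pe) if n in PROTECTOR_SECTIONS and entropy(d) < min_entropy]

def build_sample_pe(secs):
    """Constructed minimal PE (not a real sample) carrying the given (name, bytes) sections."""
    e_lfanew, opt = 0x40, b"\0" * 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    ptr = e_lfanew + 4 + len(coff) + len(opt) + 40 * len(secs)
    table, body = b"", b""
    for name, data in secs:
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), ptr, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body, ptr = body + data, ptr + len(data)
    return dos + b"PE\0\0" + coff + opt + table + body

# Constructed samples: a .vmp0 section of plain ASCII (decoy name only) versus one
# filled with seeded pseudo-random bytes, which is what a real packed section looks like.
RNG = random.Random(7)
DECOY_PE = build_sample_pe([(".text", b"\x90" * 64), (".vmp0", b"A" * 4096)])
PACKED_PE = build_sample_pe([(".text", b"\x90" * 64), (".vmp0", bytes(RNG.getrandbits(8) for _ in range(4096)))])
```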
The adversaries use MetaStealer as the payload. Written in C#, this malware is a fork of RedLine, yet another stealer. The key difference between the two is that MetaStealer’s developers do not prohibit its use in attacks against Russian and other CIS organizations.
When running, MetaStealer does the following:
- collects information about the compromised system, including the OS version and hardware specifications (hard disk, processor, and video controller specifications)
- retrieves data from a wide range of browsers, such as Edge, Chromium, Google Chrome, Opera, CentBrowser, Chedot, Vivaldi, Kometa, Yandex Browser, Sputnik Browser, Mozilla Firefox, etc.
- steals crypto wallet data from Electrum Bitcoin Wallet, Exodus Crypto Wallet, BTC, Electron, etc.
- retrieves data from such email clients as Mozilla Thunderbird
- obtains data from multiple applications, such as Steam and FileZilla
Notably, Venture Wolf uses the .NET Reactor protector to obfuscate the MetaStealer code.
Indicators of compromise
147.45.47[.]185:41702
147.45.47[.]153:3605
147.45.47[.]83:7622
77.91.68[.]6:2314
MITRE ATT&CK
Detection
The BI.ZONE EDR rules below can help organizations detect the described malicious activity:
win_unsigned_file_with_com_extension_was_executed
win_discovery_system_information
win_possible_browser_stealer_activity
win_suspicious_access_to_software_sensitive_files
gen_ti_wolfs_network_ioc_was_detected
gen_ti_wolfs_hash_was_detected
How to protect your company from such threats
Phishing emails are a popular way of breaching the security perimeter of organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of legitimate messages.
To stay ahead of threat actors, you need to understand their methods and tools and take this information into account when assessing the threat landscape of your organization. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. It provides information about the current attacks, threat actors, their tactics, techniques, and tools. This data helps to ensure the precision of your security solutions, which in turn accelerates incident response and protects your company from the most critical threats.