Delivering attacks through emails is so last century, or at least so seem to think the Watch Wolf group hackers who switched to spreading their malware through SEO poisoning. We discovered that they deliver the Buhtrap trojan through fake websites posing as legitimate resources for accountants. Context ads help to get the websites to the top of search results.
Our Cyber Threat Intelligence team unearths a series of attacks by the Watch Wolf hacker group. The malicious campaign aims to steal money from Russian companies by compromising their accountant workstations and withdrawing funds through online banking.
Watch Wolf first came up on the radar in 2021 and has been known since for spreading malware through phishing emails.
In their latest active campaign, which was launched last November at the earliest, the attackers shifted to a new tactic by employing the so-called search engine optimization (SEO) poisoning. This tactic implies that threat actors add keywords to malicious websites to increase their rankings and display as one of the first search results. Moreover, the poisoning can be further augmented with paid context ads.
Watch Wolf created websites mimicking legitimate accounting resources and containing downloadable documents. The hackers leveraged SEO poisoning techniques and context ads to propel the websites to the top of search results (figure 1).
Advance report form, download for free (translated from Russian)
Unsuspecting users believe that the search results are most relevant to their needs and navigate to one of these websites. Once there, they are offered an option to download the needed document in a common file format, such as .xls for Microsoft Excel:
Proforma invoice
Proforma invoice is a preliminary bill that includes a description of the goods or services to be supplied and the bank details of the seller. The bill is issued as a standalone document or an appendix to an agreement signed by the parties.
Download Proforma invoice form (translated from Russian)
Clicking the link triggers the download process. However, instead of the file promised on the page, the victim receives an SFX archive with malware. The archive resides on a server of the Discord instant messaging platform.
Running the downloaded file results in the installation of the DarkWatchman backdoor. It is a JS-based remote access tool (RAT) stored in the folder C:\Users\%имя_пользователя%\AppData\Local\ and launched with the help of wscript.exe, for instance:
wscript.exe "C:\Users\user\AppData\Local\c784477d0.js" add_key
add_key is the key for decrypting the body of the JS script.
To achieve a persistent presence in the compromised system, the malware creates a scheduled task in the Windows Registry to launch DarkWatchman every time the user logs in. If the user has admin permissions, the malware deletes shadow copies on installation by running the following command:
vssadmin.exe Delete Shadows /All /Quiet
The backdoor uses the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM for storing the configuration data. This key also stores the body of the keylogger encoded to a base64 string. Once launched, the backdoor runs a PowerShell script that compiles and executes the keylogger:
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEkAT<redacted>
Using the Windows Registry and Windows Management Instrumentation tools, the backdoor collects information about the operating system version, computer and user names, time zone and language, and antivirus programs installed. This data is sent to the command and control (C2) server.
The backdoor enables threat actors to launch executables, load DLL files, run scripts through various interpreters, upload files, and update both the RAT and the keylogger.
DarkWatchman generates a C2 server address from the fragments present in the code. Twenty already generated domains are aided by 100 more domains, which are generated based on the current date and time in the UTC format, for example: Tue, 04 Apr 2023 13:21:56 GMT. The timestamp is used to get a salt, which concatenates with the salt present in the code and the serial number of the domain name to be generated. For instance, Tue,04Apr20234d5e2eb0{i}, where i is the serial number between 0 and 100. For each of them, a CRC32 checksum is calculated and converted into a HEX string. This produces 120 domain names. The resulting string is then added to an upper-level domain.
Usually, there are three or four such domains. That means that within 24 hours the malware can generate between 360 and 480 domain names, which can potentially be the addresses of the DarkWatchman C2 servers. Once an array of potential C2 servers has been generated, the backdoor starts searching for an active one by sending the victim’s UID in the HTTP request header and expecting to receive the same UID in response.
While investigating a range of incidents related to Watch Wolf attacks, we discovered that DarkWatchman was used by the hacker group as a dropper (delivery program) to infect the already compromised computers with the Buhtrap trojan and install additional modules, such as Virtual Network Computing (VNC). The latter enabled the attackers to remotely control the infected computers.
It is noteworthy that Buhtrap, which appeared in 2014, has also been used for administering attacks against accountants in different industries.
The amount of damage from such attacks depends on the size of victim organizations as well as on transactional restrictions associated with specific banking accounts. In some instances, the attackers were able to siphon off tens of millions of rubles per targeted organization. The overall financial damage stemming from Buhtrap activities is estimated at 7 billion rubles.
When Buhtrap was delivered through phishing emails, raising employee awareness seemed like the right approach to mitigate the threat. Its effectiveness against SEO poisoning though appears to be limited, calling for a technological safeguard, such as BI.ZONE Secure DNS. Each time you access an external network, your request will go to the BI.ZONE server, where it will be analyzed using black and white lists to prevent you from interacting with malicious content. BI.ZONE TDR offers another way to handle hazardous communications by oursourcing this task to a security operations center (SOC).
