Organizations in Kazakhstan are being targeted by a threat cluster tracked as Bloody Wolf, which delivers a commodity malware called STRRAT (aka Strigoi Master).
“The program, which sells for as little as $80 on underground resources, allows adversaries to take control of corporate computers and capture prohibited data,” cybersecurity vendor BI.ZONE said in a new analysis.
The attackers use phishing emails as the initial access vector, impersonating the Ministry of Finance of the Republic of Kazakhstan and other agencies to lure recipients into opening PDF attachments.
The file purports to be a notice of non-compliance and contains a link to a malicious Java archive (JAR) file, as well as instructions for installing the Java interpreter that the malware requires in order to run.
To lend the attack legitimacy, the second link points to a web page associated with the country’s government website that urges visitors to install Java so that the portal works correctly.
STRRAT, hosted on a site impersonating the Kazakhstan government portal (“egov-kz(.)online”), establishes persistence on the Windows host by modifying the registry and runs the JAR file every 30 minutes.
A copy of the JAR file is also placed in the Windows Startup folder so that it launches automatically after a reboot.
It then connects to a Pastebin server to exfiltrate sensitive information from the compromised machine, including the operating system version and installed antivirus software, as well as account data from Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook and Thunderbird.
It is also designed to receive commands from the server to download and execute additional payloads, log keystrokes, run commands via cmd.exe or PowerShell, restart or shut down the system, install a proxy, and remove itself.
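The persistence and exfiltration behaviour described above (a registry autorun entry pointing at a JAR, a JAR copied into the Startup folder, the JAR re-launched every 30 minutes, and a Java process talking to Pastebin) maps directly onto host telemetry. The following hunting script is an added example and is not BI.ZONE’s or STRRAT’s own code; the event records are constructed, Sysmon-style records, and the field names (`type`, `key`, `value`, `path`, `image`, `cmdline`, `dest_host`, `ts`), paths and JAR names are assumptions. The periodicity check generalises the article’s 30-minute cadence so that any period can be supplied.

```python
"""Hunt for STRRAT-style persistence and Pastebin beaconing in host telemetry.

Added example, not BI.ZONE's or STRRAT's code. The events are constructed
Sysmon-like records; the schema, paths and names are assumptions.
"""
import ntpath
import re
from datetime import datetime
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]
Finding = Tuple[str, str]

JAVAW = r"C:\Program Files\Java\jre-1.8\bin\javaw.exe"   # assumed JRE path
EVIL_JAR = r"C:\Users\ivan\AppData\Roaming\notice.jar"   # invented JAR name


def _launch(ts: str, jar: str) -> Event:
    """Constructed process-creation record for javaw.exe -jar <jar>."""
    return {"ts": ts, "type": "process_create", "image": JAVAW,
            "cmdline": f'"{JAVAW}" -jar {jar}'}


# Constructed sample telemetry modelled on the behaviour the article describes.
SAMPLE_EVENTS: List[Event] = [
    {"ts": "2024-08-05T09:00:00", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Skype",
     "value": EVIL_JAR},
    {"ts": "2024-08-05T09:00:01", "type": "file_create",
     "path": r"C:\Users\ivan\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\notice.jar"},
    {"ts": "2024-08-05T09:00:02", "type": "network_connect", "image": JAVAW,
     "dest_host": "pastebin.com", "dest_port": 443},
    # Same JAR re-launched roughly every 30 minutes.
    _launch("2024-08-05T09:00:00", EVIL_JAR),
    _launch("2024-08-05T09:30:07", EVIL_JAR),
    _launch("2024-08-05T10:00:03", EVIL_JAR),
    _launch("2024-08-05T10:30:11", EVIL_JAR),
    # Benign noise that must not fire: a non-JAR autorun, a browser visiting
    # Pastebin, and a JAR launched only once.
    {"ts": "2024-08-05T09:05:00", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\ivan\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"ts": "2024-08-05T09:06:00", "type": "network_connect",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "pastebin.com", "dest_port": 443},
    _launch("2024-08-05T09:07:00", r"C:\Tools\ide\launcher.jar"),
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
JAR_ARG_RE = re.compile(r'(?:^|\s)-jar\s+"?([^"\s]+\.jar)', re.IGNORECASE)
JAVA_IMAGES = {"java.exe", "javaw.exe"}


def is_java(image: str) -> bool:
    return ntpath.basename(image).lower() in JAVA_IMAGES


def run_key_jar(ev: Event) -> List[Finding]:
    """Autorun value under Run/RunOnce whose command is a JAR (registry persistence)."""
    if (ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"])
            and ".jar" in ev["value"].lower()):
        return [("run_key_jar", f'{ev["key"]} -> {ev["value"]}')]
    return []


def startup_folder_jar(ev: Event) -> List[Finding]:
    """JAR written into a Startup folder (survives reboot)."""
    if (ev["type"] == "file_create" and STARTUP_DIR_RE.search(ev["path"])
            and ev["path"].lower().endswith(".jar")):
        return [("startup_folder_jar", ev["path"])]
    return []


def java_to_pastebin(ev: Event) -> List[Finding]:
    """A Java runtime, rather than a browser, connecting to pastebin.com."""
    if ev["type"] == "network_connect" and is_java(ev["image"]):
        host = ev["dest_host"].lower()
        if host == "pastebin.com" or host.endswith(".pastebin.com"):
            return [("java_to_pastebin", f'{ev["image"]} -> {host}:{ev["dest_port"]}')]
    return []


def periodic_jar_launches(events: List[Event], period_s: int = 1800,
                          tolerance_s: int = 120, min_runs: int = 3) -> List[Finding]:
    """Same JAR launched by java/javaw at a near-constant interval.
    Defaults match the article's 30-minute cadence; any period can be given."""
    launches: Dict[str, List[datetime]] = {}
    for ev in events:
        if ev["type"] != "process_create" or not is_java(ev["image"]):
            continue
        m = JAR_ARG_RE.search(ev["cmdline"])
        if m:
            launches.setdefault(m.group(1).lower(), []).append(datetime.fromisoformat(ev["ts"]))
    findings: List[Finding] = []
    for jar, times in launches.items():
        times.sort()
        if len(times) < min_runs:
            continue
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(d - period_s) <= tolerance_s for d in deltas):
            findings.append(("periodic_jar_launches",
                             f"{jar} launched {len(times)}x every ~{period_s // 60} min"))
    return findings


def hunt(events: List[Event]) -> List[Finding]:
    """Run every rule over the telemetry and return (rule, detail) pairs."""
    findings: List[Finding] = []
    for ev in events:
        findings += run_key_jar(ev) + startup_folder_jar(ev) + java_to_pastebin(ev)
    findings += periodic_jar_launches(events)
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Against the constructed sample the four malicious records fire exactly one rule each and the benign noise fires none. The per-event rules are cheap to port to an EDR or SIEM query language; the periodicity rule needs a window of process-creation events per host and is the one that still fires if the operators rename the JAR or move the autorun entry, since it keys on the cadence rather than on a path.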
“Using less common file types, such as JARs, allows attackers to bypass protections,” said BI.ZONE. “Using legitimate web services like Pastebin to communicate with a compromised system avoids network security solutions.”