The threat actor known as Paper Werewolf has been observed exclusively targeting Russian entities with a new implant called PowerModul.
The activity, which took place between July and December 2024, targeted organizations in the media, telecommunications, construction, government and energy sectors, Kaspersky said in a new report published on Thursday.
Paper Werewolf, also known as GOFFEE, is assessed by BI.ZONE to have conducted at least seven campaigns since 2022, with the attacks mainly aimed at government, energy, financial, media and other organizations.
Attack chains mounted by the threat actor have also been observed to include a destructive component, in which the intrusion goes beyond distributing malware for espionage purposes to also changing the passwords of employee accounts.
The attacks themselves are initiated through phishing emails.
The malware is designed to deliver next-stage payloads, often a custom version of a Mythic framework agent known as PowerTaskel and QwakMyAgent. Another tool in the threat actor's arsenal is a malicious IIS module called Owowa, used to obtain the Microsoft Outlook credentials that users enter on the web client.
The latest set of attacks recorded by Kaspersky begins with a malicious RAR archive attachment containing an executable file that masquerades as a PDF or Word document by means of a double extension (i.e., *.pdf.exe or *.doc.exe). When the executable is run, a decoy file is downloaded from a remote server and shown to the user, while the infection proceeds to the next stage in the background.
“The file itself is a Windows system file (explorer.exe or xpsrchvw.exe), with part of its code patched with malicious shellcode,” the report reads. “The shellcode is similar to what we saw in previous attacks, but in addition contains an obfuscated Mythic agent that immediately begins communicating with the command-and-control (C2) server.”
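As an added illustration (not code from the Kaspersky report or from this article), the following Python script applies the one check the lure described above invites: it flags archive entries whose names carry a document-like extension followed by an executable one, the *.pdf.exe / *.doc.exe double-extension masquerade. The extension sets and the sample archive listing are constructed for the example and are not indicators from the report.

```python
import re

# Extensions a lure file is likely to imitate (constructed list, not from the report).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}

# Extensions Windows treats as executable when the file is opened (constructed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta",
                   ".js", ".jse", ".vbs", ".vbe", ".ps1", ".lnk"}


def split_extensions(name):
    """Return every extension of a file name, lowercased, e.g. 'a.pdf.exe' -> ['.pdf', '.exe'].

    Both '/' and '\\' separators are handled so entries copied from an archive
    listing work unchanged.
    """
    base = re.split(r"[\\/]", name)[-1]
    # Trailing whitespace can push the real extension out of view in some viewers;
    # strip it before splitting so the last extension is the one Windows will use.
    parts = base.rstrip().split(".")
    return ["." + p.lower() for p in parts[1:]]


def is_double_extension_masquerade(name):
    """True when the final extension is executable and an earlier one looks like a document."""
    exts = split_extensions(name)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1])


def flag_archive_entries(entries):
    """Return the subset of archive entries whose names match the masquerade pattern."""
    return [e for e in entries if is_double_extension_masquerade(e)]


# Constructed sample listing of an e-mail attachment archive (not real indicators).
SAMPLE_ENTRIES = [
    "Contract_2024.pdf.exe",     # executable dressed up as a PDF
    "scan\\invoice.doc.exe",     # same trick inside a subfolder
    "notes.docx",                # genuine document
    "setup.exe",                 # plain executable, single extension
    "archive.tar.gz",            # double extension, but neither part is executable
]

if __name__ == "__main__":
    for entry in flag_archive_entries(SAMPLE_ENTRIES):
        print(f"suspicious: {entry}")
```

The check is purely name-based, which is what makes it cheap to run at the mail gateway over archive listings; it should sit beside content inspection (for instance, checking whether a file that claims to be a document actually begins with a PE header), since a renamed executable with a single misleading extension slips past the name test by design.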
An alternative attack sequence is considerably more elaborate, using a RAR archive that embeds a Microsoft Office document with a macro that acts as a dropper to deploy and launch PowerModul, a PowerShell script capable of receiving and executing additional PowerShell scripts from the C2 server.
The backdoor is said to have been in use since the beginning of 2024, with the threat actors initially using it to download and execute PowerTaskel on compromised hosts. Some of the other payloads dropped by PowerModul are listed below:
- FlashFileGrabber, used to steal files from removable media
- FlashFileGrabberOffline
- USB Worm, which is capable of infecting removable media with a copy of PowerModul
PowerTaskel is functionally similar to PowerModul in that it is also designed to run PowerShell scripts sent by the C2 server. In addition, however, it can send information about the target environment in the form of a “checkin” message, as well as execute other commands received from the C2 server as tasks. It is also equipped to escalate privileges using the PsExec utility.
In at least one case, PowerTaskel was found to receive a script with a FolderFileGrabber component, which, in addition to replicating FlashFileGrabber's features, includes the ability to collect files from remote systems via a hard-coded network path using the SMB protocol.
“For the first time, they used Word documents with malicious VBA scripts for the initial infection,” Kaspersky said. “Recently, we have observed that GOFFEE has increasingly been abandoning the use of PowerTaskel in favor of a binary Mythic agent during lateral movement.”
The development comes as BI.ZONE attributed another threat group, called Sapphire Werewolf, to a phishing campaign distributing an updated version of the open-source Amethyst stealer.
The stealer grabs “credentials from Telegram and various browsers, including Chrome, Opera, Yandex, Brave, Orbitum, Atom, Kometa and Edge Chromium, as well as FileZilla configuration files,” the Russian company said.