Researchers report that the hack group Mysterious Werewolf, active since 2023, is now using its own tools to attack the Russian military-industrial complex. Previously, hackers used the Athena agent of the Mythic framework, a legitimate pentester tool, to attack.
Company BI.ZONE reports that some time ago, foreign researchers talked about a new group that affected several Russian semiconductor suppliers. The company's researchers are also monitoring this cluster of activity, dubbed Mysterious Werewolf. And now they have discovered another attack by the group: this time, manufacturing organizations in Russia were targeted.
Advertisement
The attackers impersonated the Ministry of Industry and Trade of the Russian Federation, and their phishing emails contained archives named Pismo_izveshcanie_2023_10_16.rar, which exploited the CVE-2023-38831 vulnerability in WinRAR, discovered last summer.
Thus, the archive contained a PDF document, as well as a folder with a malicious CMD file. After opening the archive and clicking on the document, the exploit launched the CMD file. Accordingly, WinRAR.exe launched cmd.exe to execute the malicious CMD file.
In turn, the CMD file executed the following PowerShell script:
According to the researchers, the script is obfuscated and performs the following actions:
Advertisement
- downloads a PDF document (Pismo_Rassylka_Ministerstva_promyshlennosti.pdf, the contents of which are shown in the illustration below) from cloudfare(.)webredirect(.)org and opens it;
- downloads the Athena agent from cloudfare(.)webredirect(.)org and saves it as C:Users(redacted)AppDataLocalMicrosoftWindowsFontsMikrosoftEdge.exe;
- creates a task in the Windows Scheduler to run the agent every 10 minutes:
schtasks /crEaTE /Sc mINUTE /mo 10 /TN “Microsoft Edge” /Tr C:Users(redacted)AppDataLocalMicrosoftWindowsFontsMikrosoftEdge.exe /f.
Experts remind you that Mythic C2 is a cross-platform collaboration framework for pentesters. It allows the operator to perform various actions in a post-exploitation context: interact with the compromised system's file system, upload and download files, execute commands and scripts, scan the network, and so on.
But while hackers previously relied on using Mythic, Mysterious Werwolf now combines its use with its own malware. Thus, the original RingSpy backdoor was installed on victims’ devices, designed for remote access and allowing attackers to execute commands on a compromised system and steal files. A Telegram bot is used to manage the backdoor.