Cybersecurity experts have uncovered a series of attacks targeting organizations in Kazakhstan by a threat actor dubbed “Bloody Wolf.” The group utilizes STRRAT, an inexpensive but potent malware available on underground forums for as little as $80.
Since late 2023, researchers at BI.ZONE Threat Intelligence has been tracking Bloody Wolf’s activities. The attackers employ sophisticated phishing tactics, impersonating the Ministry of Finance of the Republic of Kazakhstan and other government agencies to distribute the STRRAT malware, also known as Strigoi Master.
“The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data,” BI.ZONE reported in their analysis.
The phishing emails contain PDF attachments masquerading as non-compliance notices. These PDFs include links to malicious Java archive (JAR) files and installation guides for Java interpreters – a crucial component for the malware’s operation.
To add legitimacy to the scheme, one link directs victims to a genuine government website encouraging Java installation for proper portal functionality. However, the malware itself is hosted on a fake government site (egov-kz[.]online) designed to mimic official Kazakhstan web properties.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access
Once installed, STRRAT establishes persistence through various methods, including scheduled tasks, registry modifications, and startup folder placement. The malware then connects to command and control servers hosted on Pastebin to exfiltrate sensitive data and await further instructions.
STRRAT’s Capabilities:
- Credential theft from popular browsers and email clients
- Keylogging
- Remote command execution
- File manipulation
- Screen and browser control
- Proxy installation
- Ransomware-like file encryption
“Using less common file types such as JAR enables the attackers to bypass defenses,” BI.ZONE noted. “Employing legitimate web services such as Pastebin to communicate with the compromised system makes it possible to evade network security solutions.”
This campaign highlights the growing trend of cybercriminals leveraging low-cost, commercially available malware to conduct sophisticated attacks against government and corporate targets.
Indicators of compromise
e35370cb7c8691b5fdd9f57f3f462807b40b067e305ce30eabc16e0642eca06b
00172976ee3057dd6555734af28759add7daea55047eb6f627e5491701c3ec83
cb55cf3e486f3cbe3756b9b3abf1673099384a64127c99d9065aa26433281167
a6fb286732466178768b494103e59a9e143d77d49445a876ebd3a40904e2f0b0
25c622e702b68fd561db1aec392ac01742e757724dd5276b348c11b6c5e23e59
14ec3d03602467f8ad2e26eef7ce950f67826d23fedb16f30d5cf9c99dfeb058
ee113a592431014f44547b144934a470a1f7ab4abec70ba1052a4feb3d15d5c6
https://pastebin[.]com/raw/dFKy3ZDm:13570
https://pastebin[.]com/raw/dLzt4tRB:13569
https://pastebin[.]com/raw/dLzt4tRB:10101
https://pastebin[.]com/raw/YZLySxsv:20202
https://pastebin[.]com/raw/8umPhg86:13772
https://pastebin[.]com/raw/67b8GSUQ:13671
https://pastebin[.]com/raw/8umPhg86:13771
https://pastebin[.]com/raw/67b8GSUQ:13672
https://pastebin[.]com/raw/dLzt4tRB:13880
https://pastebin[.]com/raw/YZLySxsv:13881
91.92.240[.]188
185.196.10[.]116
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide
The post Bloody Wolf Attacking Organizations With $80 Malware From Underground Market appeared first on Cyber Security News.