Arsenal honed against Russia's government organizations

Oct. 11, 2024, 8:10 a.m.

Description

Core Werewolf, a threat actor that has targeted Russia's defense industry and critical infrastructure since 2021, has updated its tooling and delivery. The group now uses a new loader written in AutoIt and distributes lures over Telegram in addition to email. The current campaign delivers RAR archives containing SFX executables that drop an obfuscated AutoIt script, a legitimate AutoIt interpreter, and a decoy PDF document. The loader collects system information, sends it to a C2 server, and can download further malicious payloads. File names are chosen to match the subject of the decoy document so the lure reads as legitimate. The campaign shows the continued sophistication and adaptability of actors targeting Russian government organizations.

Date

  • Created: Oct. 11, 2024, 6:02 a.m.
  • Published: Oct. 11, 2024, 6:02 a.m.
  • Modified: Oct. 11, 2024, 8:10 a.m.

Indicators

  • eecfa15d69a6322fac39e945d68664a037e48a60644a76acd8b49490e6c93c06
  • b09807247282baaddb32ffe114b046325dd648a4c298f3b5c9addaa635b0520c
  • d42942acee6154609c1c5f61bb0fb863c4598dd82e6d28af58c9dfbee71c4521
  • a8ea0f64e7e08d59b45068c1ff4eda4d7fd9d92148cd3d4c664da9c18aaf1f32
  • a049cc364151ddfb3b87c11050a9b027ec4a1687ae4415b8d07afa4bc7aeaced
  • 75cd7ef3e87d59f32939832e3b5eeb586d0fc1467721a30b64132bc5f833697f
  • 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
  • 731b4673f28da5d8b48f016a478be4e1ffea247d5b44a6612c506110b8fdd97c
  • 703835c57b8985141ef3ef652e2593935a47bd9779d08963c5eb973b8b82d08a
  • 6a3584f8e6b5f8e2fb5826aa0f042bf30b06e7467f022499a71273e15daaa216
  • 3cfc1ecd00d52349c0b1ac0692774b31a97342330ef664b546fa3b8aa1d3a6c2
  • 2b62b9481c0bcdf46a24a792f44e152ea5b7c5143cb06af9d82ff8c2c8433551
  • 19ff0ce570aabefcab0eed08afdaffd16c5516d91962e099498ecaf97f394766
  • 00ec82306c9df4aee9dda42933ed55afa9e53ed74c2018bc0ce43d87edad2f98
  • 114de7d5e7dd6088f68705d519fc35530433506965ec5288e9dfb005bfec73c8
  • 80.85.155.134
  • 31.192.107.165
  • 188.127.240.131
  • 178.20.46.163
  • http://1tutor.ru/DESKTOP-ET51AJO_Bruno/9733698215789059.txt
  • http://1tutor.ru/DESKTOP-ET51AJO_Bruno/9733698215789059.au3
  • conversesuisse.net
  • dsksb.ru
  • cntula.ru
  • 1tutor.ru
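The description above gives a small detection surface: the listed hashes, C2 hosts, and two C2 URLs whose paths encode a victim hostname and username followed by a numeric ID, with a .txt (system-info upload) and a .au3 (follow-on AutoIt script) file. The sweep below is an added example, not code from the original report or from the vendor that published it. The hashes, IPs, domains and the two URLs are copied from the Indicators list; the proxy-log format, the sample log lines, the sample hash inventory, and the generalised beacon-path pattern (any hostname_username directory, an ID of ten or more digits) are constructed assumptions for illustration. Hash hits should be triaged rather than acted on blindly, since the bundle includes a legitimate AutoIt interpreter and a decoy PDF alongside the loader.

```python
"""Sweep proxy logs and a file-hash inventory for the indicators listed above.

Added example, not code from the original report. Hashes, IPs, domains and the
two URLs come from the Indicators list; the log format, sample log lines,
sample inventory and the beacon-path heuristic are constructed here.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

SHA256_IOCS = frozenset({
    "eecfa15d69a6322fac39e945d68664a037e48a60644a76acd8b49490e6c93c06",
    "b09807247282baaddb32ffe114b046325dd648a4c298f3b5c9addaa635b0520c",
    "d42942acee6154609c1c5f61bb0fb863c4598dd82e6d28af58c9dfbee71c4521",
    "a8ea0f64e7e08d59b45068c1ff4eda4d7fd9d92148cd3d4c664da9c18aaf1f32",
    "a049cc364151ddfb3b87c11050a9b027ec4a1687ae4415b8d07afa4bc7aeaced",
    "75cd7ef3e87d59f32939832e3b5eeb586d0fc1467721a30b64132bc5f833697f",
    "98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b",
    "731b4673f28da5d8b48f016a478be4e1ffea247d5b44a6612c506110b8fdd97c",
    "703835c57b8985141ef3ef652e2593935a47bd9779d08963c5eb973b8b82d08a",
    "6a3584f8e6b5f8e2fb5826aa0f042bf30b06e7467f022499a71273e15daaa216",
    "3cfc1ecd00d52349c0b1ac0692774b31a97342330ef664b546fa3b8aa1d3a6c2",
    "2b62b9481c0bcdf46a24a792f44e152ea5b7c5143cb06af9d82ff8c2c8433551",
    "19ff0ce570aabefcab0eed08afdaffd16c5516d91962e099498ecaf97f394766",
    "00ec82306c9df4aee9dda42933ed55afa9e53ed74c2018bc0ce43d87edad2f98",
    "114de7d5e7dd6088f68705d519fc35530433506965ec5288e9dfb005bfec73c8",
})
IP_IOCS = frozenset({"80.85.155.134", "31.192.107.165", "188.127.240.131", "178.20.46.163"})
DOMAIN_IOCS = frozenset({"conversesuisse.net", "dsksb.ru", "cntula.ru", "1tutor.ru"})

# Heuristic (assumption, not stated in the report): both listed URLs have the
# shape /<HOSTNAME>_<USERNAME>/<digits>.txt|.au3, i.e. a per-victim directory
# holding the system-info upload (.txt) and a follow-on AutoIt script (.au3).
# Generalised so other hostnames, usernames and IDs (10+ digits) still match.
BEACON_PATH = re.compile(r"^/[A-Za-z0-9.-]+_[^/]+/\d{10,}\.(txt|au3)$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    url: str
    reasons: tuple


def classify_url(url: str) -> list:
    """Reasons a URL matches the campaign's network indicators (empty if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lower-cased by urlsplit
    reasons = []
    if host in DOMAIN_IOCS:
        reasons.append("c2-domain")
    if host in IP_IOCS:
        reasons.append("c2-ip")
    m = BEACON_PATH.match(parts.path)
    if m:
        reasons.append("beacon-path-" + m.group(1))
    return reasons


def scan_proxy_log(lines) -> list:
    """Constructed format: '<timestamp> <client> <method> <url> <status> <bytes>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        reasons = classify_url(fields[3])
        if reasons:
            hits.append(Hit(n, fields[3], tuple(reasons)))
    return hits


def match_hashes(inventory) -> dict:
    """inventory maps path -> sha256; returns the entries that are on the IoC list."""
    return {p: h for p, h in inventory.items() if h.lower() in SHA256_IOCS}


# Constructed sample data: one benign request, the two URLs from the report
# (as a POST upload and a GET for the follow-on script), a beacon from a second
# host to a listed IP, and a benign lookalike path with too few digits.
SAMPLE_PROXY_LOG = [
    "2024-10-11T08:01:13Z 10.20.4.17 GET http://www.example.org/index.html 200 5120",
    "2024-10-11T08:02:40Z 10.20.4.17 POST http://1tutor.ru/DESKTOP-ET51AJO_Bruno/9733698215789059.txt 200 312",
    "2024-10-11T08:02:55Z 10.20.4.17 GET http://1tutor.ru/DESKTOP-ET51AJO_Bruno/9733698215789059.au3 200 9048",
    "2024-10-11T08:05:02Z 10.20.4.33 GET http://178.20.46.163/WS-ACCT07_ivanova/4489201837561120.txt 200 298",
    "2024-10-11T08:06:11Z 10.20.4.40 GET http://cdn.example.net/build_x/20241011.txt 200 12000",
]
SAMPLE_INVENTORY = {  # constructed paths; only the first digest is on the list
    "C:/Users/bruno/Downloads/sample_a.exe": "EECFA15D69A6322FAC39E945D68664A037E48A60644A76ACD8B49490E6C93C06",
    "C:/Users/bruno/Downloads/sample_b.pdf": "d" * 64,
}

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {h.line_no}: {', '.join(h.reasons)}  {h.url}")
    for path, digest in match_hashes(SAMPLE_INVENTORY).items():
        print(f"hash hit: {path} {digest}")
```

Exact host matches are reported separately from the path heuristic so that a path-only hit (a new C2 host with the same per-victim layout) can be triaged as a weaker signal, while a ".au3" hit marks the point where a follow-on script was pulled rather than just system information being uploaded.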

Attack Patterns

  • Core Werewolf
  • T1566.003
  • T1102.001
  • T1102.002
  • T1074.001
  • T1573.001
  • T1059.005
  • T1012
  • T1204.002
  • T1016
  • T1106
  • T1082
  • T1057
  • T1105
  • T1566.001
  • T1083
  • T1140
  • T1033
  • T1027
  • T1112
  • T1059

Additional Information

  • Defense
  • Government
  • Russian Federation