Arsenal honed against Russia's government organizations

Oct. 11, 2024, 8:10 a.m.

Description

Core Werewolf, a threat actor targeting Russia's defense industry and critical infrastructure since 2021, has evolved its tactics. The group now employs a new loader written in AutoIt and has expanded its delivery methods to include Telegram alongside email. Their campaign involves RAR archives containing SFX executables, which deploy obfuscated AutoIt scripts, legitimate AutoIt interpreters, and decoy PDF documents. The loader gathers system information, exfiltrates data to a C2 server, and potentially downloads additional malicious payloads. The attackers use deceptive file names matching the content of decoy documents to increase credibility. This campaign demonstrates the ongoing sophistication and adaptability of threat actors targeting Russian government organizations.

Date

Published: Oct. 11, 2024, 6:02 a.m.

Created: Oct. 11, 2024, 6:02 a.m.

Modified: Oct. 11, 2024, 8:10 a.m.

Indicators


Attack Patterns

Core Werewolf

T1566.003

T1102.001

T1102.002

T1074.001

T1573.001

T1059.005

T1012

T1204.002

T1016

T1106

T1082

T1057

T1105

T1566.001

T1083

T1140

T1033

T1027

T1112

T1059

Additional Information

Defense

Government

Russian Federation