Arsenal honed against Russia's government organizations
Oct. 11, 2024, 8:10 a.m.
Description
Core Werewolf, a threat actor that has targeted Russia's defense industry and critical infrastructure since 2021, has updated its toolset. The group now uses a new loader written in AutoIt and delivers it over Telegram as well as email. The lure is a RAR archive containing an SFX executable, which drops an obfuscated AutoIt script, a legitimate AutoIt interpreter, and a decoy PDF document. The loader collects system information, sends it to a C2 server, and can fetch further payloads; the listed URLs on 1tutor.ru include a .txt and a .au3 (AutoIt script) file under a per-victim path, i.e. a second-stage script retrieved from the same server. The attackers name the archive and executable to match the content of the decoy document so the lure looks credible. The campaign shows that threat actors targeting Russian government organizations keep refining their tradecraft.
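The behaviour described above can be turned into a simple triage check against the Indicators section: exact matches on the C2 domains, IPs and sample hashes, plus a looser heuristic for the per-victim URL path. The following is an added example written for this page, not tooling from BI.ZONE or the threat actor. The log format is constructed, and the path heuristic (a `<host>_<user>/<digits>.txt|au3` shape, read off the two listed URLs where `DESKTOP-ET51AJO_Bruno` looks like COMPUTERNAME_USERNAME) is an assumption, not something the report states; treat heuristic-only hits as leads to verify, not confirmed infections.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Network and file indicators copied from the Indicators section of this page.
C2_DOMAINS = {"conversesuisse.net", "dsksb.ru", "cntula.ru", "1tutor.ru"}
C2_IPS = {"80.85.155.134", "31.192.107.165", "188.127.240.131", "178.20.46.163"}
SAMPLE_SHA256 = {
    "eecfa15d69a6322fac39e945d68664a037e48a60644a76acd8b49490e6c93c06",
    "b09807247282baaddb32ffe114b046325dd648a4c298f3b5c9addaa635b0520c",
    "00ec82306c9df4aee9dda42933ed55afa9e53ed74c2018bc0ce43d87edad2f98",
}

# Heuristic (assumption, not stated in the report): the two listed URLs have the
# shape /<host>_<user>/<digits>.txt|au3, which looks like the loader building a
# per-victim path from COMPUTERNAME and USERNAME. Matched on any host.
VICTIM_PATH_RE = re.compile(r"^/[A-Za-z0-9-]+_[A-Za-z0-9.-]+/\d{10,}\.(txt|au3)$")

# Constructed proxy-log line format: "<timestamp> <client_ip> <method> <url> <status>"
PROXY_LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


@dataclass
class Hit:
    line: str
    reasons: list = field(default_factory=list)


def check_url(url: str) -> list[str]:
    """Return the reasons a URL matches the Core Werewolf indicators (empty if none)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Match the listed domains and any subdomain of them.
    if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
        reasons.append(f"known C2 domain {host}")
    if host in C2_IPS:
        reasons.append(f"known C2 IP {host}")
    if VICTIM_PATH_RE.match(parsed.path):
        reasons.append("victim-specific path <host>_<user>/<id>.txt|au3 (heuristic)")
    return reasons


def check_hash(sha256: str) -> bool:
    """True if the SHA-256 is one of the listed samples."""
    return sha256.strip().lower() in SAMPLE_SHA256


def scan_proxy_log(lines) -> list[Hit]:
    """Parse constructed proxy-log lines and return those matching any indicator."""
    hits = []
    for raw in lines:
        line = raw.strip()
        m = PROXY_LINE_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        reasons = check_url(m.group(4))
        if reasons:
            hits.append(Hit(line, reasons))
    return hits


# Constructed sample log: two beacons to the listed URLs, one benign request,
# one POST to a listed IP, and one heuristic-only hit on an unlisted host.
SAMPLE_LOG = """\
2024-10-10T09:12:01Z 10.0.0.15 GET http://1tutor.ru/DESKTOP-ET51AJO_Bruno/9733698215789059.txt 200
2024-10-10T09:12:04Z 10.0.0.15 GET http://1tutor.ru/DESKTOP-ET51AJO_Bruno/9733698215789059.au3 200
2024-10-10T09:12:09Z 10.0.0.22 GET http://example.org/index.html 200
2024-10-10T09:13:11Z 10.0.0.31 POST http://178.20.46.163/upload 200
2024-10-10T09:14:50Z 10.0.0.40 GET http://cdn.example.net/WS-01_alice/1234567890123.txt 404
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(hit.line)
        for reason in hit.reasons:
            print("   ->", reason)
```

The last sample line matches only the path heuristic; in practice that is the case to review by hand, since the shape is generic enough to collide with legitimate per-host download paths. The exact-match sets are safe to load straight into a proxy blocklist or SIEM lookup.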
Date
Published: Oct. 11, 2024, 6:02 a.m.
Created: Oct. 11, 2024, 6:02 a.m.
Modified: Oct. 11, 2024, 8:10 a.m.
Indicators
eecfa15d69a6322fac39e945d68664a037e48a60644a76acd8b49490e6c93c06
b09807247282baaddb32ffe114b046325dd648a4c298f3b5c9addaa635b0520c
d42942acee6154609c1c5f61bb0fb863c4598dd82e6d28af58c9dfbee71c4521
a8ea0f64e7e08d59b45068c1ff4eda4d7fd9d92148cd3d4c664da9c18aaf1f32
a049cc364151ddfb3b87c11050a9b027ec4a1687ae4415b8d07afa4bc7aeaced
75cd7ef3e87d59f32939832e3b5eeb586d0fc1467721a30b64132bc5f833697f
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
731b4673f28da5d8b48f016a478be4e1ffea247d5b44a6612c506110b8fdd97c
703835c57b8985141ef3ef652e2593935a47bd9779d08963c5eb973b8b82d08a
6a3584f8e6b5f8e2fb5826aa0f042bf30b06e7467f022499a71273e15daaa216
3cfc1ecd00d52349c0b1ac0692774b31a97342330ef664b546fa3b8aa1d3a6c2
2b62b9481c0bcdf46a24a792f44e152ea5b7c5143cb06af9d82ff8c2c8433551
19ff0ce570aabefcab0eed08afdaffd16c5516d91962e099498ecaf97f394766
00ec82306c9df4aee9dda42933ed55afa9e53ed74c2018bc0ce43d87edad2f98
114de7d5e7dd6088f68705d519fc35530433506965ec5288e9dfb005bfec73c8
80.85.155.134
31.192.107.165
188.127.240.131
178.20.46.163
http://1tutor.ru/DESKTOP-ET51AJO_Bruno/9733698215789059.txt
http://1tutor.ru/DESKTOP-ET51AJO_Bruno/9733698215789059.au3
conversesuisse.net
dsksb.ru
cntula.ru
1tutor.ru
Attack Patterns
Core Werewolf
T1566.003
T1102.001
T1102.002
T1074.001
T1573.001
T1059.005
T1012
T1204.002
T1016
T1106
T1082
T1057
T1105
T1566.001
T1083
T1140
T1033
T1027
T1112
T1059
Additional Information
Defense
Government
Russian Federation