Scaly Wolf’s new loader: the right tool for the wrong job

May 2, 2024, 3:17 p.m.

Description

The report analyzes a recent campaign by the Scaly Wolf threat group targeting organizations in Russia and Belarus. The group sends phishing emails disguised as communications from government agencies; each carries legitimate documents alongside a password-protected archive containing a malicious executable. The executable is a loader that injects the White Snake stealer into the explorer.exe process, evading detection through anti-virtualization checks and by issuing kernel calls directly instead of going through the WinAPI. The White Snake stealer then harvests credentials and other sensitive data from the compromised systems.

Date

  • Created: May 2, 2024, 2:48 p.m.
  • Published: May 2, 2024, 2:48 p.m.
  • Modified: May 2, 2024, 3:17 p.m.

Indicators


Attack Patterns

  • White Snake
  • Scaly Wolf
  • T1559.001
  • T1003.001
  • T1036.004
  • T1053.005
  • T1497.001
  • T1012
  • T1497
  • T1005
  • T1566.001
  • T1055

Additional Information

  • Belarus
  • Russian Federation