Hackers attacked the Russian military-industrial complex and stole valuable files: they did not immediately notice the leak

The Mysterious Werewolf group disguised malware as legitimate services so victim companies did not immediately realize they were under attack.

The hacker group Mysterious Werewolf, active since 2023, began using its own programs to attack the Russian military-industrial complex (MIC). This was spotted by Russian digital risk management company Bi.Zone, according to Gaming Assistant’s report.

According to Oleg Skulkin from Bi.Zone, the Mysterious Werewolf group has managed to integrate legitimate services into its malicious program. According to him, this made the attack difficult to detect; for a long time, no one suspected that the systems of Russian companies were compromised.

Some time ago it became known that Mysterious Werewolf had attacked many Russian semiconductor suppliers. And recently it turned out that hackers from this group were involved in an attack on Russian manufacturers working in the military-industrial complex.

Attackers pretending to be the Ministry of Industry and Trade of the Russian Federation were sending phishing emails containing the Pismo_izveshcanie_2023_10_16.rar archive, which exploited the CVE-2023-38831 vulnerability in WinRAR, discovered last summer.

The archive contained a PDF document as well as a folder containing the malicious CMD file. When the victim opened the archive and clicked on the document, the exploit launched the CMD file instead: WinRAR.exe started cmd.exe, which in turn ran a PowerShell script that carried out the rest of the attack.
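The archive layout described above is what a mail gateway or sandbox can screen for. The following added example (not code from the article or from Bi.Zone) flags an archive listing in which a top-level document sits next to a directory whose name is that document's name plus a trailing space, and that directory holds a script named after the document. The file names (notice.pdf and its look-alike folder) are constructed for the demonstration; the real archive in the report was a RAR file, and since the Python standard library only reads ZIP, the check works on the list of member names so it can be fed from any archive tool.

```python
"""Heuristic check for archive listings shaped like the WinRAR lure described in the article.

The signal is purely structural: a document at the top level, a directory named
"<document> " (trailing space) beside it, and a script inside that directory
whose name starts with the document name.
"""
import io
import zipfile

# Extensions that should never appear inside a folder named after a document.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js"}


def _extension(filename):
    """Lower-cased extension of a file name, or '' if it has none."""
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def find_suspicious_entries(names):
    """Return (document, script_member) pairs for every look-alike folder found.

    `names` is the list of member names exactly as the archive stores them;
    trailing spaces in directory names must be preserved by the caller.
    """
    top_level_docs = set()
    members_by_dir = {}
    for raw in names:
        name = raw.replace("\\", "/")
        if name.endswith("/"):
            continue  # explicit directory entries carry no payload
        parent, _, base = name.rpartition("/")
        if parent:
            members_by_dir.setdefault(parent, []).append((name, base))
        else:
            top_level_docs.add(name)

    hits = []
    for doc in sorted(top_level_docs):
        lookalike_dir = doc + " "  # the trailing space is the fingerprint
        for member, base in members_by_dir.get(lookalike_dir, []):
            if base.startswith(doc) and _extension(base) in SCRIPT_EXTS:
                hits.append((doc, member))
    return hits


def scan_zip_bytes(data):
    """Apply the check to a ZIP held in memory (RAR listings can be passed to
    find_suspicious_entries directly)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_suspicious_entries(zf.namelist())


# Constructed listings for the demonstration; these are not real samples.
SUSPICIOUS_LISTING = ["notice.pdf", "notice.pdf /notice.pdf .cmd"]
BENIGN_LISTING = ["report.pdf", "images/logo.png", "notes/readme.txt"]

if __name__ == "__main__":
    for listing in (SUSPICIOUS_LISTING, BENIGN_LISTING):
        print(listing, "->", find_suspicious_entries(listing) or "clean")
```

Because the check looks only at member names, it can be run on the output of any listing tool before the archive is ever opened, and it does not fire on ordinary archives that merely contain both documents and subfolders.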

According to cybersecurity researchers, the script performed the following actions:

  • downloaded and opened an infected PDF document;
  • downloaded and registered the Athena agent from Cloudfare.webredirect.org;
  • created a task in the Windows scheduler to run the agent every 10 minutes.
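The chain above (WinRAR.exe starting cmd.exe, cmd.exe starting PowerShell, then a scheduled task with a 10-minute interval) is visible in ordinary endpoint telemetry. The following added example, written for this article and not taken from Bi.Zone or from the article itself, runs two detections over constructed, Sysmon-style event records: a PowerShell process whose ancestry runs back through cmd.exe to WinRAR.exe, and a scheduled task registered by such a process. The event fields, process IDs, paths and task names are all assumptions made up for the demonstration.

```python
"""Detection over constructed process-creation and task-registration events.

Alert 1: powershell.exe whose parent chain contains cmd.exe under WinRAR.exe.
Alert 2: a scheduled task registered by a process already flagged by alert 1,
         plus a lower-severity note for any task repeating every 10 minutes or less.
"""

# Constructed sample telemetry; field names mimic Sysmon but are not real logs.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Program Files\\WinRAR\\WinRAR.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "process", "pid": 400, "ppid": 300,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "task", "pid": 400, "task_name": "\\Updater", "repeat_minutes": 10},
    # Benign activity that must not fire: a user simply opening an archive,
    # an interactive PowerShell session, and an admin registering an hourly job.
    {"type": "process", "pid": 500, "ppid": 100, "image": "C:\\Program Files\\WinRAR\\WinRAR.exe"},
    {"type": "process", "pid": 700, "ppid": 100,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "process", "pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "task", "pid": 600, "task_name": "\\Backup", "repeat_minutes": 60},
]


def basename(path):
    """File name component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(pid, procs):
    """Image names from the process itself up to the root, loop-safe."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return a list of (rule, pid, detail) alerts for the given events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts, flagged = [], set()

    for e in events:
        if e["type"] != "process" or basename(e["image"]) != "powershell.exe":
            continue
        chain = ancestry(e["pid"], procs)
        # cmd.exe must be closer to the PowerShell process than WinRAR.exe is.
        if ("cmd.exe" in chain and "winrar.exe" in chain
                and chain.index("cmd.exe") < chain.index("winrar.exe")):
            flagged.add(e["pid"])
            alerts.append(("archive_spawned_powershell", e["pid"],
                           " -> ".join(reversed(chain))))

    for e in events:
        if e["type"] != "task":
            continue
        detail = f'{e["task_name"]} every {e["repeat_minutes"]} min'
        if e["pid"] in flagged:
            alerts.append(("persistence_from_archive_chain", e["pid"], detail))
        elif e.get("repeat_minutes") and e["repeat_minutes"] <= 10:
            alerts.append(("short_interval_task", e["pid"], detail))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

The ordering test on the ancestry list is what keeps the rule narrow: PowerShell launched from an administrator's own cmd.exe, or WinRAR merely being open somewhere in the tree, does not match unless cmd.exe actually sits between the archiver and the script host.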

An interesting feature of the attack was that the Mysterious Werewolf hackers did not rely only on Mythic, a cross-platform C2 framework built for collaboration between penetration testers, which allowed them to perform various actions: interact with the file system of the compromised machine, upload and download files, execute commands and scripts, scan the network, and so on. They combined the framework with their own malware.

Thus, an original RingSpy backdoor was installed on the victims’ devices, designed for remote access and allowing attackers to execute commands inside the compromised system and, as a result, steal files. A Telegram bot was used to control the backdoor.

We previously wrote that Chat GPT-4 can turn anyone into a hacker. Most AI models failed to hack websites, but GPT-4 coped with 11 out of 15 tasks and even found a real vulnerability.

Source: Focus
