In recent months, a threat activity cluster known as Bloody Wolf has been actively targeting organizations in Kazakhstan. This group employs a commodity remote access trojan called STRRAT (also referred to as Strigoi Master), which is sold for as little as $80 on underground markets. According to a detailed investigation by the cybersecurity firm BI.ZONE, this low-cost malware enables adversaries to take control of corporate computers and exfiltrate sensitive data.
Initial Access and Infection Vector
The primary method used by Bloody Wolf to infiltrate systems is through phishing emails. These emails are designed to appear as official communications from the Ministry of Finance of the Republic of Kazakhstan and other reputable organizations. The phishing emails contain PDF attachments, which purportedly provide non-compliance notices. Within these PDFs are links to a malicious Java archive (JAR) file and instructions on how to install the Java interpreter necessary for the malware to operate.
To lend further legitimacy to their attack, the hackers include a second link in the email that directs recipients to a page associated with the national government’s website. This page advises users to install Java to ensure that the portal functions correctly, thereby lowering their guard and increasing the likelihood of infection.
Malware Persistence and Execution
Once the malicious JAR file is executed, STRRAT establishes persistence on the infected Windows host by modifying the registry. It also schedules the JAR file to run every 30 minutes and copies the JAR file into the Windows startup folder, ensuring that it launches automatically after every system reboot. The malware is hosted on a website that closely mimics the Kazakhstani government's official site, egov-kz[.]online, further deceiving victims.
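A defender checking a Windows host for the persistence described above can test exported artifacts against that pattern: a scheduled task whose repetition interval is 30 minutes and whose action launches a .jar, a Run-key value pointing at a .jar, and a .jar in the Startup folder. The following Python is an added example, not code from the article or from BI.ZONE. It runs offline on constructed samples: a task in the format produced by `schtasks /query /xml`, a dictionary of Run-key values, and a Startup-folder listing. The task names, file paths and the choice of the HKCU Run key are assumptions for illustration; the article only states that the registry is modified.

```python
"""Audit exported Windows persistence artifacts for a .jar launched every 30 minutes.

Added example: inputs are constructed samples, not artifacts from the campaign.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# A command line that launches a Java archive: java/javaw with -jar, or a bare
# .jar path (Windows hands that to the registered Java file handler).
JAR_LAUNCH = re.compile(r"\bjavaw?(?:\.exe)?\b.*-jar\b|\.jar\b", re.IGNORECASE)


def is_jar_launch(command_line: str) -> bool:
    """True if the command line would execute a .jar."""
    return bool(JAR_LAUNCH.search(command_line))


def audit_task_xml(task_xml: str, interval: str = "PT30M") -> dict:
    """Report whether an exported task launches a .jar on the given repetition interval."""
    root = ET.fromstring(task_xml)
    command_lines = []
    for exec_ in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_.findtext("t:Arguments", default="", namespaces=TASK_NS)
        command_lines.append(f"{cmd} {args}".strip())
    repetition = root.findtext(".//t:Repetition/t:Interval", default=None, namespaces=TASK_NS)
    launches_jar = any(is_jar_launch(c) for c in command_lines)
    return {
        "command_lines": command_lines,
        "interval": repetition,
        "suspicious": launches_jar and repetition == interval,
    }


def audit_run_values(values: dict) -> list:
    """Return the names of Run-key values (name -> command) that launch a .jar."""
    return sorted(name for name, cmd in values.items() if is_jar_launch(cmd))


def audit_startup_folder(filenames) -> list:
    """Return the .jar files found in a Startup-folder listing."""
    return sorted(f for f in filenames if f.lower().endswith(".jar"))


def audit_host(task_xmls: dict, run_values: dict, startup_files) -> list:
    """Combine the three checks into human-readable findings."""
    findings = []
    for name, xml in task_xmls.items():
        result = audit_task_xml(xml)
        if result["suspicious"]:
            findings.append(f"task {name!r} launches a .jar every {result['interval']}: "
                            f"{result['command_lines']}")
    for name in audit_run_values(run_values):
        findings.append(f"Run value {name!r} launches a .jar: {run_values[name]}")
    for fname in audit_startup_folder(startup_files):
        findings.append(f"Startup folder contains a .jar: {fname}")
    return findings


# Constructed samples (the XML declaration of a real export is omitted).
SAMPLE_TASK_STRRAT = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval></Repetition>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Java\jre8\bin\javaw.exe</Command>
      <Arguments>-jar C:\Users\Public\notice.jar</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_TASK_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""

SAMPLE_RUN_VALUES = {  # hypothetical HKCU\...\CurrentVersion\Run contents
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "notice": r'"C:\Users\user\AppData\Roaming\notice.jar"',
}
SAMPLE_STARTUP = ["desktop.ini", "notice.jar"]

if __name__ == "__main__":
    tasks = {"Notice": SAMPLE_TASK_STRRAT, "VendorUpdate": SAMPLE_TASK_BENIGN}
    for finding in audit_host(tasks, SAMPLE_RUN_VALUES, SAMPLE_STARTUP):
        print(finding)
```

On a live host the same functions would be fed the output of `schtasks /query /xml`, the values read from the Run key, and a directory listing of the Startup folder; the interval check is deliberately exact so that tasks with other schedules are reported only if the analyst widens it.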
STRRAT’s Capabilities
STRRAT is a multifunctional trojan with a wide range of capabilities designed to give attackers complete control over the infected machine and the ability to steal sensitive data. Some of its key functionalities include:
- Credential Theft: STRRAT can extract login details from popular web browsers such as Google Chrome, Mozilla Firefox and Internet Explorer, as well as from email clients like Foxmail, Outlook, and Thunderbird.
- Keylogging: The malware records keystrokes, capturing any information typed by the user.
- Remote Command Execution: Attackers can execute commands remotely via cmd.exe or PowerShell.
- File Manipulation: It can manipulate files on the infected system, including copying, deleting, and modifying them.
- Screen and Browser Control: The malware can take control of the victim’s screen and web browser.
- Proxy Installation: STRRAT can install a proxy server to reroute network traffic through the attacker’s server.
- Ransomware-like File Encryption: It has the capability to encrypt files on the victim’s machine, mimicking ransomware behavior.
Evasion Techniques
One of the noteworthy aspects of STRRAT is its use of less common file types, such as JAR, which helps it bypass many conventional security defenses. Additionally, the malware uses legitimate web services like Pastebin to communicate with the compromised system, making it difficult for network security solutions to detect and block its activities. This technique of blending malicious traffic with legitimate services allows the malware to evade detection and maintain a foothold within the target environment.
Indicators of Compromise (IoCs)
To aid in the detection and mitigation of this threat, here are some known indicators of compromise associated with the Bloody Wolf campaign:
File Hashes:
e35370cb7c8691b5fdd9f57f3f462807b40b067e305ce30eabc16e0642eca06b
00172976ee3057dd6555734af28759add7daea55047eb6f627e5491701c3ec83
cb55cf3e486f3cbe3756b9b3abf1673099384a64127c99d9065aa26433281167
a6fb286732466178768b494103e59a9e143d77d49445a876ebd3a40904e2f0b0
25c622e702b68fd561db1aec392ac01742e757724dd5276b348c11b6c5e23e59
14ec3d03602467f8ad2e26eef7ce950f67826d23fedb16f30d5cf9c99dfeb058
ee113a592431014f44547b144934a470a1f7ab4abec70ba1052a4feb3d15d5c6
Pastebin Links:
/raw/dFKy3ZDm:13570
/raw/dLzt4tRB:13569
/raw/dLzt4tRB:10101
/raw/YZLySxsv:20202
/raw/8umPhg86:13772
/raw/67b8GSUQ:13671
/raw/8umPhg86:13771
/raw/67b8GSUQ:13672
/raw/dLzt4tRB:13880
/raw/YZLySxsv:13881
IP Addresses:
91.92.240.188
185.196.10.116
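The indicators above are only useful once they are matched against telemetry, and the Pastebin-based communication described under Evasion Techniques is the part that web-proxy logs can expose. The following Python is an added example, not code from the article or from BI.ZONE. It loads the article's hashes, Pastebin paths and IP addresses, then scans a constructed file-hash inventory and constructed proxy log lines. The log format (timestamp, client, method, URL, destination IP, user agent) and all sample values other than the listed indicators are constructed; the numeric suffix after each Pastebin ID is kept as the article lists it, but only the /raw/<id> path is compared against URLs. The Java user-agent heuristic is an assumption added here, not something the article states.

```python
"""Match constructed telemetry against the Bloody Wolf indicators listed in the article.

Added example. Indicators are copied from the article; all other data is constructed.
"""
import hashlib
import re

IOC_SHA256 = {
    "e35370cb7c8691b5fdd9f57f3f462807b40b067e305ce30eabc16e0642eca06b",
    "00172976ee3057dd6555734af28759add7daea55047eb6f627e5491701c3ec83",
    "cb55cf3e486f3cbe3756b9b3abf1673099384a64127c99d9065aa26433281167",
    "a6fb286732466178768b494103e59a9e143d77d49445a876ebd3a40904e2f0b0",
    "25c622e702b68fd561db1aec392ac01742e757724dd5276b348c11b6c5e23e59",
    "14ec3d03602467f8ad2e26eef7ce950f67826d23fedb16f30d5cf9c99dfeb058",
    "ee113a592431014f44547b144934a470a1f7ab4abec70ba1052a4feb3d15d5c6",
}
IOC_PASTEBIN = [
    "/raw/dFKy3ZDm:13570", "/raw/dLzt4tRB:13569", "/raw/dLzt4tRB:10101",
    "/raw/YZLySxsv:20202", "/raw/8umPhg86:13772", "/raw/67b8GSUQ:13671",
    "/raw/8umPhg86:13771", "/raw/67b8GSUQ:13672", "/raw/dLzt4tRB:13880",
    "/raw/YZLySxsv:13881",
]
IOC_IPS = {"91.92.240.188", "185.196.10.116"}

PASTEBIN_URL = re.compile(r"https?://pastebin\.com(/raw/[A-Za-z0-9]+)", re.IGNORECASE)


def pastebin_paths(entries=IOC_PASTEBIN) -> set:
    """Drop the numeric suffix listed after each paste ID, leaving the URL path."""
    return {entry.rsplit(":", 1)[0] for entry in entries}


def hash_file(path: str) -> str:
    """SHA-256 of a file on disk, for building a real inventory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_hashes(inventory: dict) -> list:
    """inventory maps file path -> SHA-256 hex; return paths whose hash is a known IoC."""
    return sorted(path for path, h in inventory.items() if h.lower() in IOC_SHA256)


def scan_proxy_line(line: str, paths=None) -> list:
    """Tag one log line: 'ts client method url dest_ip user_agent' (constructed format)."""
    paths = pastebin_paths() if paths is None else paths
    fields = line.split(maxsplit=5)
    if len(fields) < 6:
        return []
    _, _client, _method, url, dest_ip, user_agent = fields
    hits = []
    if dest_ip in IOC_IPS:
        hits.append("c2_ip")
    match = PASTEBIN_URL.search(url)
    if match:
        if match.group(1) in paths:
            hits.append("pastebin_ioc")
        elif user_agent.startswith("Java/"):
            # Weaker heuristic (assumption, not from the article): a Java runtime
            # fetching a raw paste is unusual for end-user hosts.
            hits.append("pastebin_java_ua")
    return hits


def scan_proxy_log(lines) -> list:
    """Return (client, hits) for every line that matched at least one indicator."""
    results = []
    for line in lines:
        hits = scan_proxy_line(line)
        if hits:
            results.append((line.split()[1], hits))
    return results


# Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_PROXY_LOG = [
    "2024-08-05T09:12:31Z 10.10.4.21 GET https://pastebin.com/raw/dFKy3ZDm 203.0.113.10 Java/1.8.0_411",
    "2024-08-05T09:12:34Z 10.10.4.21 CONNECT 91.92.240.188:443 91.92.240.188 -",
    "2024-08-05T09:13:02Z 10.10.4.22 GET https://pastebin.com/raw/abcd1234 203.0.113.10 Mozilla/5.0 (Windows NT 10.0)",
    "2024-08-05T09:13:40Z 10.10.4.23 GET https://pastebin.com/raw/zzzz9999 203.0.113.10 Java/1.8.0_411",
    "2024-08-05T09:14:00Z 10.10.4.24 GET https://www.example.com/ 198.51.100.7 Mozilla/5.0 (Windows NT 10.0)",
]
SAMPLE_INVENTORY = {
    r"C:\Users\Public\notice.jar": "E35370CB7C8691B5FDD9F57F3F462807B40B067E305CE30EABC16E0642ECA06B",
    r"C:\Program Files\Java\jre8\bin\javaw.exe": "0" * 64,  # placeholder, not a real hash
}

if __name__ == "__main__":
    print("hash matches:", match_hashes(SAMPLE_INVENTORY))
    for client, hits in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client, hits)
```

Hash comparison is case-insensitive because tools export SHA-256 in both cases, and the two Pastebin checks are kept distinct so that an exact indicator match can page an analyst while the user-agent heuristic is triaged with lower priority.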
Conclusion
The Bloody Wolf campaign targeting organizations in Kazakhstan is a stark reminder of how cybercriminals can leverage low-cost, commercially available malware to execute sophisticated and damaging attacks. By using phishing emails, less common file types, and legitimate web services for communication, these attackers manage to bypass traditional security defenses and maintain persistence within their targets’ systems. Organizations need to remain vigilant, employ robust cybersecurity practices, and stay informed about the latest threats to protect their valuable data and infrastructure.