
The threat actor known as Paper Werewolf has been observed targeting Russian organizations with a new implant called PowerModul.
The activity, which took place between July and December 2024, singled out organizations in the mass media, telecommunications, construction, government, and energy sectors, Kaspersky said in a new report published Thursday.
Paper Werewolf, also known as GOFFEE, is assessed to have run at least seven campaigns since 2022, according to BI.ZONE, with the attacks mainly aimed at government, energy, financial, media, and other organizations.
The threat actor's attack chains have also been observed incorporating a disruptive component, in which the intrusions go beyond distributing malware for espionage purposes and also change the passwords of employee accounts.
The attacks themselves are initiated via phishing emails carrying a macro-laced lure document that, once opened and macros are enabled, paves the way for the deployment of a PowerShell-based remote access trojan known as PowerRAT.
The malware is designed to fetch a next-stage payload, often a custom variant of the Mythic framework agent known as PowerTaskel and QwakMyAgent. Another tool in the threat actor's arsenal is a malicious IIS module called Owowa, which is used to retrieve the Microsoft Outlook credentials entered by users on the web client.
The latest set of attacks documented by Kaspersky begins with a malicious RAR archive containing an executable that masquerades as a PDF or Word document by means of a double extension (i.e., *.pdf.exe or *.doc.exe). When the executable is launched, a decoy file is downloaded from a remote server and shown to the user, while the infection proceeds to the next stage in the background.
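The double-extension trick described above is cheap to catch at the mail gateway or during triage, before the archive is ever extracted, because it is visible in the archive's own file listing. The following Python snippet is an added example, not code from the Kaspersky report or from any tool it describes: it classifies archive member names, flagging executables whose inner extension is a document type (the *.pdf.exe / *.doc.exe pattern), plain executables, and explicitly macro-enabled Office formats. The extension sets and the sample listing are assumptions constructed for this example.

```python
import os

# Extension sets are assumptions for this example, not taken from the report.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def classify(member_name):
    """Return a reason string if the archive member name looks dangerous, else None.

    Only the name is inspected, so this works on an archive listing without
    extracting anything. Comparison is case-insensitive ("Report.PDF.EXE").
    """
    # Archive members may carry Windows-style paths; keep only the file name.
    base = os.path.basename(member_name.replace("\\", "/"))
    root, last = os.path.splitext(base)
    last = last.lower()
    inner = os.path.splitext(root)[1].lower()  # extension hiding under the real one
    if last in EXECUTABLE_EXT and inner in DOCUMENT_EXT:
        return f"document decoy with executable extension ({inner}{last})"
    if last in EXECUTABLE_EXT:
        return f"executable ({last})"
    if last in MACRO_EXT:
        return f"macro-enabled Office document ({last})"
    return None


def scan_archive_listing(listing):
    """listing: iterable of (archive_name, member_name). Returns flagged entries."""
    hits = []
    for archive, member in listing:
        reason = classify(member)
        if reason:
            hits.append((archive, member, reason))
    return hits


# Constructed sample listing (hypothetical names, not from the report).
SAMPLE_LISTING = [
    ("Счет_на_оплату.rar", "Счет на оплату.pdf.exe"),   # decoy: PDF name, EXE payload
    ("Tender.rar", "docs/Tender_2024.doc.exe"),         # decoy inside a subfolder
    ("Report.rar", "Report_Q3.docx"),                   # benign document
    ("Forms.rar", "Forms.docm"),                        # macro-enabled, worth a look
    ("Photos.rar", "photos/img_01.jpg"),                # benign
    ("Tools.rar", "tools/update.exe"),                  # plain executable
]

if __name__ == "__main__":
    for archive, member, reason in scan_archive_listing(SAMPLE_LISTING):
        print(f"{archive}: {member} -> {reason}")
```

In practice the listing comes from the archive library (for ZIP, `zipfile.ZipFile(path).namelist()`; RAR needs a third-party module), and a gateway would block or quarantine on the "document decoy" reason rather than merely log it. A name check is deliberately a first pass: it does not replace inspecting the member's actual content, since an attacker can just as easily ship a macro inside a plain .doc.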
"The file itself is a Windows system file (explorer.exe or xpsrchvw.exe), patched with malicious shellcode in part of its code," it said. "The shellcode is similar to what we saw in earlier attacks, but in addition contains an obfuscated Mythic agent, which immediately starts communicating with the command-and-control (C2) server."
An alternative attack sequence is considerably more elaborate, using a RAR archive that embeds a Microsoft Office document with a macro; the macro serves as a dropper to deploy and launch PowerModul, a PowerShell script capable of receiving and executing additional PowerShell scripts from the C2 server.
The backdoor is said to have been in use since the beginning of 2024, with the threat actors initially relying on it to download and execute PowerTaskel on compromised hosts. Some of the other payloads dropped by PowerModul are listed below -
- FlashFileGrabber, which is used to steal files from removable media, such as flash drives, and exfiltrate them to the C2 server
- FlashFileGrabberOffline, a version of FlashFileGrabber that scans removable media for files with specific extensions and, when they are found,
- USB Worm, which is capable of infecting removable media with a copy of PowerModul
PowerTaskel is also designed to run PowerShell scripts sent by the C2 server and is functionally similar to PowerModul. In addition, it can send information about the targeted environment in the form of a "checkin" message, as well as execute other commands received from the C2 server as tasks. It is also equipped to escalate privileges using the PsExec utility.
In at least one instance, PowerTaskel has been found to receive a script with a FolderFileGrabber component that, in addition to mimicking the capabilities of FlashFileGrabber, can collect files from remote systems via hard-coded network paths using the SMB protocol.
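Both the FlashFileGrabber family listed above and the FolderFileGrabber component share one observable: a scripting host reading a burst of document files from a removable drive or a remote SMB share. The Python below is an added detection example, not code from the report or from any of the tools it names. It takes file-access events of the kind an EDR or Sysmon-style sensor produces, groups document reads by process and by source (removable drive letter or UNC host), and raises an alert when a process reads a threshold number of documents from one source within a short window. The event format, the removable drive letters, the document extension set and the sample events are all assumptions constructed for this example.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed document extensions a file grabber would go after (example choice).
DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf", ".odt"}
# Drive letters treated as removable media; in production take these from the OS.
REMOVABLE_LETTERS = ("E", "F")
UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")


def source_of(path):
    """Classify where a path lives: 'smb:<host>', 'removable:<letter>', or None (local)."""
    m = UNC_HOST.match(path)
    if m:
        return "smb:" + m.group(1).lower()
    if len(path) > 2 and path[1] == ":" and path[0].upper() in REMOVABLE_LETTERS:
        return "removable:" + path[0].upper()
    return None


def is_document(path):
    return os.path.splitext(path)[1].lower() in DOC_EXT


def flag_mass_collection(events, threshold=4, window=timedelta(seconds=60)):
    """events: iterable of (iso_timestamp, process_image, file_path).

    Returns sorted (process, source) pairs for which at least `threshold`
    document reads from the same source fall inside a sliding `window`.
    """
    reads = defaultdict(list)
    for ts, image, path in events:
        src = source_of(path)
        if src and is_document(path):
            reads[(image, src)].append(datetime.fromisoformat(ts))
    alerts = []
    for key, times in reads.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:  # shrink window from the left
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append(key)
                break
    return sorted(alerts)


# Constructed sample events (hypothetical; not from the report).
EVENTS = [
    ("2024-09-03T10:00:01", "powershell.exe", r"E:\contracts\a.docx"),
    ("2024-09-03T10:00:03", "powershell.exe", r"E:\contracts\b.xlsx"),
    ("2024-09-03T10:00:05", "powershell.exe", r"E:\scans\c.pdf"),
    ("2024-09-03T10:00:09", "powershell.exe", r"E:\notes.txt"),
    ("2024-09-03T10:00:20", "powershell.exe", r"E:\tools\setup.exe"),      # not a document
    ("2024-09-03T10:00:30", "explorer.exe", r"E:\contracts\a.docx"),       # a user browsing
    ("2024-09-03T10:00:31", "explorer.exe", r"E:\contracts\b.xlsx"),
    ("2024-09-03T10:00:40", "winword.exe", r"C:\Users\u\Documents\x.docx"), # local, ignored
    ("2024-09-03T10:01:00", "powershell.exe", r"\\fileserver\finance\q3.xlsx"),
    ("2024-09-03T10:05:00", "powershell.exe", r"\\fileserver\finance\q2.xlsx"),
    ("2024-09-03T10:09:00", "powershell.exe", r"\\fileserver\finance\q1.xlsx"),
    ("2024-09-03T10:13:00", "powershell.exe", r"\\fileserver\finance\budget.docx"),
]

if __name__ == "__main__":
    for image, src in flag_mass_collection(EVENTS):
        print(f"ALERT: {image} read many documents from {src}")
```

With the defaults only the PowerShell burst from the removable drive fires; the slow, spread-out reads from the SMB share stay under the window, which is the trade-off to tune: a low-and-slow grabber evades a short window, while a long window with a low threshold starts catching ordinary users. Restricting the rule to scripting hosts (powershell.exe, wscript.exe) rather than all processes keeps the explorer.exe browsing pattern from alerting even at a low threshold.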
"For the first time, it employed Word documents with malicious VBA scripts for initial infection," Kaspersky said. "Recently, we have noticed that GOFFEE is abandoning the use of PowerTaskel in favor of a binary Mythic agent during lateral movement."
The development comes as BI.ZONE attributed another threat group, called Sapphire Werewolf, to a phishing campaign that distributes an updated version of an open-source stealer.
The stealer harvests credentials from "Telegram and various browsers, including Chrome, Opera, Yandex, Brave, Orbitum, Atom, Cometa, and Edge Chromium, as well as FileZilla and SSH configuration files," the Russian company said. It is also capable of grabbing documents.