Mysterious Werewolf attacks Russian industry
A while back, international researchers reported on a new threat group that had attacked a number of Russian semiconductor suppliers. The report came from Cyble, headquartered in Alpharetta, Georgia, with offices in Australia, Malaysia, Singapore, Dubai, Saudi Arabia, and India. The BI.ZONE Cyber Threat Intelligence team is also tracking this activity cluster, dubbed Mysterious Werewolf, and we recently uncovered another attack in the campaign, this time targeting industrial facilities in Russia.
- Organizations often fail to patch their application software on time, which gives attackers a window of opportunity to exploit the neglected vulnerabilities.
- Dynamic DNS gives attackers a more flexible infrastructure and helps them avoid immediate detection and blocking.
- Attackers are increasingly using less popular post-exploitation frameworks, which lets them bypass a number of defenses more effectively.
This time, the attackers disguised themselves as the Ministry of Industry and Trade of the Russian Federation, and their phishing emails contained archives named Pismo_izveshcanie_2023_10_16.rar that exploited the CVE-2023-38831 vulnerability in WinRAR (fixed in WinRAR 6.23). The archive contained a legitimate PDF document as well as a folder with a malicious CMD file. When the victim opened the archive and double-clicked the document, the exploit launched the CMD file instead: WinRAR.exe spawned cmd.exe to execute it.
Detection opportunity 1
In this case, WinRAR.exe spawned cmd.exe to execute the malicious CMD file (C:\Users\[redacted]\AppData\Local\Temp\Rar$DIa5576.1088\Pismo_Rassylka_Ministerstva_Ministerstva_promyshlennosti.pdf .cmd). Note the space before .cmd: this is the CVE-2023-38831 trick. The archive holds a folder with the same name as the decoy document, and inside it a script named after the document plus a space and a script extension; vulnerable WinRAR versions extract both entries and run the script when the user double-clicks the document. Running cmd.exe is atypical for WinRAR.exe, so the parent-child relationship alone is a useful signal. In addition, we can use a list of file extensions associated with the exploited vulnerability to make the detection even more accurate: we can pay attention to WinRAR.exe that runs cmd.exe to execute a file with one of the following extensions:
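The following is an added example (not code from the original post or from BI.ZONE) that turns detection opportunity 1 into a check run over constructed Sysmon-style process-creation events. It keys on the WinRAR.exe to cmd.exe parent-child relationship, then grades each hit by whether the executed file sits in WinRAR's Rar$ temp folder and carries the "name.pdf .cmd" spaced-extension artifact of CVE-2023-38831. The extension list, the event field names and the sample records are assumptions made for illustration.

```python
"""Detection opportunity 1: WinRAR.exe spawning cmd.exe to run a script that
carries the CVE-2023-38831 naming artifact ("decoy.pdf .cmd").

Events are constructed Sysmon Event ID 1 (process creation) records modelled
on the chain described above, not telemetry from the incident."""
from __future__ import annotations

import ntpath  # handles Windows paths correctly even when run on Linux/macOS
import re

# Assumed list of script/executable extensions (the page's own list is not
# reproduced here); tune it to what the shell will execute in your environment.
EXPLOIT_EXTENSIONS = {".cmd", ".bat", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".exe", ".scr"}

# "<decoy name>.<decoy ext> .<script ext>": the space before the final
# extension is how the exploit archive names the script.
SPACED_EXTENSION = re.compile(r"\.\w+ \.\w+$")


def script_argument(command_line: str) -> str | None:
    """Return the file passed to cmd.exe after /c or /k, without surrounding quotes."""
    m = re.search(r"\s/[ck]\s+(.*)$", command_line, re.IGNORECASE | re.DOTALL)
    return m.group(1).strip(' "') if m else None


def check_winrar_child(event: dict) -> dict | None:
    """Flag WinRAR.exe -> cmd.exe and grade how closely it matches the exploit."""
    if ntpath.basename(event["ParentImage"]).lower() != "winrar.exe":
        return None
    if ntpath.basename(event["Image"]).lower() != "cmd.exe":
        return None
    target = script_argument(event["CommandLine"])
    if target is None:
        return None
    name = ntpath.basename(target)          # keeps the inner space intact
    ext = ntpath.splitext(name)[1].lower()  # ".cmd" for "x.pdf .cmd"
    if ext not in EXPLOIT_EXTENSIONS:
        return None
    return {
        "file": target,
        "extension": ext,
        # both flags True together is the high-confidence CVE-2023-38831 pattern
        "spaced_extension": bool(SPACED_EXTENSION.search(name)),
        "from_rar_temp": "\\rar$" in target.lower(),  # WinRAR's Rar$xxx temp folder
    }


def scan(events: list[dict]) -> list[dict]:
    return [hit for hit in map(check_winrar_child, events) if hit]


# Constructed sample events (assumed field names follow Sysmon's).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ""C:\Users\victim\AppData\Local\Temp\Rar$DIa5576.1088\Pismo_Rassylka_Ministerstva_Ministerstva_promyshlennosti.pdf .cmd" "'},
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",  # still odd, but no exploit artifact
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\victim\Downloads\build.bat"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # ordinary cmd.exe launch
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" '},
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",  # WinRAR opening a PDF normally
     "Image": r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe",
     "CommandLine": r'"C:\Program Files\Adobe\Acrobat\AcroRd32.exe" "C:\Users\victim\AppData\Local\Temp\Rar$DIa1234.5678\report.pdf"'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The two boolean fields let a rule engine tier the alert: the parent-child pair alone is worth a hunt query, while a spaced extension inside a Rar$ folder is close to a confirmed exploitation attempt. Case-fold everything you compare; depending on the sensor the image may be logged as WinRAR.exe or winrar.exe.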
The malicious CMD file runs the following PowerShell script:
powershell -nop -WindowStyle Hidden -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('[redacted]'))))"
The script is obfuscated and does the following:
- downloads a benign PDF file (Pismo_Rassylka_Ministerstva_promyshlennosti.pdf, the contents of which are shown below) from hXXps://cloudfare[.]webredirect[.]org (webredirect[.]org is a domain of the Dynu dynamic DNS service) and opens it
- downloads the Athena agent from hXXps://cloudfare[.]webredirect[.]org and saves it to disk (the scheduled task below runs it as C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Fonts\MikrosoftEdge.exe)
- creates a scheduled task to run the agent every 10 minutes:
schtasks /crEaTE /Sc mINUTE /mo 10 /TN "Microsoft Edge" /Tr C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Fonts\MikrosoftEdge.exe /f
Detection opportunity 2
Here we have several detection opportunities. For example, the fact that PowerShell is communicating with the address of a dynamic DNS provider is suspicious. Another example of suspicious behavior is powershell.exe creating files in atypical locations, here an executable with the misspelled name MikrosoftEdge.exe in the user's AppData\Local\Microsoft\Windows\Fonts folder. You can use information about such folders for proactive threat hunting, for example by looking for suspicious executables running from them.
To gain persistence on the compromised system, the attackers used the Windows Task Scheduler. Such activity is noisy, of course, but you can experiment with command line settings to detect anomalous activity, for example by focusing on those that are atypical of your IT infrastructure: here, a task named "Microsoft Edge" that runs a binary from a user's AppData folder every 10 minutes. Note that the switches are written in mixed case (/crEaTE, /Sc mINUTE), so any string matching must be case-insensitive.
And finally, the Athena agent. In this case, it uses Discord to receive commands, which means we can detect suspicious communications, such as connections to discordapp[.]com that do not come from the Discord application or a browser.
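As an added example (not code from the original post or from BI.ZONE), the checks below implement the four hunts from detection opportunity 2 over constructed Sysmon-style events: PowerShell talking to a dynamic DNS domain, PowerShell dropping an executable under AppData, a schtasks /create whose switches are parsed case-insensitively (so the attackers' /crEaTE /Sc mINUTE spelling still matches) and whose binary lives in a user profile, and a Discord connection from a process that is neither the Discord client nor a browser. The dynamic DNS suffixes other than webredirect.org, the process allowlist, the interval threshold, the event field names and the sample events are assumptions.

```python
"""Detection opportunity 2: hunting checks for the PowerShell download, the
dropped agent, the schtasks persistence and the Discord C2 channel, run over
constructed Sysmon-style events (not incident telemetry)."""
from __future__ import annotations

import ntpath
import re

# Assumed watchlists. Only webredirect.org (Dynu) comes from the incident above;
# the other suffixes and the process allowlist are illustrative and site-specific.
DYNAMIC_DNS_SUFFIXES = ("webredirect.org", "dynu.net", "ddns.net", "duckdns.org")
DISCORD_DOMAINS = ("discordapp.com", "discord.com", "discord.gg")
DISCORD_ALLOWED_IMAGES = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".cmd", ".bat", ".ps1", ".vbs"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# "/switch value" pairs; a value may be quoted and never starts with "/"
SCHTASKS_SWITCH = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def host_matches(host: str, suffixes: tuple[str, ...]) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_schtasks(command_line: str) -> dict[str, str]:
    """Map lowercased switch -> value. Lowercasing defeats the mixed-case
    spelling (/crEaTE, /Sc mINUTE) used in the attackers' command."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"')
            for m in SCHTASKS_SWITCH.finditer(command_line)}


def check_schtasks(event: dict) -> str | None:
    if image_name(event["Image"]) != "schtasks.exe":
        return None
    opts = parse_schtasks(event["CommandLine"])
    if "create" not in opts:
        return None
    reasons = []
    task_run = opts.get("tr", "").lower()
    if "\\users\\" in task_run:  # task binary lives in a user-writable profile path
        reasons.append("task binary under a user profile")
    interval = opts.get("mo", "")
    if opts.get("sc", "").lower() == "minute" and interval.isdigit() and int(interval) <= 15:
        reasons.append(f"beacon-like schedule every {interval} minute(s)")
    return "schtasks /create: " + "; ".join(reasons) if reasons else None


def check_file_create(event: dict) -> str | None:
    if image_name(event["Image"]) not in POWERSHELL_IMAGES:
        return None
    target = event["TargetFilename"]
    if ntpath.splitext(target)[1].lower() in EXECUTABLE_EXTENSIONS and "\\appdata\\" in target.lower():
        return f"powershell wrote executable {target}"
    return None


def check_network(event: dict) -> str | None:
    image, host = image_name(event["Image"]), event["DestinationHostname"]
    if image in POWERSHELL_IMAGES and host_matches(host, DYNAMIC_DNS_SUFFIXES):
        return f"powershell contacted dynamic DNS host {host}"
    if host_matches(host, DISCORD_DOMAINS) and image not in DISCORD_ALLOWED_IMAGES:
        return f"{image} talking to Discord ({host})"
    return None


CHECKS = {"process": check_schtasks, "file": check_file_create, "network": check_network}


def scan(events: list[dict]) -> list[str]:
    return [f for f in (CHECKS[e["type"]](e) for e in events) if f]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
AGENT = r"C:\Users\victim\AppData\Local\Microsoft\Windows\Fonts\MikrosoftEdge.exe"

# Constructed sample events modelled on the chain above, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "network", "Image": PS, "DestinationHostname": "cloudfare.webredirect.org"},
    {"type": "file", "Image": PS, "TargetFilename": AGENT},
    {"type": "process", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /crEaTE /Sc mINUTE /mo 10 /TN "Microsoft Edge" /Tr ' + AGENT + " /f"},
    {"type": "network", "Image": AGENT, "DestinationHostname": "discordapp.com"},
    {"type": "network", "Image": r"C:\Users\victim\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "DestinationHostname": "gateway.discord.gg"},  # the real client: allowed
    {"type": "process", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC DAILY /TN "Backup" /TR "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The schtasks parser is the part worth keeping: it tokenizes switches rather than grepping for a literal "/create", so case tricks and reordered arguments do not break the match, and the extracted /tr and /sc values are what you compare against what is normal for your estate.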
Athena is an agent for Mythic C2, a cross-platform collaborative framework for penetration testers. It allows the operator to perform various actions in the post-exploitation context (e.g., interact with the file system of a compromised system, download and upload files, execute commands and scripts, scan the network, etc.).
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | Mysterious Werewolf uses archives attached to phishing emails that exploit the CVE-2023-38831 vulnerability |
| Execution | Exploitation for Client Execution | Mysterious Werewolf exploits the CVE-2023-38831 vulnerability in WinRAR to execute malicious code on a compromised system |
| Execution | User Execution: Malicious File | The victim needs to open the malicious file to initiate the compromise process |
| Execution | Command and Scripting Interpreter: Windows Command Shell | As a result of successful exploitation, the malicious CMD file is launched using the Windows command line |
| Execution | Command and Scripting Interpreter: PowerShell | Mysterious Werewolf uses PowerShell to download legitimate documents and the Athena agent from a remote server |
| Persistence | Scheduled Task/Job: Scheduled Task | Mysterious Werewolf creates jobs in Windows Task Scheduler to maintain persistence on a compromised system |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | Mysterious Werewolf uses names for malicious files that resemble legitimate files |
| Defense Evasion | Obfuscated Files or Information | Mysterious Werewolf uses Base64 to encode scripts executed in PowerShell |
| Command and Control | | Mysterious Werewolf uses dynamic DNS to deliver files to a compromised system |
| Command and Control | Ingress Tool Transfer | Mysterious Werewolf downloads the Athena agent from a remote server |
| Command and Control | Web Service: Bidirectional Communication | Mysterious Werewolf uses Discord to communicate with its C2 |
Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help filter unwanted emails. One such service is BI.ZONE CESP. The solution addresses the problem of illegitimate emails by inspecting every message with over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis, without slowing down the delivery of legitimate messages.
If an incident has already occurred, it is important to react quickly and launch an investigation. This will allow you to understand how the attackers got into the company's systems, isolate compromised resources from the corporate network, and prevent a repeat attack via a similar vector. BI.ZONE specialists will help you address this with effective countermeasures and conduct further investigation.