Rare Wolf disguises malicious attachments as 1C:Enterprise invoices

One of the objectives was to access the Telegram accounts of employees working for Russian companies
November 29, 2023

Rare Wolf has been active since 2019 and has also attacked organizations based in countries neighboring Russia.

The attackers sent out phishing emails disguised as payment notices. Each email carried an archive that purportedly contained a 1C:Enterprise invoice and an electronic access key. In reality, the archive held a file with a .scr extension: a Windows screensaver, which is an ordinary executable that runs when double-clicked.
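A mail gateway or sandbox can catch this lure before a user ever sees the "invoice". The following is an added example (not BI.ZONE's code and not a Rare Wolf artefact) that triages a ZIP attachment the way a practitioner would: it flags executable extensions such as .scr, double extensions that pose as documents, PE content hidden under a harmless extension, and password-protected entries that cannot be inspected. The archive contents and file names are constructed for the example.

```python
import io
import zipfile

# Extensions Windows executes directly. .scr (screensaver) is a plain PE
# executable that looks harmless when it sits next to an "invoice".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi", ".dll"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf", ".xml"}
PE_MAGIC = b"MZ"            # DOS header signature at offset 0 of every PE file
ZIP_ENCRYPTED_FLAG = 0x1    # general-purpose bit 0 in the ZIP entry header


def triage_archive(archive_bytes):
    """Return {entry name: [reasons]} for entries that warrant blocking or review."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            parts = basename.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
            # "invoice.pdf.scr": the visible part looks like a document.
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
                reasons.append("double extension posing as a document")
            if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                # Password-protected entries defeat content inspection; treat that
                # as a finding instead of silently passing the attachment.
                reasons.append("encrypted entry, content not inspectable")
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)
                # Extension says "data", content says "Windows executable".
                if head == PE_MAGIC and ext not in EXECUTABLE_EXTS:
                    reasons.append("PE header under non-executable extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample lure; the names and bytes are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_1c.pdf.scr", PE_MAGIC + b"\x90" * 62)  # fake PE stub
        zf.writestr("access_key.dat", PE_MAGIC + b"\x00" * 30)      # PE hidden as .dat
        zf.writestr("readme.txt", b"Please open the invoice.")        # benign text
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_archive(build_sample_archive()).items():
        print(name, "->", "; ".join(reasons))
```

The content check matters more than the extension check: renaming the payload to .dat or .txt defeats an extension blocklist, but not a look at the first two bytes. The same logic applies to RAR or 7z attachments with the corresponding reader library; the article does not state which archive format the group used.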

Once the victim opened the file, several archives with tools were downloaded to the computer. The attackers used them to collect every document on the disk of the compromised system, extract passwords saved in the browser, and copy the Telegram messenger folder. Among other things, that folder held an encrypted key that allowed the criminals to log in to the compromised account without authorization (the stolen session is simply reused, so no login code is requested) and discreetly control all correspondence and files sent to the victim. The new sessions were not recorded in the account's activity log.
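On the host side, the theft of the Telegram Desktop folder is a detectable event: only Telegram itself has a reason to read its `tdata` directory, and an archiver being pointed at that directory is almost never legitimate. The following is an added example (not BI.ZONE's detection content) that runs that logic over a few constructed, simplified endpoint events; the event schema, process names and paths are assumptions for the example, not a real agent's format.

```python
import re

# Telegram Desktop keeps its session state (including the key that lets a
# copied folder log in elsewhere) under this directory.
TDATA_RE = re.compile(r"\\telegram desktop\\tdata(\\|$|\")", re.IGNORECASE)

# Processes expected to touch tdata. Anything else reading it is suspect.
ALLOWED_IMAGES = {"telegram.exe"}
# Tools typically used to bundle the folder before exfiltration.
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "tar.exe", "powershell.exe"}


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_tdata_theft(events):
    """Return a list of (image, reason) alerts for suspicious tdata activity."""
    alerts = []
    for e in events:
        image = _image_name(e["image"])
        if e["type"] == "file_read":
            if TDATA_RE.search(e["path"]) and image not in ALLOWED_IMAGES:
                alerts.append((image, "non-Telegram process read tdata"))
        elif e["type"] == "process_create":
            if image in ARCHIVERS and TDATA_RE.search(e["cmdline"]):
                alerts.append((image, "archiver invoked on tdata folder"))
    return alerts


# Constructed sample events (hypothetical user, paths and binaries).
SAMPLE_EVENTS = [
    {"type": "file_read", "image": r"C:\Users\ivan\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "path": r"C:\Users\ivan\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"type": "file_read", "image": r"C:\Users\ivan\Downloads\invoice.scr",
     "path": r"C:\Users\ivan\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"type": "process_create", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'7z.exe a C:\Users\ivan\AppData\Local\Temp\t.7z "C:\Users\ivan\AppData\Roaming\Telegram Desktop\tdata"'},
    {"type": "file_read", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "path": r"C:\Users\ivan\Documents\contract.docx"},
]

if __name__ == "__main__":
    for image, reason in detect_tdata_theft(SAMPLE_EVENTS):
        print(image, "->", reason)
```

In production the read rule needs a file-access source (a SACL on the tdata directory with Windows object-access auditing, or an EDR that records reads), since process-creation telemetry alone only sees the archiver case. Also whitelist by full path and signer, not just by image name: a binary renamed to `Telegram.exe` would otherwise pass.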

The attackers exfiltrated the collected data by email, through a mail service under their control, using a command-line utility to send the messages.

Mipko Employee Monitor was then installed on the compromised system. It is legitimate employee-monitoring software, most often used by corporate security teams. The attackers, however, used it to intercept keystrokes and clipboard contents, take screenshots, and access the device's camera.

Cybercriminals continue to use legitimate tools in their attacks. This allows them to both bypass many defenses and remain undetected in the compromised infrastructure for a long time, virtually blending in. However, it is important to realize that developers and vendors of legitimate software are not liable for the improper and illegal use of their solutions.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

Phishing campaigns are one of the primary ways to compromise target systems. To protect against such attacks, we recommend using specialized solutions that block spam and malicious emails. One such solution is BI.ZONE CESP.

Furthermore, continuous IT infrastructure monitoring services, such as BI.ZONE TDR, can help to effectively respond to new threats. This will equip you to quickly recognize advanced attacks and neutralize threats without delay.

It is also crucial to improve employees’ cyber literacy. In particular, it is not recommended to use Telegram and other messengers for transmitting any materials related to trade secrets, personal data, and other sensitive information.