Scaly Wolf takes aim at Russia’s manufacturing and logistics enterprises

The cybercriminals target corporate data using White Snake, a stealer prohibited by its developer and vendor in Russia and other CIS countries
February 2, 2024

The Scaly Wolf group got on the radar in the early summer of 2023 and has since initiated at least 10 campaigns. The adversaries target corporate data, primarily at manufacturing and logistics companies in Russia. The latest attack was recorded in January 2024.

The attackers send out phishing emails disguised as documents of Russian public authorities. These include requirements and inquiries from Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), the Investigative Committee, and the Military Prosecutor’s Office, court orders, and other regulatory prescriptions. In some cases, malicious emails are masked as sales proposals.

Scaly Wolf is distinguished by its legal proficiency in drafting messages and fake documents, which appear highly convincing and credible. This prompts the victim to follow the instructions and open the encrypted (password-protected) archive in anticipation of harmless documents.

Instead, opening the archive launches a malicious program, the White Snake stealer, which gives the attackers parallel access to a number of corporate resources (e.g., a mail server and a CRM).
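The lure relies on an encrypted archive, which a mail gateway cannot open and scan. The following added example, which is not code from BI.ZONE or from the article, shows how a mail filter can still flag such attachments: it walks the ZIP local file headers and checks bit 0 of the general purpose bit flag, which PKWARE's APPNOTE defines as "file is encrypted". The sample e-mail, the archive bytes and the addresses are constructed here for the demonstration.

```python
import email
import struct
import zlib
from email import policy
from email.message import EmailMessage

# ZIP local file header (PKWARE APPNOTE): signature, version needed to extract,
# general purpose bit flag, compression method, mod time, mod date, CRC-32,
# compressed size, uncompressed size, file name length, extra field length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
LOCAL_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001  # bit 0 of the general purpose bit flag


def archive_entries(blob: bytes):
    """Yield (name, is_encrypted) for every local file header in a ZIP blob.

    Reads the local headers rather than the central directory, so a truncated
    or deliberately damaged archive is still inspected.
    """
    pos = 0
    while True:
        pos = blob.find(LOCAL_SIG, pos)
        if pos < 0 or pos + LOCAL_HEADER.size > len(blob):
            return
        (_sig, _ver, flags, _method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = LOCAL_HEADER.unpack_from(blob, pos)
        name_start = pos + LOCAL_HEADER.size
        name = blob[name_start:name_start + name_len].decode("utf-8", "replace")
        yield name, bool(flags & FLAG_ENCRYPTED)
        # Skip past name, extra field and file data to the next header.
        pos = name_start + name_len + extra_len + csize


def suspicious_attachments(raw_eml: bytes):
    """Return the file names of ZIP attachments containing encrypted entries."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        # Only inspect payloads that really start with a ZIP local header,
        # whatever the declared MIME type or file extension says.
        if not payload or not payload.startswith(LOCAL_SIG):
            continue
        if any(encrypted for _name, encrypted in archive_entries(payload)):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged


# --- constructed test data below: a one-entry stored ZIP inside an e-mail ---

def build_local_entry(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Build one stored (method 0) local file entry; constructed, not a full ZIP."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = LOCAL_HEADER.pack(LOCAL_SIG, 20, flags, 0, 0, 0, crc,
                               len(data), len(data), len(name), 0)
    return header + name + data


def build_sample_email(encrypted: bool) -> bytes:
    """Constructed message with a ZIP attachment (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "accounting@example.invalid"
    msg["Subject"] = "Constructed sample: regulatory request"
    msg.set_content("Please review the attached document.")
    archive = build_local_entry(b"request.docx", b"not a real document", encrypted)
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="request.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print("encrypted sample:", suspicious_attachments(build_sample_email(True)))
    print("plain sample:", suspicious_attachments(build_sample_email(False)))
```

A gateway that cannot inspect the contents of an archive has to decide on metadata alone; flagging the encrypted bit, combined with sender reputation and the regulatory-request theme of the lure, gives a reviewer something concrete to quarantine on.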

White Snake harvests authentication data from browsers, records keystrokes, copies files from infected computers, and establishes remote access. The stealer is integrated with a Telegram bot that keeps the adversaries updated on newly compromised devices.

White Snake immediately attracted cybercriminals as an easy-to-use and affordable tool (costing as little as 140 dollars per month). Besides, it has broad functionality; for instance, it can collect crypto wallet data. While the developer banned its use in Russia and other CIS countries, Scaly Wolf could bypass this restriction. The criminals disabled program termination on devices whose IP addresses are linked to the “prohibited” locations.
Oleg Skulkin, Head of BI.ZONE Threat Intelligence
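The stealer reports to its operators through a Telegram bot, and every Bot API request goes to the public endpoint https://api.telegram.org/bot<token>/<method> (the token is "<bot id>:<secret>"). The following added example, not code from BI.ZONE or from the article, runs that observation over constructed proxy log lines: it flags workstations that call data-pushing Bot API methods with a bot the organisation does not own. The log format, host names, bot ids and the allow-list are all assumptions made for the demonstration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Path shape of a Telegram Bot API call: /bot<bot id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Methods a stealer would use to push harvested data or screenshots to its operator.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Constructed: the organisation's own alerting bot, which is expected to call the API.
ALLOWED_BOT_IDS = {"987654321"}

# Constructed proxy log: timestamp, source host, HTTP method, URL, status code.
SAMPLE_LOG = """\
2024-01-15T09:12:01Z ws-fin-07 GET https://intranet.example.invalid/home 200
2024-01-15T09:13:44Z ws-fin-07 POST https://api.telegram.org/bot1234567890:AAEXAMPLE-token-REDACTED/sendMessage 200
2024-01-15T09:13:45Z ws-fin-07 POST https://api.telegram.org/bot1234567890:AAEXAMPLE-token-REDACTED/sendDocument 200
2024-01-15T09:15:02Z ws-mkt-02 GET https://web.telegram.org/a/ 200
2024-01-15T09:16:10Z chatops-01 POST https://api.telegram.org/bot987654321:ALLOWED-ops-bot/sendMessage 200
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, host, method, url, status = line.split()
    return {"ts": ts, "host": host, "method": method, "url": url, "status": int(status)}


def find_bot_api_use(log_text: str, allowed_bot_ids=ALLOWED_BOT_IDS) -> dict:
    """Map host -> {"bot_ids": set, "methods": Counter} for Bot API calls
    made with a bot that is not on the allow-list.

    The secret half of the token is deliberately not stored in the finding.
    """
    findings = defaultdict(lambda: {"bot_ids": set(), "methods": Counter()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        parts = urlsplit(rec["url"])
        # Ordinary Telegram web/desktop traffic uses other hosts; only the Bot API counts.
        if parts.hostname != "api.telegram.org":
            continue
        match = BOT_PATH.match(parts.path)
        if not match:
            continue
        bot_id, _secret, api_method = match.groups()
        if bot_id in allowed_bot_ids:
            continue
        entry = findings[rec["host"]]
        entry["bot_ids"].add(bot_id)
        entry["methods"][api_method] += 1
    return dict(findings)


def hosts_to_triage(log_text: str) -> list:
    """Hosts that pushed data through an unknown bot, ranked by number of such calls."""
    findings = find_bot_api_use(log_text)
    ranked = []
    for host, entry in findings.items():
        pushes = sum(n for method, n in entry["methods"].items() if method in EXFIL_METHODS)
        if pushes:
            ranked.append((host, pushes))
    return sorted(ranked, key=lambda item: -item[1])


if __name__ == "__main__":
    for host, pushes in hosts_to_triage(SAMPLE_LOG):
        print(f"{host}: {pushes} data-pushing Bot API call(s) via unknown bot")
```

Because the Bot API is also used legitimately by chat-ops tooling, the allow-list of known bot ids is what keeps the rule from firing on the organisation's own automation; a host outside that list calling sendDocument is worth an immediate look at the endpoint, since the stealer described above copies files and browser credentials before reporting in.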

Motivated financially, Scaly Wolf presumably demands a ransom in exchange for stolen data or sells the data on the darknet. The group seems to be relentless in its activity and hence is most likely to continue attacks on Russian enterprises in the long term. The criminals are expected to employ the same phishing scheme to spread the stealer.

According to our data, 68% of targeted attacks on companies begin with a phishing email. In 2023, manufacturing and logistics (favored by Scaly Wolf) were among the industries that encountered the largest number of potentially dangerous messages.

To protect your corporate mail server from phishing, we would recommend a service that intercepts unwanted messages—BI.ZONE CESP. The solution checks each email with 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This eliminates the problem of illegitimate emails without slowing down the delivery of secure messages.

You can explore the cyber threat landscape and prepare for potential attacks with BI.ZONE Threat Intelligence. The solution provides the latest information about attacks, threat actors, their methods and tools. With this intelligence, you can ensure the efficiency of security solutions, speed up incident response, and protect your organization against the most critical threats.