There are many threads on underground forums in which developers offer malware as a service. This model allows even the least skilled adversaries to incorporate the malware into their arsenal, without the need to develop their own.

In most cases, developers offer one of three types of malware: loaders, RATs, or stealers. In rare cases, a single tool combines the functionality of all three types at once.

With the malware-as-a-service model, attackers are able to target even large organizations and conduct post-exploitation, often by uploading additional components, such as payloads of popular frameworks.

The attackers also often use this malware to collect authentication data for a variety of purposes, one of which is to sell it. See the case of Leak Wolf,¹ which targeted authentication data with the RedLine stealer.
The underground forum community tends to prohibit the use of such malware for attacks in Russia and other CIS countries. However, buyers can modify it. As a result, attacks with the use of software purchased on underground forums are becoming commonplace. In addition, geopolitical events have an impact on underground forums: in some cases, sellers no longer impose any restrictions.
In this research, we will look at seven popular malware families that have already been weaponized against more than 100,000 companies. We will explain how these tools are sold in the dark segment of the Internet and will explore the tactics, techniques, and procedures of the adversaries.
Researchers from BI.ZONE Threat Intelligence report new attacks by the Core Werewolf group, which they are monitoring, aimed at dozens of domestic critical infrastructure facilities.
The attackers focused on enterprises in the defense and energy industries, as well as other critical infrastructure facilities. The group’s motivation is traditionally cyber espionage.
This time, the attackers sent letters with an attached UKAZ.PDF.ZIP archive, inside of which there was an executable file called “On the provision of information on approval and awards.exe,” which was essentially malware.
The executable file is a self-extracting archive that, when launched, displays the expected PDF or Microsoft Word document on the victim’s screen.
In the last identified campaign, it was a document with the text of an order from the deputy general director of a well-known industrial company.
At the same time, a legitimate UltraVNC tool was installed in the background, which allowed the attackers to gain full control over the compromised device.
Core Werewolf has been active since at least December 2021; its full history and TTPs are described in a separate article.