Cybersecurity experts have uncovered a series of attacks targeting organizations in Kazakhstan by a threat actor dubbed “Bloody Wolf.” The group utilizes STRRAT, an inexpensive but potent malware available on underground forums for as little as $80.
Since late 2023, researchers at BI.ZONE Threat Intelligence have been tracking Bloody Wolf’s activities. The attackers employ sophisticated phishing tactics, impersonating the Ministry of Finance of the Republic of Kazakhstan and other government agencies to distribute the STRRAT malware, also known as Strigoi Master.
“The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data,” BI.ZONE reported in their analysis.
The phishing emails contain PDF attachments masquerading as non-compliance notices. These PDFs include links to malicious Java archive (JAR) files and installation guides for Java interpreters – a crucial component for the malware’s operation.
To add legitimacy to the scheme, one link directs victims to a genuine government website encouraging Java installation for proper portal functionality. However, the malware itself is hosted on a fake government site (egov-kz[.]online) designed to mimic official Kazakhstan web properties.
Once installed, STRRAT establishes persistence through various methods, including scheduled tasks, registry modifications, and startup folder placement. The malware then connects to command and control servers hosted on Pastebin to exfiltrate sensitive data and await further instructions.
STRRAT’s Capabilities:
- Credential theft from popular browsers and email clients
- Keylogging
- Remote command execution
- File manipulation
- Screen and browser control
- Proxy installation
- Ransomware-like file encryption
“Using less common file types such as JAR enables the attackers to bypass defenses,” BI.ZONE noted. “Employing legitimate web services such as Pastebin to communicate with the compromised system makes it possible to evade network security solutions.”
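As an added example (not code from the BI.ZONE report or this article), the behaviours described above, a Java process launched from a downloaded JAR, persistence through a Run key, the Startup folder or a scheduled task, and outbound traffic to Pastebin raw pastes, expressed as simple detection rules run over constructed, hypothetical endpoint events; the event format, paths and paste ID are assumptions.

```python
import re

JAVA_IMAGE = re.compile(r"\\javaw?\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\|\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
PASTEBIN_RAW = re.compile(r"\bpastebin\.com(:\d+)?\s*/raw/", re.IGNORECASE)

# Constructed sample telemetry in a simplified "event_type|image|detail" form
# (illustrative only; nothing here is taken from the report).
SAMPLE_EVENTS = [
    "process|C:\\Program Files\\Java\\bin\\javaw.exe|javaw.exe -jar C:\\Users\\alice\\Downloads\\notice.jar",
    "registry|C:\\Program Files\\Java\\bin\\javaw.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\notice",
    "file|C:\\Program Files\\Java\\bin\\javaw.exe|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notice.jar",
    "process|C:\\Windows\\System32\\schtasks.exe|parent=C:\\Program Files\\Java\\bin\\javaw.exe args=/create /tn notice",
    "network|C:\\Program Files\\Java\\bin\\javaw.exe|pastebin.com:443 /raw/EXAMPLEID",
    "network|C:\\Program Files\\Mozilla Firefox\\firefox.exe|pastebin.com:443 /raw/EXAMPLEID",  # benign: browser
    "process|C:\\Program Files\\Java\\bin\\javaw.exe|javaw.exe -jar C:\\Program Files\\App\\app.jar",  # benign: installed app
]

def classify(event: str):
    """Return the name of the first matching rule for one event, or None."""
    kind, image, detail = event.split("|", 2)
    from_java = bool(JAVA_IMAGE.search(image))
    if kind == "process" and from_java and "-jar" in detail and USER_WRITABLE.search(detail):
        return "java_jar_from_user_dir"          # JAR executed from a user-writable location
    if kind == "registry" and from_java and RUN_KEY.search(detail):
        return "java_run_key_persistence"        # Java writing an autorun registry value
    if kind == "file" and from_java and STARTUP_DIR.search(detail):
        return "java_startup_folder_persistence" # Java dropping a file into the Startup folder
    if (kind == "process" and image.lower().endswith("\\schtasks.exe")
            and JAVA_IMAGE.search(detail.split(" args=")[0]) and "/create" in detail):
        return "java_spawned_schtasks"           # scheduled task created by a Java parent
    if kind == "network" and from_java and PASTEBIN_RAW.search(detail):
        return "java_pastebin_raw_c2"            # Java fetching a raw paste (C2 lookup)
    return None

def detect(events):
    """All (rule, event) pairs that fired, in event order."""
    return [(rule, ev) for ev in events if (rule := classify(ev))]

PERSISTENCE_RULES = {"java_run_key_persistence", "java_startup_folder_persistence", "java_spawned_schtasks"}

def strrat_like(events) -> bool:
    """Escalate only when Java both persisted itself and reached a Pastebin raw paste."""
    rules = {rule for rule, _ in detect(events)}
    return bool(rules & PERSISTENCE_RULES) and "java_pastebin_raw_c2" in rules
```

The individual rules are noisy on their own (developers run JARs from Downloads), so the correlation in `strrat_like` is what makes the verdict useful for triage.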
This campaign highlights the growing trend of cybercriminals leveraging low-cost, commercially available malware to conduct sophisticated attacks against government and corporate targets.
Indicators of compromise