The threat actor known as NoisyBear has launched a sophisticated cyber-espionage effort called Operation BarrelFire, using specially designed phishing lures that imitate internal correspondence to target Kazakhstan’s energy sector, particularly workers of the state oil and gas major KazMunaiGas.
Security researchers at Seqrite Labs first observed the campaign in April 2025 and noted its rapid escalation by May.
Spear-Phishing Lure Mimics HR Notices
NoisyBear’s initial attack vector relied on a compromised finance department email at KazMunaiGas.
On May 15, 2025, employees received messages with the urgent subject line “URGENT! Review the updated salary schedule.”
The email body instructed recipients—in both Russian and Kazakh—to download and extract a ZIP file named График.zip (“Schedule.zip”) and then open a shortcut file, График зарплат.lnk (“Salary Schedule.lnk”), purportedly linking to updated salary policies.
The message created urgency by imposing a compliance deadline and even referenced the IT Support team to enhance legitimacy.
Under the hood, the ZIP archive contained three items: a decoy document bearing the KazMunaiGas logo, a README.txt with user instructions, and the malicious .LNK shortcut.
Once executed, the shortcut used Windows’ own PowerShell binary to download a batch script from a remote server at 77.239.125.41:8443, placing it into the “C:\Users\Public” folder and launching it automatically.
Multi-Stage Infection Chain Unveiled
Researchers dissected the infection chain across four distinct stages:
1. Batch Script Deployment
The initial batch downloaders (123.bat and it.bat) fetched two PowerShell loader scripts—support.ps1 and a.ps1—from the attacker’s infrastructure.
Each script included a deliberate pause (10–11 seconds) before executing to evade sandbox environments.
2. AMSI Bypass and Loader Execution
The support.ps1 script leveraged .NET reflection to disable Windows’ Anti-Malware Scan Interface (AMSI) by flipping the internal amsiInitFailed flag, allowing subsequent payloads to load unchecked.
The second script dynamically resolved native Windows API functions for in-memory code execution, then injected Meterpreter reverse-shell shellcode into the explorer.exe process using CreateRemoteThread.
3. DLL Implant and Thread Hijacking
The final payload was a 64-bit DLL implant that enforced a single-instance mechanism via named semaphores and events.
It spawned a suspended rundll32.exe process, hijacked its thread context, allocated RWX memory, and injected a reverse shell payload before resuming execution.
4. Command-and-Control and Persistence
Once the reverse shell was established, NoisyBear’s operators could exfiltrate sensitive data—particularly employee credentials and internal documents—and potentially maintain long-term access to company networks.
Seqrite’s threat hunters uncovered that NoisyBear’s infrastructure was hosted on servers under the sanctioned Russian hosting provider Aeza Group LLC.
Further reconnaissance revealed additional malicious web applications masquerading as wellness and fitness sites, likely serving as alternate command-and-control hubs.
Analysis of the tools and techniques—extensive use of PowerShell, reflective DLL injection, thread-context hijacking, dynamic API resolution, and Russian-language comments in scripts—aligns NoisyBear with known Russian-speaking cyber-espionage groups.
Operational mistakes, such as reusing remote-hosting domains and shared shellcode stagers, strengthened the attribution.
Defense Recommendations and Technical Indicators
To guard against similar incursions, security teams should:
- Enforce strict email filtering and attachment sandboxing, particularly for archive files containing executables or shortcuts.
- Enable AMSI logging and block known LOLBIN (Living off the Land Binary) techniques.
- Monitor for anomalous PowerShell processes invoking System.Management.Automation.AmsiUtils or reflective code-loading patterns.
- Conduct regular threat hunting for named semaphores and events linked to unauthorized DLL injection.
Seqrite Labs also published extensive Indicators of Compromise (IOCs), including file hashes for the ZIP, LNK, batch, PowerShell, and DLL stages, as well as NoisyBear’s C2 domains and IPs.
With Central Asia’s energy sector increasingly under the microscope, organizations must remain vigilant and adopt layered defenses against highly customized, multi-stage intrusion efforts like Operation BarrelFire.
Indicators of Compromise (IoCs):
Network-Based
| Domains / IPs |
|---|
| 77[.]239[.]125[.]41 |
| wellfitplan[.]ru |
| 178[.]159[.]94[.]8 |
MITRE ATT&CK Mapping
| Tactic | Technique ID | Name |
|---|---|---|
| Reconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses |
| Initial Access | T1204.002 | User Execution: Malicious File |
| Initial Access | T1078.002 | Valid Accounts: Domain Accounts |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1059.00 | Command and Scripting Interpreter |
| Defense Evasion | T1562 | Impair Defenses |
| Defense Evasion | T1027.007 | Encrypted/Encoded File |
| Defense Evasion | T1027.013 | Dynamic API Resolution |
| Defense Evasion | T1055.003 | Thread Execution Hijacking |
| Defense Evasion | T1620 | Reflective Code Loading |
| Defense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32 |
| Command and Control | T1105 | Ingress Tool Transfer |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage |