Scaly Wolf Unleashing Attacks to Expose Organizations’ Hidden Secrets


The Scaly Wolf advanced persistent threat (APT) gang has once again targeted a Russian engineering company in a sophisticated targeted attack that was discovered by Doctor Web’s analysts. This shows that the group is determined to obtain corporate secrets.

This incident, occurring in mid-2025, echoes a similar assault in 2023, where the group employed modular backdoors to infiltrate networks.

The latest operation began in early May 2025 with a barrage of phishing emails masquerading as financial documents.

These emails contained deceptive PDF decoys and password-protected ZIP archives housing executables disguised as PDFs through double extensions like “Акт Сверки.pdf.exe.”

Figure: phishing email

Cyber Espionage Campaign

Upon execution, these files deployed Trojan.Updatar.1, a downloader designed to fetch subsequent malware components, including Trojan.Updatar.2 and Trojan.Updatar.3, forming the core of the Updatar modular backdoor.

This backdoor facilitates data exfiltration, system reconnaissance, and persistent access. One of its enhancements is RockYou Obfuscation, a technique that combines randomized XOR encoding with dictionary strings drawn from the RockYou.txt password list to evade static analysis.

Figure: RockYou dictionary

The attack chain unfolded across multiple endpoints, exploiting unprotected systems and lateral movement tactics.

On the initial victim machine, which lacked Dr.Web antivirus, Trojan.Updatar.1 installed the additional modules within an hour, after which Meterpreter from the Metasploit framework was deployed through BITS service tasks.

Attackers then utilized FileManager.exe for file theft, Tool.HandleKatz for LSASS process dumping to harvest credentials, and RDP Wrapper (Program.Rdpwrap.7) for remote access. Traffic tunneling tools like Tool.Chisel and Tool.Frp further masked their activities.

Lateral spread to a second device occurred on May 14, using stolen credentials for remote command execution, followed by manual installation of Updatar modules after antivirus blocked automated attempts. By June 3, Meterpreter was embedded, granting shell access.

Malware Arsenal in Scaly Wolf Operations

The third system’s compromise highlighted the attackers’ adaptability, starting with RDP credential abuse on June 23.

Initial Metasploit payloads, delivered as base64-encoded PowerShell scripts that contacted the address 77.105.161.30, were thwarted by Dr.Web detections such as DPC:BAT.Starter.613.

Undeterred, the group pivoted to RemCom (Program.RemoteAdmin.877), executing commands to disable Windows Defender via PowerShell cmdlets such as Set-MpPreference, used to add exclusions and deactivate real-time monitoring.

Queries against Dr.Web services (e.g., wmic service where "name='DrWebAVService'" get PathName) aimed to identify and neutralize protections, while BITS transfers attempted to deploy shellcode.exe (BackDoor.Shell.244) and installer.exe (Trojan.Updatar.1). Despite these efforts, antivirus interventions blocked the payloads.

Infrastructure analysis revealed multiple C2 domains, including roscosmosmeet[.]online for downloads, updating-services[.]com for Trojan.Updatar.3 communications, and others like adobe-updater[.]net.

Artifacts linked the malware to Scaly Wolf and were consistent with the group's prior campaigns, in which it eschewed Malware-as-a-Service in favor of custom tools and open-source utilities like Metasploit, alongside decoy applications that display fake security alerts to mislead users.

Additional unused samples, such as Trojan.Uploader.36875 for exfiltration and BackDoor.Siggen2.5423 for VNC control, underscore the group’s expanding arsenal.

This attack underscores the evolving threat landscape, where APT actors like Scaly Wolf blend phishing, credential theft, and post-exploitation tools to bypass defenses.

Organizations must prioritize comprehensive antivirus configurations, timely patching, and vigilant monitoring to mitigate such persistent intrusions, as default settings often prove insufficient against determined adversaries.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.