Researchers uncovered Armored Likho, a previously unknown APT also linked to Eagle Werewolf, running phishing campaigns against government and electric power targets in Russia, Brazil, and Kazakhstan. The group deploys BusySnake Stealer, an AI-assisted Python infostealer with browser credential theft, cookie theft, reverse SSH tunneling, and scheduled-task persistence, while Kaspersky detects and blocks the activity. #ArmoredLikho #EagleWerewolf #BusySnakeStealer #AquilaRAT #Go2Tunnel #RustDesk
Keypoints
- Armored Likho is a newly identified APT group, also associated with Eagle Werewolf based on circumstantial evidence.
- The campaign targets government agencies and the electric power sector, with confirmed activity in Russia, Brazil, and Kazakhstan.
- Initial access commonly relies on spear-phishing emails carrying malicious EXE, LNK, RAR, ZIP, or BAT-based payloads disguised as official notices or aid-related documents.
- The main payload is BusySnake Stealer, a Python-based infostealer protected with PyArmor and designed to evade static and dynamic analysis.
- The malware steals clipboard data, browser passwords, cookies, documents, screenshots, Telegram data, wallet files, and OTP-related secrets.
- BusySnake Stealer includes built-in reverse SSH tunneling and scheduled-task persistence, showing increasing operational maturity and tool integration.
- Kaspersky solutions detect the attack chain, including the LNK downloader stage and subsequent payload delivery from GitHub and attacker-controlled infrastructure.
MITRE Techniques
- [T1566.001] Spearphishing Attachment - The actors deliver malicious archives and files through targeted emails themed as government notices or social programs. ("attackers distributed malicious attachments inside archive files" / "uses spear-phishing emails")
- [T1204.002] User Execution: Malicious File - Victims are tricked into opening EXE, LNK, or archive-contained payloads that start the infection chain. ("when the victim opens the file" / "when the user runs the malicious LNK file")
- [T1218.011] System Binary Proxy Execution: Rundll32 - The LNK chain uses rundll32.exe to run an obfuscated command that launches PowerShell. ("the shortcut runs an obfuscated command via rundll32.exe")
- [T1059.001] Command and Scripting Interpreter: PowerShell - PowerShell is used to download and execute the loader. ("spawns a PowerShell command that downloads and executes the malicious loader")
- [T1059.005] Command and Scripting Interpreter: Visual Basic - VBScript files are created to delete the initial loader and launch the payload. ("creates two VBScript files" / "used to wipe the initial pnx.exe loader")
- [T1053.005] Scheduled Task/Job: Scheduled Task - Persistence is maintained by creating a scheduled task that runs the stealer every five minutes. ("used to ensure persistence on the system by creating a scheduled task")
- [T1055] Process Injection - The dropper injects code into pnx.exe process memory to execute the malicious loader. ("Code is then injected into the pnx.exe process memory")
- [T1027] Obfuscated Files or Information - The campaign heavily uses obfuscation, including hidden command lines, encrypted code, and protected payloads. ("obfuscated command" / "code is obfuscated and encrypted using PyArmor Pro")
- [T1105] Ingress Tool Transfer - The malware downloads multiple archives, Python components, browser modules, and payloads from GitHub and attacker infrastructure. ("fetches several archives hosted in GitHub repositories")
- [T1071.001] Application Layer Protocol: Web Protocols - The stealer communicates with its C2 using HTTP/HTTPS endpoints and web requests. ("GET /get_task" / "POST /report_status")
- [T1119] Automated Collection - The malware continuously inventories files, scans for keys, and harvests browser and clipboard data. ("enumerates files and directories" / "polls the clipboard contents in an infinite loop")
- [T1115] Clipboard Data - The stealer collects clipboard contents, including OTP secrets that pass through the clipboard. ("begins harvesting data from the system clipboard")
- [T1005] Data from Local System - Files, browser databases, Telegram data, and wallet files are collected from local storage. ("sweeps user directories" / "harvests Telegram session and credential data")
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers - The stealer decrypts saved passwords from Chromium-based browser databases (DPAPI-protected) and from Firefox profiles (NSS). LSASS is not touched, so T1003.001 does not apply. ("decrypts stored passwords from Chromium-based browser databases" / "PK11SDR_Decrypt")
- [T1539] Steal Web Session Cookie - Browser cookies are extracted from the same browser databases with the workflow used for saved passwords, giving the operators session access without credentials. ("extracts cookies using a workflow nearly identical to its browser credential theft routine")
- [T1041] Exfiltration Over C2 Channel - Stolen data is uploaded to the attacker-controlled C2 server. ("forwarded to the C2 server" / "exfiltrates it to the C2 server")
- [T1572] Protocol Tunneling - The malware opens a reverse SSH tunnel to attacker-controlled infrastructure, giving the operators interactive remote access to the host; SMB/admin shares (T1021.002) are not used. ("initiates a connection to a remote server controlled by the attackers")
- [T1106] Native API - Windows DPAPI and NSS functions are used to decrypt protected browser secrets. ("win32crypt.CryptUnprotectData()" / "PK11SDR_Decrypt()")
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion - Execution is paused before the malicious routines run, which outlasts short automated sandbox sessions; in addition the PyArmor-protected bytecode is decrypted only at the moment each function is called (T1140 Deobfuscate/Decode Files or Information), so a single memory dump captures only the functions active at that instant. ("pauses execution before triggering malicious routines" / "decrypts its bytecode only at the exact moment a function is called")
Indicators of Compromise
- [IP address] C2 and tunnel infrastructure - 159.198.41.140, 159.198.32.222, and 2 others
- [Domain] C2 and tunneling endpoints - grked[.]online, winupdate[.]live, and 5 others
- [File hash] First-stage and stealer samples - 5D5C3E483C5E544260CE98FC29FBF192, C7622A1EFFA27BBFEE6D6E03D6474343, and 17 others
- [File name] Malicious archives, droppers, and payloads - psihologicheskiy_test.exe, module.pyw, and 15 others
- [File name] Persistence and data files - wh_selfdelete.vbs, run.vbs, chromium_passwords.json, and 4 others
- [URL] C2 tasking and tunnel creation - https://grked[.]online/tunnel/create/?username=[redacted], http://127.0.0.1:8000/?data_type=c
- [Registry / path] Working and staging locations - Roaming\WindowsHelper\screenshots.lock, $appdata\WindowsHelper, and 3 others
Read more: https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/