An operation dubbed Bloody Wolf targets Kazakhstani organizations with phishing emails carrying malicious PDFs; links in the PDFs lead to JAR files that install the STRRAT Trojan. Once running, STRRAT gives the operator remote control of the infected host, collects system and browser data, and can encrypt user files with a .crimson extension, all while communicating with a command and control (C2) server.
Keypoints
- The phishing email contains a PDF attachment posing as a non-compliance notice.
- Links in the document redirect to a Java installation guide and malicious JAR files.
- The malware, STRRAT, is hosted on a phishing site mimicking the Kazakhstan government (egov-kz.online).
- STRRAT downloads dependencies, including keylogger libraries from GitHub.
- It sets up persistence (a scheduled task and registry entries) and connects to a command and control (C2) server.
- The malware collects system information and can execute commands from the C2 server.
- STRRAT can control browsers, intercept keystrokes, manage startup programs, and encrypt user files with a .crimson extension.
MITRE Techniques
- [T1566] Phishing – “Victims receive a phishing email with a PDF attachment posing as a non-compliance notice…”
- [T1204.002] User Execution: Malicious File – “Malicious JAR files are downloaded and executed.” (The JARs are launched by the user rather than through an exploit, so this is user execution, not T1203 Exploitation for Client Execution.)
- [T1053.005] Scheduled Task – “a scheduler task to run every 30 minutes”; [T1547] Boot or Logon Autostart Execution – “registry entries for persistence.”
- [T1071] Application Layer Protocol – “Establishes connection to a C2 server for remote control.”
- [T1082] System Information Discovery – “The malware collects information about the system, including the device name and supported languages.”
- [T1555.003] Credentials from Web Browsers – “Collects account data from browsers and email clients.”
- [T1486] Data Encrypted for Impact – “Encrypts user files and adds a .crimson extension.”
- [T1056.001] Keylogging – “Intercept keystrokes using the system-hook library.”
- [T1059] Command and Scripting Interpreter – “The malware can run Visual Basic, JavaScript, and WSF files with the command…” and related execution capabilities.
Indicators of Compromise
- [Domain] – egov-kz.online – phishing resource mimicking the Kazakhstan government
- [URL] – https://pastebin.com/raw/dFKy3ZDm:13570, https://pastebin.com/raw/dLzt4tRB:13569 – C2 access points
- [File] – 1CUpdaterKZ.jar – malicious payload copied to the user's AppData\Roaming directory
- [File] – [port]lock.file – file indicating the port for C2 communication (placed in the user directory)
- [Port] – 15270 – port used for C2 communications
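The indicators above are what a responder would sweep for in proxy logs and in user profiles. The script below is an added example for this page, not code from the report; it assumes a whitespace-separated proxy log layout of "timestamp source method url status", and the log lines and file paths it scans are constructed for illustration. The match on subdomains of egov-kz.online and the check of the lock-file number against port 15270 are editorial choices; the pastebin URLs are compared without the ":port" suffix the report attaches to them, since that suffix is STRRAT's configuration format and not part of the request on the wire.

```python
"""Hunt proxy logs and user-profile file listings for Bloody Wolf / STRRAT indicators.

Added example, not code from the report. Sample log lines and paths are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators as listed in the report.
PHISHING_DOMAIN = "egov-kz.online"
C2_CONFIG_URLS = (
    "https://pastebin.com/raw/dFKy3ZDm",
    "https://pastebin.com/raw/dLzt4tRB",
)
PAYLOAD_NAME = "1CUpdaterKZ.jar"
C2_PORT = 15270
# STRRAT drops "<port>lock.file" in the user directory; the number is the C2 port.
LOCK_FILE_RE = re.compile(r"^(\d{1,5})lock\.file$", re.IGNORECASE)

# Constructed proxy log (assumed layout: timestamp source method url status).
SAMPLE_PROXY_LOG = """\
2024-07-01T09:58:12Z 10.0.0.15 GET https://www.example.com/search?q=java 200
2024-07-01T10:02:33Z 10.0.0.15 GET https://egov-kz.online/notice/2024-0871.pdf 200
2024-07-01T10:02:40Z 10.0.0.15 GET https://cdn.egov-kz.online/files/1CUpdaterKZ.jar 200
2024-07-01T10:05:01Z 10.0.0.15 GET https://pastebin.com/raw/dFKy3ZDm 200
2024-07-01T10:05:02Z 10.0.0.22 GET https://pastebin.com/raw/unrelated 200
2024-07-01T10:06:00Z 10.0.0.22 GET https://www.example.com/news 200
"""

# Constructed file listing from one user profile (hypothetical user name).
SAMPLE_USER_FILES = [
    r"C:\Users\aigerim\AppData\Roaming\1CUpdaterKZ.jar",
    r"C:\Users\aigerim\15270lock.file",
    r"C:\Users\aigerim\Downloads\1CUpdaterKZ.jar",
    r"C:\Users\aigerim\AppData\Roaming\Microsoft\Windows\Recent\notice.lnk",
]


def _host_matches(host, domain):
    """True for the domain itself and any subdomain of it (editorial choice)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def hunt_proxy_log(lines):
    """Return one hit per log line whose URL touches a report indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the sweep
        ts, src, _method, url = parts[:4]
        u = urlsplit(url)
        base = f"{u.scheme}://{u.netloc}{u.path}"  # drop query and fragment
        indicator = None
        if _host_matches(u.hostname or "", PHISHING_DOMAIN):
            indicator = "phishing domain"
        elif base in C2_CONFIG_URLS:
            indicator = "C2 config paste"
        if indicator:
            hits.append({"time": ts, "src": src, "url": url, "indicator": indicator})
    return hits


def hunt_user_files(paths):
    """Flag the STRRAT payload name anywhere and "<port>lock.file" markers."""
    hits = []
    for path in paths:
        norm = path.replace("\\", "/")
        name = norm.rsplit("/", 1)[-1]
        if name.lower() == PAYLOAD_NAME.lower():
            hits.append({
                "path": path,
                "indicator": "STRRAT payload",
                # The report's persistence location is AppData\Roaming.
                "persisted": "/appdata/roaming/" in norm.lower(),
            })
            continue
        m = LOCK_FILE_RE.match(name)
        if m:
            port = int(m.group(1))
            hits.append({
                "path": path,
                "indicator": "STRRAT lock file",
                "port": port,
                "known_c2_port": port == C2_PORT,
            })
    return hits


def hunt(log_lines, paths):
    """Combine network and host sweeps into one result."""
    return {"network": hunt_proxy_log(log_lines), "host": hunt_user_files(paths)}


if __name__ == "__main__":
    result = hunt(SAMPLE_PROXY_LOG.splitlines(), SAMPLE_USER_FILES)
    for hit in result["network"] + result["host"]:
        print(hit)
```

On real data, feed hunt_proxy_log() the exported proxy or DNS log and hunt_user_files() a recursive listing of each profile under C:\Users; a lock file whose number differs from 15270 still deserves a look, since the port is operator-configurable.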