From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting  Russian Aerospace Organizations  

From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting  Russian Aerospace Organizations  
Seqrite reports a spear-phishing campaign impersonating the Russian research institute ФБУ “ВНИИР” to deliver a password-protected archive that stages AnyDesk, Blat, and Tray Minimizer for persistent remote access and data exfiltration. The tradecraft closely matches Rare Werewolf (Librarian Ghouls), with related infrastructure such as vniir-avia.space, mail.versio.nl, and attacker use of AnyDesk configuration theft. #RareWerewolf #LibrarianGhouls #AnyDesk #Blat #TrayMinimizer #VNIIR

Keypoints

  • The campaign begins with a spear-phishing email impersonating ФБУ “ВНИИР” and using a fresh lookalike domain, vniir-avia.space.
  • The email contains a password-protected RAR archive named “счет на оплату.rar” with the password included in the message body.
  • The extracted dropper opens a decoy PDF, creates temporary files, and downloads additional payloads from command-and-control infrastructure.
  • The malicious archive deploys portable AnyDesk, Blat, Tray Minimizer, and a batch script to continue the attack chain.
  • The script configures unattended AnyDesk access with a preset password, creates a scheduled task for persistence, and hides traces by deleting temporary artifacts.
  • AnyDesk configuration data is packed into AnyDesk.rar and exfiltrated over SMTP using Blat to attacker-controlled mail infrastructure.
  • The observed tradecraft aligns with Rare Werewolf (Librarian Ghouls), though the analysis did not observe cryptojacking in this sample.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Used a targeted email with a password-protected archive attachment to deliver the initial payload [‘The email contains a password-protected archive named счет на оплату.rar.’]
  • [T1204.002] User Execution: Malicious File – Relied on the recipient opening and executing the attached archive and extracted files [‘to open it and so scanners cannot inspect content’]
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Used .cmd and batch scripts to execute downloader, extraction, persistence, and cleanup actions [‘it also runs the batch file’, ‘xml_file.cmd is trying to connect to the C2’]
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The report’s MITRE mapping states PowerShell was used, indicating script-based execution was part of the campaign [‘Command and Scripting Interpreter: PowerShell’]
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Created a scheduled task named “Auto apdate” to run at user logon for persistence [‘Creates a scheduled task named “Auto apdate” that executes Trays.exe -tray at user logon’]
  • [T1547] Boot or Logon Autostart Execution – Achieved autostart by using a scheduled task that launches on logon [‘at user logon’]
  • [T1036] Masquerading – Impersonated a legitimate Russian institute and used lookalike domains to appear trusted [‘The phishing email impersonates a legitimate Russian research institute’, ‘freshly registered’]
  • [T1027] Obfuscated Files or Information – Used password-protected archives to prevent inspection by security tools [‘The password was placed in the email body so the victim can open it and so scanners cannot inspect content’]
  • [T1564.003] Hide Artifacts: Hidden Window – Used Tray Minimizer to conceal the AnyDesk interface and reduce visibility [‘additional utilities such as Tray Minimizer are used to reduce user visibility’, ‘conceal the remote access activity’]
  • [T1070.004] Indicator Removal on Host: File Deletion – Deleted temporary scripts, archives, executables, and PDFs to reduce forensic evidence [‘Deletes temporary command (.cmd), text (.txt), archive (.rar), executable (.exe), and PDF (*.pdf) files’]
  • [T1071.001] Application Layer Protocol: Web Protocols – Downloaded the malicious RAR file from C2 using web-based retrieval logic [‘connect to the C2 to download the malicious rar file’]
  • [T1219] Remote Access Software – Deployed and configured AnyDesk for unattended remote access [‘establish persistent remote access by silently configuring AnyDesk for unattended access’]
  • [T1560] Archive Collected Data – Packed AnyDesk configuration and related files into an archive before exfiltration [‘Creates archive AnyDesk.rar with password limpid2903392 containing configuration files’]
  • [T1005] Data from Local System – Collected AnyDesk service.conf and system.conf files from the infected host [‘These are the contents of AnyDesk’s service.conf and system.conf files’]
  • [T1020] Exfiltration Over Alternative Protocol: Exfiltration Over Email – Sent the archive out via SMTP using Blat [‘The archive is subsequently exfiltrated via SMTP using Blat’]

Indicators of Compromise

  • [SHA-256 hash ] malicious or related files – 47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4, 12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33, and 2 more hashes
  • [IP address ] infrastructure observed in the campaign – 198.54.120[.]13, 194.87.57[.]81, and 2.23.88[.]201
  • [Domain ] spoofing, staging, and exfiltration infrastructure – vniir-avia[.]space, fgub-vniir[.]space, aviatronika[.]online
  • [Domain ] additional related infrastructure – vniir-info[.]space, nova-stream[.]site
  • [Email address ] phishing and SMTP exfiltration accounts – [email protected], [email protected], and [email protected]
  • [File name ] malicious attachment, batch scripts, and archives – счет на оплату.rar, wctF522.bat, AnyDesk.rar
  • [Tool / executable ] abused legitimate utilities – blat.exe, Trays.exe, driver.exe
  • [Password ] archive and AnyDesk configuration passwords – dsa9568-4444, QWERTY1234566, and limpid2903392


Read more: https://www.seqrite.com/blog/from-invoice-to-anydesk-uncovering-a-phishing-campaign-targeting-russian-aerospace-organizations/