Scaly Wolf operated an infostealer campaign against Russian organizations by delivering the White Snake malware through phishing emails that used password-protected archives. The lures shifted from Roskomnadzor-themed messages to other agencies and prosecutors, with the payload often concealed inside archives and executable files. #ScalyWolf #WhiteSnake #Roskomnadzor #InvestigativeCommitteeRF #GeneralProsecutorRF
Key points
- June 2023 marks Scaly Wolf’s first activity targeting Russian organizations via Roskomnadzor-themed phishing, delivering a disguised infostealer inside a password-protected archive.
- July 2023 campaign impersonated the RF Investigative Committee, distributing password-protected ZIPs containing documents and an executable payload.
- August 2023 attackers continued using the RF Investigative Committee lure with password-protected archives containing documents and an executable.
- The September 1, 2023 wave shifted to commercial-offer phishing; some payloads were launched via a CMD script rather than a bare executable.
- October 2023 campaigns reused RF Investigative Committee themes with PDFs and executables attached in archives.
- November 2023 waves used court-order themes, again with archives containing executables; later in the month the RF Investigative Committee "demand" lure resumed, with accompanying documents.
- January 2024 the campaign returned to impersonating the Main Military Prosecutor’s Office, continuing password-protected archives and embedded executables.
MITRE Techniques
- [T1566.001] Phishing – The victim receives phishing emails with password-protected archives containing the White Snake payload. Quote: “the victim received a phishing email with an archive named ‘Требование Роскомнадзор № 02‑12143(пароль‑12121212).rar’ containing the following files.”
- [T1036] Masquerading – The second file was disguised as an attachment to harmless documents, but in fact was an infostealer. Quote: “the second file was disguised as an attachment to harmless documents, although in fact it was an infostealer.”
- [T1059.003] Command and Scripting Interpreter – Windows Command Shell used to run the payload via a CMD script. Quote: “C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa1872.39116\КП 12119- тех.док.cmd""”.
- [T1560.001] Archive Collected Data – Password-protected archives delivered with the payload and documents. Quote: “ПАРОЛЬ — 123123123.zip” (PASSWORD — 123123123.zip).
Indicators of Compromise
- [File name] context – example: “Требование РОСКОМНАДЗОР № 02‑odt” and “РОСКОМНАДЗОР.png” and 2 more items
- [Document] context – example: “Права и обязанности и процедура ст.164, 170, 183 УПК РФ.rtf” and “Запрос следователя (уклонение от уплаты налогов) — копия.pdf”
- [Executable] context – example: “Перечень юридических лиц и физических лиц в рамках уклонения, сумы уклонения.exe” and “Постановление о производстве выемки (электронная подпись).exe”
- [Archive] context – example: “Запрос ГСУ СК РФ Уклонение от налогов № 7711 от 18.07.2023 пароль 12121313.zip” and “Требование CK от 08.08.23 пароль — 123123123.zip”
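The delivery chain above has two detectable traits: the archive password is shipped inline in the file name (so it can be matched without opening the archive), and the CMD-script variant runs cmd.exe against a script sitting in WinRAR's Rar$ temporary extraction folder. The following is an added triage example, not code from the original report or from any vendor tooling. The file names are the ones listed in the indicators section; the process-creation command line is a constructed sample that mirrors the T1059.003 quote, and the detection thresholds (six-digit passwords, the extension sets) are assumptions for illustration.

```python
import re

# Password embedded in an archive name, e.g. "... пароль 12121313.zip" or
# "(пароль‑12121212).rar". Separator class covers hyphen, non-breaking
# hyphen, en/em dash and colon; six or more digits is an assumed threshold.
PASSWORD_IN_NAME = re.compile(
    r"(?:пароль|password|pass|pwd)\s*[-\u2011\u2013\u2014:]?\s*(\d{6,})",
    re.IGNORECASE,
)

# WinRAR extracts double-clicked members into %TEMP%\Rar$<tag><n>.<n>\ ;
# cmd.exe launching a .cmd/.bat from there is the execution step in the report.
RAR_TEMP_SCRIPT = re.compile(
    r"\\AppData\\Local\\Temp\\Rar\$[A-Za-z]+\d+\.\d+\\[^\"]+\.(?:cmd|bat)",
    re.IGNORECASE,
)

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif"}
SCRIPT_EXT = {".cmd", ".bat", ".vbs", ".js", ".ps1"}
DOCUMENT_EXT = {".pdf", ".rtf", ".doc", ".docx", ".odt", ".xls", ".xlsx"}


def extension(name):
    """Lower-cased final extension, or '' when the name has none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def password_in_archive_name(archive_name):
    """Return the password carried in the archive name, or None."""
    match = PASSWORD_IN_NAME.search(archive_name)
    return match.group(1) if match else None


def triage_archive(archive_name, members):
    """Flag the two traits of this campaign's archives: an inline password and
    an executable/script packaged next to decoy documents."""
    findings = []
    password = password_in_archive_name(archive_name)
    if password:
        findings.append(f"password shipped in archive name: {password}")
    payloads = [m for m in members if extension(m) in EXECUTABLE_EXT | SCRIPT_EXT]
    decoys = [m for m in members if extension(m) in DOCUMENT_EXT]
    if payloads and decoys:
        findings.append("executable packaged alongside decoy documents")
    for name in payloads:
        findings.append(f"document-styled executable: {name}")
    return findings


def cmd_runs_script_from_rar_temp(image, command_line):
    """True when cmd.exe executes a .cmd/.bat out of a Rar$ extraction folder."""
    if not image.lower().endswith("\\cmd.exe"):
        return False
    return RAR_TEMP_SCRIPT.search(command_line) is not None


# Constructed sample data: file names from the report's indicator list, plus a
# process-creation event built to match the quoted command line.
SAMPLE_ARCHIVE = "Запрос ГСУ СК РФ Уклонение от налогов № 7711 от 18.07.2023 пароль 12121313.zip"
SAMPLE_MEMBERS = [
    "Запрос следователя (уклонение от уплаты налогов) — копия.pdf",
    "Перечень юридических лиц и физических лиц в рамках уклонения, сумы уклонения.exe",
]
SAMPLE_IMAGE = r"C:\Windows\system32\cmd.exe"
SAMPLE_CMDLINE = (
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp'
    r'\Rar$DIa1872.39116\КП 12119- тех.док.cmd""'
)

if __name__ == "__main__":
    for line in triage_archive(SAMPLE_ARCHIVE, SAMPLE_MEMBERS):
        print("archive:", line)
    print("rar-temp cmd execution:",
          cmd_runs_script_from_rar_temp(SAMPLE_IMAGE, SAMPLE_CMDLINE))
```

The archive check works on mail-gateway metadata alone (attachment name and member listing), so it runs before any user supplies the password; the process check is meant for Sysmon event ID 1 or EDR process-creation telemetry, where Image and CommandLine are separate fields.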