Organizations in Kazakhstan are being targeted by a threat group dubbed Bloody Wolf, which is distributing a commodity Java-based remote access trojan known as STRRAT (also called Strigoi Master).
“The program, available for as little as $80 on underground forums, allows adversaries to take control of corporate computers and access restricted data,” stated cybersecurity vendor BI.ZONE in a new analysis.
The attacks begin with phishing emails that impersonate the Ministry of Finance of the Republic of Kazakhstan and other agencies, tricking recipients into opening PDF attachments. The PDFs masquerade as non-compliance notices and contain two links: one to a malicious Java archive (JAR) file, the other to a guide for installing the Java runtime that the malware needs in order to run at all.
To add legitimacy to the attack, the second link directs to a webpage associated with the government website, urging visitors to install Java to ensure the portal’s functionality.
The STRRAT payload, hosted on a website mimicking the Kazakhstan government portal (“egov-kz[.]online”), establishes persistence on the Windows host through a Registry modification that re-executes the JAR file every 30 minutes. As a second foothold, a copy of the JAR file is dropped into the Windows Startup folder so that it also launches automatically after a reboot.
Once active, the malware uses Pastebin as its command-and-control channel. It exfiltrates details about the compromised machine, including the operating system version, installed antivirus software, and saved account data from Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook, and Thunderbird. It can also receive further commands over the same channel to download and execute additional payloads, log keystrokes, run commands via cmd.exe or PowerShell, restart or shut down the system, install a proxy, and remove itself.
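The persistence and command-and-control traits described above translate directly into host-based hunting rules. The following Python is an added example written for this page, not code from BI.ZONE, The Hacker News, or STRRAT itself. It runs three rules over constructed Sysmon-style events (EventID 13 registry value set, EventID 11 file create, EventID 3 network connection; the field names follow Sysmon's schema, the values are made up): a Run key whose value launches a JAR, a JAR dropped into the Startup folder, and a Java process connecting to Pastebin. The assumption that the page's "Registry modification" is a Run/RunOnce key is mine; the 30-minute re-execution cadence is not covered here.

```python
"""Hunting rules for the STRRAT persistence and C2 traits described above.

Added example; events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Constructed Sysmon-style events. Indices 1, 3 and 4 are the STRRAT pattern;
# 0, 2 and 5 are benign look-alikes that the rules must not flag.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Skype",
     "Details": r"cmd /c start javaw.exe -jar C:\Users\user\AppData\Roaming\notice.jar"},
    {"EventID": 11, "TargetFilename": r"C:\Users\user\Downloads\tool.jar"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notice.jar"},
    {"EventID": 3, "Image": r"C:\Program Files\Java\jre1.8.0_391\bin\javaw.exe",
     "DestinationHostname": "pastebin.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "DestinationHostname": "repo1.maven.org", "DestinationPort": 443},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
JAR_LAUNCH_RE = re.compile(r"(javaw?\.exe.*-jar|\.jar\b)", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
JAVA_IMAGE_RE = re.compile(r"\\javaw?\.exe$", re.IGNORECASE)
PASTE_HOSTS = ("pastebin.com",)  # extend with other paste/dead-drop services as needed


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int
    detail: str


def check_run_key(ev):
    """Run/RunOnce value whose command launches a JAR (assumed form of the Registry persistence)."""
    if ev.get("EventID") != 13:
        return None
    if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    if not JAR_LAUNCH_RE.search(ev.get("Details", "")):
        return None
    return "jar_run_key_persistence"


def check_startup_jar(ev):
    """JAR written into the per-user or all-users Startup folder."""
    if ev.get("EventID") != 11:
        return None
    name = ev.get("TargetFilename", "")
    if name.lower().endswith(".jar") and STARTUP_DIR_RE.search(name):
        return "jar_in_startup_folder"
    return None


def check_java_to_paste_site(ev):
    """java.exe/javaw.exe talking to Pastebin (or a subdomain of it)."""
    if ev.get("EventID") != 3:
        return None
    if not JAVA_IMAGE_RE.search(ev.get("Image", "")):
        return None
    host = ev.get("DestinationHostname", "").lower()
    if any(host == h or host.endswith("." + h) for h in PASTE_HOSTS):
        return "java_to_pastebin"
    return None


RULES = (check_run_key, check_startup_jar, check_java_to_paste_site)


def hunt(events):
    """Apply every rule to every event; return one Finding per rule hit."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                detail = ev.get("Details") or ev.get("TargetFilename") or ev.get("DestinationHostname") or ""
                findings.append(Finding(name, idx, detail))
    return findings


def correlate(findings, min_rules=2):
    """A single Java-to-Pastebin hit may be a developer; two or more distinct rules firing
    on one host is the STRRAT pattern and worth an alert."""
    return len({f.rule for f in findings}) >= min_rules


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.rule}] event #{f.event_index}: {f.detail}")
    print("correlated STRRAT pattern:", correlate(hits))
```

Each rule deliberately keys on behaviour rather than on the filename or the particular host in this campaign, so a renamed JAR or a different paste service (add it to PASTE_HOSTS) still fires; the benign OneDrive Run key, a JAR in Downloads, and Java fetching from a Maven repository are included to show that none of them trip the rules on their own.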
“Using less common file types such as JAR enables attackers to bypass defenses,” BI.ZONE noted. “Employing legitimate web services like Pastebin to communicate with the compromised system helps evade network security solutions.”