Organizations in Kazakhstan are being targeted by a threat activity cluster tracked as Bloody Wolf that delivers a commodity malware called STRRAT (aka Strigoi Master).
“The program, which sells for as little as $80 underground, allows adversaries to take control of a company’s computers and hijack restricted data,” cybersecurity vendor BI.ZONE said in a new analysis.
The cyberattacks use phishing emails as an initial access vector, impersonating the Ministry of Finance of the Republic of Kazakhstan and other organizations in an attempt to trick recipients into opening PDF attachments.
The file disguises itself as a non-compliance notice and contains a link to a malicious Java Archive (JAR) file along with installation instructions for the Java interpreter required for the malware to function.
To lend legitimacy to the attack, the second link points to a webpage related to the country’s government website, urging visitors to install Java to ensure the portal works.
Hosted on a website mimicking the Kazakhstan government website (“egov-kz(.)online”), the STRRAT malware establishes persistence on the Windows host through registry modifications and executes a JAR file every 30 minutes.
Additionally, a copy of the JAR file is placed in the Windows startup folder so that it runs automatically after a system reboot.
It then establishes a connection with a Pastebin server and steals sensitive information from the compromised machine, including details about the operating system version, installed antivirus software, and account data for Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook and Thunderbird.
It is also designed to receive additional commands from the server to download and execute more payloads, log keystrokes, execute commands using cmd.exe or PowerShell, reboot or shut down the system, install a proxy or remove itself.
“Using less common file formats such as JAR allows attackers to evade defenses,” BI.ZONE states. “Using legitimate web services such as Pastebin to communicate with compromised systems allows them to evade network security solutions.”
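The persistence and command-and-control behaviour described above (a JAR referenced from the registry Run keys and the Startup folder, a JAR launched on a short repeating schedule, and a Java process talking to Pastebin) maps directly onto a small set of host and proxy checks. The script below is an added triage example written for this article; it is not code from BI.ZONE or from the reporting. All sample entries are constructed to resemble the described artifacts, the field layouts (Run-key tuples, task dicts, four-column proxy lines) are assumptions about how such data would be exported, and the scheduled-task check is one assumed way the 30-minute execution could be implemented on a given host.

```python
"""Triage helpers for STRRAT-style persistence and C2 artifacts.

Added example for the article above, not BI.ZONE's or the reporting's code.
All input data is constructed; the export layouts are assumptions.
"""
import re
from dataclasses import dataclass

JAVA_LAUNCHERS = ("java.exe", "javaw.exe")
PASTE_HOSTS = ("pastebin.com",)


@dataclass(frozen=True)
class Finding:
    source: str   # where the artifact was found
    detail: str   # the raw entry
    reason: str   # why it was flagged


def mentions_jar(text: str) -> bool:
    """True if a command line or path references a Java archive."""
    return ".jar" in text.lower()


def check_run_keys(entries):
    """entries: (key path, value name, data) tuples exported from Run keys (assumed layout)."""
    return [
        Finding("registry", f"{key}\\{name} = {data}", "Run key launches a JAR")
        for key, name, data in entries
        if "\\run" in key.lower() and mentions_jar(data)
    ]


def check_startup_folder(filenames):
    """filenames: entries in a user's or the common Startup folder."""
    return [
        Finding("startup_folder", f, "JAR placed in Startup folder")
        for f in filenames if f.lower().endswith(".jar")
    ]


def check_scheduled_tasks(tasks, max_interval_minutes=60):
    """tasks: dicts with 'name', 'action', 'repeat_minutes' (assumed export layout).
    Flags JAR actions and notes short repeat intervals like the 30-minute cadence."""
    out = []
    for t in tasks:
        if not mentions_jar(t["action"]):
            continue
        reason = "Scheduled task launches a JAR"
        if t.get("repeat_minutes") and t["repeat_minutes"] <= max_interval_minutes:
            reason += f" every {t['repeat_minutes']} min"
        out.append(Finding("scheduled_task", f"{t['name']}: {t['action']}", reason))
    return out


# Constructed proxy log format: "timestamp host process url"
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<url>\S+)$")


def check_proxy_log(lines):
    """Flags a Java process contacting a paste service, the C2 pattern described above."""
    out = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the hunt
        proc, url = m["proc"].lower(), m["url"].lower()
        if any(proc.endswith(j) for j in JAVA_LAUNCHERS) and any(h in url for h in PASTE_HOSTS):
            out.append(Finding("proxy", line.strip(), "Java process contacting paste service"))
    return out


def hunt(run_keys, startup, tasks, proxy_lines):
    """Run every check and return all findings in one list."""
    return (check_run_keys(run_keys) + check_startup_folder(startup)
            + check_scheduled_tasks(tasks) + check_proxy_log(proxy_lines))


# --- constructed sample data (not real indicators) ---
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_KEYS = [
    (RUN, "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (RUN, "ntfsmgr", r"C:\Users\u\AppData\Roaming\notice.jar"),
]
SAMPLE_STARTUP = ["desktop.ini", "notice.jar"]
SAMPLE_TASKS = [
    {"name": "GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua", "repeat_minutes": 60},
    {"name": "Skype",
     "action": r"javaw.exe -jar C:\Users\u\AppData\Roaming\notice.jar", "repeat_minutes": 30},
]
SAMPLE_PROXY = [
    "2024-08-01T09:00:01Z WS01 chrome.exe https://www.example.com/",
    "2024-08-01T09:00:07Z WS01 javaw.exe https://pastebin.com/raw/EXAMPLE",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RUN_KEYS, SAMPLE_STARTUP, SAMPLE_TASKS, SAMPLE_PROXY):
        print(f"[{f.source}] {f.reason}: {f.detail}")
```

JAR files in Run keys or the Startup folder are rare enough on managed Windows fleets that every hit is worth a look, and the proxy check is deliberately narrow: it alerts only when the client process is the Java launcher, so ordinary browser visits to Pastebin do not generate noise.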