Organizations in Kazakhstan are the target of a threat activity cluster dubbed Bloody Wolf that delivers a commodity malware called STRRAT (aka Strigoi Master).
“The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data,” cybersecurity vendor BI.ZONE said in a new analysis.
The cyber attacks employ phishing emails as an initial access vector, impersonating the Ministry of Finance of the Republic of Kazakhstan and other agencies to trick recipients into opening PDF attachments.
The file purports to be a non-compliance notice and contains links to a malicious Java archive (JAR) file as well as an installation guide for the Java interpreter necessary for the malware to function.
In an attempt to lend legitimacy to the attack, the second link points to a web page associated with the country’s government website that urges visitors to install Java in order to ensure that the portal is operational.
The STRRAT malware, hosted on a website that mimics the website of the Kazakhstan government (“egov-kz[.]online”), sets up persistence on the Windows host by means of a Registry modification and runs the JAR file every 30 minutes.
What’s more, a copy of the JAR file is copied to the Windows startup folder to ensure that it automatically launches after a system reboot.
Subsequently, it establishes connections with a Pastebin server to exfiltrate sensitive information from the compromised machine, including details about operating system version and antivirus software installed, and account data from Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook, and Thunderbird.
It’s also designed to receive additional commands from the server to download and execute more payloads, log keystrokes, run commands using cmd.exe or PowerShell, restart or shut down the system, install a proxy, and remove itself.
“Using less common file types such as JAR enables the attackers to bypass defenses,” BI.ZONE said. “Employing legitimate web services such as Pastebin to communicate with the compromised system makes it possible to evade network security solutions.”