Targeted Cyber Attacks: Paper Werewolf’s PowerModul Implant Hits Russian Entities

Listen to this Post

In the ever-evolving world of cyber threats, the Paper Werewolf group, also known as GOFFEE, has continued its aggressive campaign against Russian organizations. Recent findings by cybersecurity giant Kaspersky reveal a fresh wave of activity attributed to this group, who have deployed a sophisticated new implant, PowerModul. The attacks, which took place between July and December 2024, have targeted sectors such as mass media, telecommunications, construction, government, and energy in Russia.

Paper Werewolf’s activities have been tracked back to at least 2022, with the group mounting several successful campaigns against various Russian industries. The group’s tactics go beyond espionage, utilizing not only malware but also disruptive techniques such as password alteration on employee accounts. The latest attacks demonstrate a clear shift towards increasingly sophisticated and elaborate methods of infiltration, with PowerModul at the center of these campaigns.

the Attacks and Malware Techniques

The initial vector for Paper Werewolf’s attacks typically involves phishing emails, which carry macro-laden documents. Once opened and macros are enabled, these documents deliver a PowerShell-based remote access trojan (RAT), known as PowerRAT. This trojan is designed to deploy additional payloads, including versions of the Mythic framework agent, PowerTaskel and QwakMyAgent. Another tool in their arsenal is a malicious IIS module called Owowa, which allows attackers to retrieve Microsoft Outlook credentials from web clients.

The most recent attack chains, as detailed by Kaspersky, involve a malicious RAR archive containing an executable disguised as a PDF or Word document. Once the executable is launched, a decoy file appears on the user’s screen, while in the background, the malware progresses to the next stage of the infection. The malware in these attacks is particularly sophisticated—Windows system files such as explorer.exe or xpsrchvw.exe are patched with malicious shellcode, which is often linked to Mythic agents communicating with command-and-control (C2) servers.

Another, more complex attack technique involves the use of a Microsoft Office document with a malicious macro acting as a dropper for PowerModul, which can execute additional scripts received from the C2 server. The implants delivered via PowerModul have been varied, including tools like FlashFileGrabber, designed to steal files from removable media, and USB Worm, which infects USB drives with copies of PowerModul.

One of the most alarming aspects of these attacks is the use of tools that can escalate privileges on infected systems. PowerTaskel, for example, can send check-in messages back to the C2 server, gather information about the targeted environment, and execute commands remotely. PowerTaskel’s functionality has been extended to include a component for gathering files over network protocols, such as SMB, allowing attackers to harvest more sensitive information from compromised systems.

What Undercode Say:

Paper Werewolf’s evolving tactics highlight an increasingly sophisticated level of cyber warfare targeting Russian industries. The group’s reliance on tools like PowerModul and PowerTaskel signals a shift towards more persistent and stealthy forms of attack, capable of executing multi-stage operations and facilitating the exfiltration of valuable data over extended periods. This is not merely a case of espionage—it’s a calculated attempt to disrupt operations, compromise sensitive data, and potentially weaken critical sectors of the Russian economy.

The group’s move away from PowerTaskel and its adoption of more advanced Mythic agents demonstrates a constant push towards avoiding detection. The use of shellcode to infect system files like explorer.exe is a particularly concerning development, as it enables attackers to bypass traditional detection methods, thus increasing the likelihood of successful intrusions. These increasingly sophisticated techniques are part of a broader trend in cybercriminal and state-sponsored hacking operations, where precision, stealth, and persistence are paramount.

Furthermore, the integration of USB-based malware such as FlashFileGrabber and USB Worm emphasizes the need for organizations to consider all potential vectors for malware delivery. While email phishing remains a primary attack method, attackers are now exploiting other vectors, such as USB drives, to compromise systems in an offline manner, making detection and remediation more difficult.

The focus on Russian organizations is notable and could suggest a broader geopolitical agenda behind these attacks. By targeting key sectors such as energy, telecommunications, and government, Paper Werewolf could be attempting to destabilize critical infrastructure, which could have far-reaching consequences beyond mere data theft.

Fact Checker Results:

1.

2. Historical Attack Trends: Paper

  1. Targeting of Critical Sectors: The attacks focus on high-value sectors in Russia, consistent with the group’s historical targets, making it clear that the aim is to disrupt essential services and infrastructure.

References:

Reported By: thehackernews.com
Extra Source Hub:
https://www.medium.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image