An emerging, unsophisticated threat actor is spreading various types of malware through a phishing campaign that uses accounting reports as lures and relies on readily available malicious and legitimate software for its success.
According to researchers at digital risk management firm Bi.Zone, the active phishing campaign of an actor tracked as Fluffy Wolf demonstrates how even largely inexperienced threat actors can exploit malware-as-a-service (MaaS) models to conduct successful cyber attacks. The campaign is currently aimed at Russian organizations, but could expand to other regions.
“Though mediocre in terms of technical expertise, these threat actors achieve their goals using only two sets of tools: legitimate remote access services and inexpensive malware,” according to separate posts published on the company’s website and its Medium blog account.
To gain initial access to the targeted infrastructure, Fluffy Wolf, active since 2022, impersonates a construction company and sends phishing emails with attachments disguised as reconciliation reports, i.e. reports used to check that different sets of accounting records agree. The password-protected files hide a variety of malicious payloads; the main one is Meta Stealer, a clone of the popular RedLine Stealer.
Fluffy Wolf also spreads a variety of other tools, including the legitimate remote access software Remote Utilities, as well as WarZone RAT and the XMRig cryptocurrency miner.
The group has so far carried out at least 140 attacks against companies in Russia, where phishing remains one of the most popular means of initial entry into corporate environments, the researchers found.
“Phishing was the weapon of choice for 68% of all targeted attacks against Russian organizations last year,” according to Bi.Zone. Additionally, at least 5% of employees of Russian companies open malicious attachments and click on links in phishing emails, making it easy to conduct a malicious campaign at scale, according to the company.
Meta Stealer malware
Once a business user opens the decoy document, included in emails titled “Reports to Sign,” the file launches several processes. One of these starts the Remote Utilities loader, which delivers a copy of Meta Stealer from an attacker-controlled command and control (C2) server.
The use of these two tools is crucial to the campaign, as both are easily available to threat actors. Remote Utilities is a legitimate remote access tool, and Meta Stealer can be purchased on underground forums and Telegram channels for as little as $150 per month.
Remote Utilities allows the threat actor to gain complete control over a compromised device to track user actions, transfer files, execute commands, and interact with the task scheduler, among other tasks. “Threat actors continue to experiment with legitimate remote access software to enrich their arsenal with new tools,” according to Bi.Zone.
Meanwhile, Meta Stealer steals sensitive data from infected devices, including user credentials and cookies from Chromium-based browsers and Firefox, as well as data from the free FTP client FileZilla, cryptocurrency wallets, and VPN clients. It then sends the data to the attacker’s C2 server.
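The three stages just described, a mailed payload starting the remote access tool, that tool calling out to the C2 server, and the stealer reading browser and FTP credential stores, are behaviours a defender can correlate in endpoint telemetry. The following Python script is an added example and is not Bi.Zone’s code or anything taken from the campaign write-up; the event schema, the Remote Utilities binary names (rutserv.exe, rfusclient.exe), file paths, IP addresses and the approved-destination list are constructed assumptions for illustration.

```python
"""Correlate the Fluffy Wolf style infection chain in constructed endpoint telemetry.

Events are JSON lines with a Sysmon/EDR-like shape (assumed schema, not any
vendor's): process creation, outbound network connection and file read.
"""
import json
import re
from collections import defaultdict

# Remote Utilities is the legitimate tool named in the article; these binary
# names are an assumption for the example.
REMOTE_ACCESS_TOOLS = {"rutserv.exe", "rfusclient.exe"}
# Credential stores a stealer reads: Chromium (Login Data, Cookies),
# Firefox (logins.json, cookies.sqlite), FileZilla (recentservers.xml, sitemanager.xml).
CREDENTIAL_STORES = {"login data", "cookies", "logins.json", "cookies.sqlite",
                     "recentservers.xml", "sitemanager.xml"}
# Processes that legitimately own those files.
STORE_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "filezilla.exe"}
# Paths where a payload extracted from a mailed archive would typically land.
USER_WRITABLE = re.compile(r"\\appdata\\local\\temp\\|\\rar\$|\\downloads\\", re.I)
# Constructed: the organisation's own remote-support relay (assumption).
APPROVED_DESTS = {"198.51.100.5"}


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event_lines):
    """Return (host, rule, detail) findings for the three stages of the chain."""
    procs = {}  # (host, pid) -> {"image": ..., "ppid": ...}
    findings = []

    def lineage(host, pid):
        """Image basenames of a process and its recorded ancestors."""
        images, seen = [], set()
        while (host, pid) in procs and pid not in seen:
            seen.add(pid)
            images.append(basename(procs[(host, pid)]["image"]))
            pid = procs[(host, pid)]["ppid"]
        return images

    for line in event_lines:
        ev = json.loads(line)
        host, pid = ev["host"], ev["pid"]
        if ev["type"] == "process":
            procs[(host, pid)] = {"image": ev["image"], "ppid": ev["ppid"]}
            parent = procs.get((host, ev["ppid"]))
            # Stage 1: a payload run from a temp/extraction path starts the remote access tool.
            if (parent and basename(ev["image"]) in REMOTE_ACCESS_TOOLS
                    and USER_WRITABLE.search(parent["image"])):
                findings.append((host, "rat_from_user_writable_parent", parent["image"]))
        elif ev["type"] == "network":
            # Stage 2: the tool (or something it spawned) calls out to an unapproved destination.
            if (REMOTE_ACCESS_TOOLS & set(lineage(host, pid))
                    and ev["dest"] not in APPROVED_DESTS):
                findings.append((host, "rat_lineage_unapproved_outbound",
                                 f"{ev['dest']}:{ev['port']}"))
        elif ev["type"] == "file_read":
            # Stage 3: a process that is not the owning application reads a credential store.
            proc = procs.get((host, pid))
            if (basename(ev["path"]) in CREDENTIAL_STORES
                    and (proc is None or basename(proc["image"]) not in STORE_OWNERS)):
                findings.append((host, "credential_store_read_by_foreign_process", ev["path"]))
    return findings


def hosts_by_rule(findings):
    """Group findings so each host maps to the sorted list of rules it tripped."""
    out = defaultdict(set)
    for host, rule, _ in findings:
        out[host].add(rule)
    return {h: sorted(r) for h, r in out.items()}


# Constructed telemetry: WS01 shows the full chain, WS02 is a legitimate install.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "pid": 100, "ppid": 10,
     "image": r"C:\Users\a\AppData\Local\Temp\Rar$DIa0\Reconciliation_report.exe"},
    {"type": "process", "host": "WS01", "pid": 101, "ppid": 100,
     "image": r"C:\Users\a\AppData\Roaming\RemoteUtilities\rutserv.exe"},
    {"type": "network", "host": "WS01", "pid": 101, "dest": "203.0.113.10", "port": 443},
    {"type": "process", "host": "WS01", "pid": 102, "ppid": 101,
     "image": r"C:\Users\a\AppData\Roaming\upd.exe"},
    {"type": "file_read", "host": "WS01", "pid": 102,
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "host": "WS01", "pid": 102,
     "path": r"C:\Users\a\AppData\Roaming\FileZilla\recentservers.xml"},
    {"type": "process", "host": "WS02", "pid": 5, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "host": "WS02", "pid": 200, "ppid": 5,
     "image": r"C:\Program Files\Remote Utilities - Host\rutserv.exe"},
    {"type": "network", "host": "WS02", "pid": 200, "dest": "198.51.100.5", "port": 443},
    {"type": "process", "host": "WS02", "pid": 201, "ppid": 5,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "file_read", "host": "WS02", "pid": 201,
     "path": r"C:\Users\b\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for host, rules in hosts_by_rule(detect(SAMPLE_LINES)).items():
        print(host, rules)
```

Only WS01 is reported, with all three rules; WS02, where the same tool is started by the user from Program Files and talks only to the approved relay, produces nothing. In practice the stage-1 and stage-3 rules carry most of the signal on their own, because a legitimate Remote Utilities deployment is rarely launched by an executable sitting in a temp or archive-extraction directory, and nothing but the browser or FTP client should be opening their credential files.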
Cyber defenses against Fluffy Wolf
The Fluffy Wolf campaign demonstrates that it is easier than ever for threat actors to attack systems using MaaS and other readily available software tools, so it is important for organizations to use a variety of security solutions to protect themselves, according to Bi.Zone.
As phishing remains a primary entry point for attackers, organizations should use managed email security services that block connections to the threat actor’s C2 server even if a business user clicks on a malicious link or opens a malicious attachment.
Employing a threat intelligence platform within the organization to maintain constant awareness of evolving malicious campaigns can also help mitigate risk.
“To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and understand the threat landscape,” according to Bi.Zone.
To this end, Bi.Zone has included a list of indicators of compromise (IoCs) and a MITRE ATT&CK mapping for the Fluffy Wolf phishing vector in its Medium blog post.