Ethical Hacking News

New PowerModul Implant Deployed by Paper Werewolf Threat Actor: A Comprehensive Analysis



Paper Werewolf, a notorious threat actor known for its sophisticated tactics and techniques, has been linked to a recent series of targeted cyberattacks against Russian entities. A new report from Kaspersky reveals the attack chain used by Paper Werewolf, including phishing emails, PowerShell-based remote access trojans, and custom-made malware payloads. To stay ahead of this threat actor's attacks, organizations must remain vigilant and proactive in their cybersecurity posture.

  • The Paper Werewolf threat actor, also known as GOFFEE, was identified as the perpetrator behind a series of targeted cyberattacks against Russian entities.
  • The attacks used phishing emails, PowerShell-based remote access trojans, and custom-made malware payloads to gain unauthorized access to sensitive information.
  • The primary goal of Paper Werewolf was to steal credentials, files, and other valuable data from targeted organizations in various sectors.
  • The attack chain began with a malicious RAR archive attachment containing an executable that masqueraded as a PDF or Word document.
  • The shellcode contained an obfuscated Mythic agent that communicated with the command-and-control server, allowing Paper Werewolf to deploy and execute PowerShell scripts.
  • PowerModul, a PowerShell script, was used to deploy various malware payloads, including FlashFileGrabber for stealing files from removable media.
  • The threat actor's use of custom-made malware payloads and PowerShell-based remote access trojans demonstrates their advanced level of sophistication.



The threat actor known as Paper Werewolf, also referred to as GOFFEE, has been identified as the perpetrator behind a recent series of targeted cyberattacks against Russian entities. In a new report published by Kaspersky, the threat actor's tactics and techniques have been thoroughly analyzed, revealing a sophisticated attack chain that utilizes a combination of phishing emails, PowerShell-based remote access trojans, and custom-made malware payloads.

The attacks, which took place between July and December 2024, targeted organizations in the mass media, telecommunications, construction, government entities, and energy sectors. The threat actor's primary goal was to gain unauthorized access to sensitive information, including credentials, files, and other valuable data. To achieve this objective, Paper Werewolf employed a range of tactics, including distributing malware for espionage purposes, changing passwords belonging to employee accounts, and using phishing emails as the initial vector.

The attack chain initiated by Paper Werewolf began with a malicious RAR archive attachment containing an executable that masqueraded as a PDF or Word document. When launched, the decoy file was downloaded from a remote server and shown to the user, while the infection proceeded to the next stage in the background. The file itself was a Windows system file (explorer.exe or xpsrchvw.exe) with part of its code patched with a malicious shellcode.

The shellcode contained an obfuscated Mythic agent, which immediately began communicating with the command-and-control (C2) server. This payload delivery mechanism allowed Paper Werewolf to deploy and execute PowerModul, a PowerShell script capable of receiving and executing additional PowerShell scripts from the C2 server.

One of the key payloads deployed by PowerModul was FlashFileGrabber, a tool used to steal files from removable media, such as flash drives, and exfiltrate them to the C2 server. Another variant, FlashFileGrabberOffline, searched for specific file extensions on removable media and copied them to the local disk within a designated folder.

Furthermore, PowerModul was also found to be capable of infecting removable media with a copy of itself, using the USB Worm payload. This allowed Paper Werewolf to create a self-sustaining infection vector, making it increasingly difficult for affected organizations to detect and mitigate the attack.
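As an added defender-side example (not code from Kaspersky's report or from this site), the following Python triage script checks an extracted attachment folder or a mounted removable drive for the indicators described above: a PE file carrying a document extension, a copy of explorer.exe or xpsrchvw.exe sitting outside the system directory, and PowerShell scripts left on the scanned media. The document-extension list and the build_sample() helper are assumptions constructed for the demo.

```python
import os
import tempfile

# Document extensions a decoy is likely to imitate (assumption for the demo).
DOC_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".xls", ".xlsx"}
# Binaries the report says were patched; their presence outside %SystemRoot%
# (an extracted archive, a USB drive) is worth an alert on its own.
PATCHED_SYSTEM_NAMES = {"explorer.exe", "xpsrchvw.exe"}

def classify(path):
    """Return the list of reasons a file is suspicious (empty if none)."""
    name = os.path.basename(path).lower()
    with open(path, "rb") as fh:
        is_pe = fh.read(2) == b"MZ"          # DOS header magic of a PE file
    reasons = []
    # Any document extension in the name of a PE flags both "invoice.docx"
    # (wrong content for the type) and "report.pdf.exe" (double extension).
    if is_pe and any("." + p in DOC_EXTS for p in name.split(".")[1:]):
        reasons.append("PE masquerading as document")
    if name in PATCHED_SYSTEM_NAMES:
        reasons.append("system binary name outside system directory")
    if name.endswith(".ps1"):                 # PowerModul/USB Worm stage is PS
        reasons.append("PowerShell script on scanned media")
    return reasons

def scan_tree(root):
    """Map each suspicious file under root (relative path) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if reasons := classify(full):
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample():
    """Constructed sample tree standing in for an extracted RAR or a USB root."""
    root = tempfile.mkdtemp()
    samples = {"report.pdf.exe": b"MZ\x90\x00",   # executable posing as a PDF
               "invoice.docx": b"MZ\x90\x00",     # PE behind a Word extension
               "xpsrchvw.exe": b"MZ\x90\x00",     # patched-system-binary name
               "autorun/sync.ps1": b"# stub",     # script dropped on the drive
               "notes.txt": b"plain text"}        # benign control file
    for rel, data in samples.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
    return root
```

Running scan_tree(build_sample()) reports the four planted files and leaves notes.txt alone; point scan_tree at a real extraction folder or drive root to triage it.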

The threat actor's use of custom-made malware payloads and PowerShell-based remote access trojans highlights their advanced level of sophistication and dedication to achieving their objectives. The deployment of the PowerModul implant also underscores the need for organizations to remain vigilant and proactive in their cybersecurity posture, particularly when dealing with targeted attacks.

In conclusion, the latest findings from Kaspersky's report have shed light on the tactics and techniques employed by the Paper Werewolf threat actor in its recent cyberattacks against Russian entities. As organizations continue to navigate the complex landscape of cybersecurity threats, it is essential that they prioritize education, awareness, and proactive measures to prevent such attacks.



Related Information:
  • https://www.ethicalhackingnews.com/articles/New-PowerModul-Implant-Deployed-by-Paper-Werewolf-Threat-Actor-A-Comprehensive-Analysis-ehn.shtml
  • https://thehackernews.com/2025/04/paper-werewolf-deploys-powermodul.html


  • Published: Fri Apr 11 09:12:27 2025 by llama3.2 3B Q4_K_M