EXECUTIVE SUMMARY
Paper Werewolf, a threat actor known for its complex and evolving attack chains, has been identified conducting a phishing campaign against Russian industrial and financial organizations. The attackers send emails with PDF attachments that contain a link to a ZIP archive; the archive holds an Inno Setup installer executable that silently extracts and launches the EchoGather remote access trojan alongside a PDF decoy. Once running, the malware collects files from local drives, network shares and removable media, extracts data from the Telegram messenger, and steals credentials stored in web browsers. The threat actor uses this foothold to maintain covert access to compromised environments and to evade detection for extended periods.
The attack chain combines phishing PDFs, Inno Setup installers, and a variety of loaders and downloaders to deliver the payloads. These custom loaders and downloaders are written in C++, C#, Python, and JavaScript and are used to maintain persistence and evade detection. The EchoGather RAT profiles the compromised host, reporting the local IP address, computer name, username, process ID (PID), and the path of the running executable. It also uploads files to and downloads files from the C2 server and executes incoming commands through the cmd.exe interpreter.
This threat is significant because of its ability to evade detection and maintain covert access over time. The combination of custom loaders and downloaders with data-theft capabilities makes the intrusion hard to detect and hard to recover from. Because initial access relies on a user running an installer delivered through phishing rather than on a software vulnerability, patching alone does not address this chain: defenses should prioritize mail filtering and user awareness for PDF lures that link to archives, application control that blocks or alerts on installers executed from user-writable directories, monitoring of cmd.exe launched by unexpected parent processes and of new autostart entries, and tested backups. Endpoint protection and network segmentation further limit the spread of malware and help surface suspicious activity.
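The following detection logic is an added example written for this summary; it is not code from the report or from the EchoGather malware. It runs two heuristics derived from the chain and the ATT&CK techniques described above over constructed Sysmon-style process-creation and registry events (the JSON lines, paths, PIDs and field names are made up for this example and are not indicators from the campaign): cmd.exe spawned by a parent whose image lives in a user-writable directory (T1059.003 as the page describes it), and a Run-key value pointing at an executable in such a directory (T1547.001). The user-writable path markers are the editor's assumption and will need tuning for a real environment.

```python
"""Heuristic detection for the installer -> RAT -> cmd.exe chain described above.

Events are constructed JSON lines loosely modelled on Sysmon EventID 1
(ProcessCreate) and EventID 13 (RegistryEvent SetValue). Nothing here is
an indicator taken from the report; field names and paths are assumptions.
"""
import json
import ntpath

# Constructed sample telemetry (not from the report). One JSON object per line.
SAMPLE_EVENTS = r"""
{"type": "process", "pid": 4312, "ppid": 1180, "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "cmdline": "explorer.exe"}
{"type": "process", "pid": 5120, "ppid": 4312, "image": "C:\\Users\\ivanov\\Downloads\\Dogovor_2025\\setup.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "\"C:\\Users\\ivanov\\Downloads\\Dogovor_2025\\setup.exe\""}
{"type": "process", "pid": 5208, "ppid": 5120, "image": "C:\\Users\\ivanov\\AppData\\Local\\Temp\\is-ABC12.tmp\\setup.tmp", "parent_image": "C:\\Users\\ivanov\\Downloads\\Dogovor_2025\\setup.exe", "cmdline": "setup.tmp"}
{"type": "process", "pid": 5300, "ppid": 5208, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Users\\ivanov\\AppData\\Local\\Temp\\is-ABC12.tmp\\setup.tmp", "cmdline": "cmd.exe /c whoami"}
{"type": "process", "pid": 6001, "ppid": 4312, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe"}
{"type": "registry", "pid": 5208, "image": "C:\\Users\\ivanov\\AppData\\Local\\Temp\\is-ABC12.tmp\\setup.tmp", "key": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": "C:\\Users\\ivanov\\AppData\\Roaming\\Updater\\svc.exe"}
{"type": "registry", "pid": 800, "image": "C:\\Windows\\System32\\msiexec.exe", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor", "value": "C:\\Program Files\\Vendor\\agent.exe"}
"""

# Assumed markers for directories a standard user can write to. Tune per estate.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
# Matches both ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce (T1547.001).
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run"


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def in_user_writable_dir(path: str) -> bool:
    """True if the path contains any user-writable directory marker (case-insensitive)."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def detect_shell_from_dropped_binary(events: list) -> list:
    """Rule 1: cmd.exe whose parent image sits in a user-writable directory.

    Returns (pid, parent_image, cmdline) for each hit. explorer.exe or a
    system-path parent launching cmd.exe is left alone, so interactive use
    does not fire.
    """
    hits = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        if ntpath.basename(ev["image"]).lower() != "cmd.exe":
            continue
        if in_user_writable_dir(ev["parent_image"]):
            hits.append((ev["pid"], ev["parent_image"], ev["cmdline"]))
    return hits


def detect_run_key_persistence(events: list) -> list:
    """Rule 2: Run-key value pointing at an executable in a user-writable directory.

    Returns (key, value, writing_image) for each hit. Vendor software that
    registers a binary under Program Files does not match.
    """
    hits = []
    for ev in events:
        if ev.get("type") != "registry":
            continue
        if RUN_KEY_MARKER not in ev["key"].lower():
            continue
        if in_user_writable_dir(ev["value"]):
            hits.append((ev["key"], ev["value"], ev["image"]))
    return hits


def ancestry(events: list, pid: int) -> list:
    """Walk parent links to rebuild the chain (e.g. explorer -> installer -> tmp -> cmd).

    Stops at the first PID without a recorded ProcessCreate event and guards
    against PID-reuse loops.
    """
    by_pid = {ev["pid"]: ev for ev in events if ev.get("type") == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for pid, parent, cmd in detect_shell_from_dropped_binary(evs):
        print("cmd.exe from user-writable parent:", " -> ".join(ancestry(evs, pid)), "|", cmd)
    for key, value, image in detect_run_key_persistence(evs):
        print("Run-key persistence:", key, "=", value, "set by", image)
```

On the constructed sample the first rule fires once, for the cmd.exe whose parent was extracted into a temporary directory, and `ancestry` reconstructs the explorer.exe -> setup.exe -> setup.tmp -> cmd.exe chain; the interactive cmd.exe started from explorer.exe is ignored. The second rule flags only the Run value that points into AppData, not the vendor entry under Program Files. In production, feed the same two functions from a SIEM export rather than the inline string, and expect to add exclusions for legitimate installers that run from Downloads.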
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1083 | File and Directory Discovery | — |
| Discovery | T1057 | Process Discovery | — |
| Discovery | T1082 | System Information Discovery | — |
| Lateral Movement | T1021.003 | Remote Services | Distributed Component Object Model |
| Collection | T1113 | Screen Capture | — |
| Collection | T1025 | Data from Removable Media | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/paper-werewolf-espionage-campaign-papergrabber-echogather-malware/
https://bi.zone/eng/expertise/blog/kamen-nozhnitsy-bumaga-novyy-instrumentariy-v-atakakh-klastera-paper-werewolf/