Double or successor? MimiStick copies Sticky Werewolf's tactics.

Russian defense enterprises are in the crosshairs of hackers.

F.A.C.C.T. Threat Intelligence specialists have identified a new cyberattack targeting enterprises of the Russian military-industrial complex. The attackers used the malicious file "17_09_2024.msc", disguised as a letter from the Ministry of Labor of the Russian Federation.

Initially, experts suggested that the well-known Sticky Werewolf cybercriminal group, which had previously used similar methods, was behind the attack. However, further analysis revealed that the attack is being carried out by a new group dubbed MimiStick.

When the file '17_09_2024.msc' is opened, a series of commands is run to extract the packed content. As a result, the file %localappdata%\xrks.t is created, containing a batch file. Next, commands are executed to locate the packed payload at the end of the .bat file. The payload is a base64 string starting with the substring "VqQAAMAAAEAEAAA//8AALgAA". It is decoded and saved to the file %Temp%\xkiq.txt.

That file is then renamed to %Temp%\wqhe.exe, the original th.txt file is deleted, and wqhe.exe is run.
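The chain above (a base64-encoded executable appended to the end of a batch file, decoded to a .txt and renamed to .exe) is easy to triage offline. The following is an added example, not code from the F.A.C.C.T. report: it assumes the payload is a single unwrapped base64 run at the end of the file and checks for a decoded PE ("MZ") header rather than the specific substring quoted above; the sample batch file it carves is constructed here.

```python
import base64
import binascii
import hashlib
import re
from typing import Optional

# A run of base64 text (64+ chars, optional '=' padding) that ends the file,
# allowing only trailing whitespace. Assumption: the blob is not line-wrapped.
_TRAILING_B64 = re.compile(rb"([A-Za-z0-9+/]{64,}={0,2})\s*\Z")


def extract_trailing_pe(data: bytes) -> Optional[dict]:
    """Return details of a base64-encoded PE appended to `data`, or None.

    Mirrors the dropper's own logic in reverse: find the blob at the end of
    the batch file, decode it, and keep it only if it is a PE image.
    """
    m = _TRAILING_B64.search(data)
    if not m:
        return None
    blob = m.group(1)
    try:
        decoded = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    if not decoded.startswith(b"MZ"):  # not an executable: leave it alone
        return None
    return {
        "offset": m.start(1),            # where the blob starts in the .bat
        "encoded_len": len(blob),
        "decoded_len": len(decoded),
        "sha256": hashlib.sha256(decoded).hexdigest(),
        "payload": decoded,              # hand this to a sandbox / PE parser
    }


def build_constructed_sample() -> tuple[bytes, bytes]:
    """Constructed stand-in for the dropped batch file (not a real sample):
    a few script lines followed by the appended base64 blob. The 'PE' is just
    an MZ header plus zero padding so the example runs offline."""
    fake_pe = b"MZ\x90\x00" + bytes(124)
    script = b"@echo off\r\nrem constructed stub\r\ngoto :eof\r\n"
    return script + base64.b64encode(fake_pe) + b"\r\n", fake_pe


if __name__ == "__main__":
    sample, _ = build_constructed_sample()
    hit = extract_trailing_pe(sample)
    print({k: v for k, v in hit.items() if k != "payload"} if hit else "no payload")
```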

The load contains a PDF decoy in the resources, which is stored as %Temp%\17_09_2024_0.pdf and opened. The contents of the lure are similar to the documents used by the Sticky Werewolf group in March 2024.

After the lure is opened, the payload runs an encrypted shellcode. This is a stager that downloads and launches the second stage from a remote host. The second stage is a Sliver implant whose C2 is techitzone[.]ru:443.

Domain techitzone[.]ru was registered on September 2, 2024. F.A.C.C.T. experts discovered several additional domains associated with the attacker:
  • about-tech[.]ru (registered on 07.12.2023)
  • orkprank[.]ru (registered on 18.06.2024)
  • borosan[.]ru (registered on 15.07.2024)
  • mysafer[.]ru (registered on 05.07.2024)
  • rtxcore[.]ru (registered on 02.09.2024)
  • min-trud-gov[.]ru (registered on 23.09.2024)

Of particular interest is the domain min-trud-gov[.]ru, which imitates the domain of the Ministry of Labor of Russia. It was registered recently and matches the pretext of the lure used in the September attack. Experts suggest that this domain may be used in the near future for phishing mailings.