Bloody Wolf Intensifies Cyber Attacks in Uzbekistan and Russia Using NetSupport RAT
The cyber threat group known as Bloody Wolf has escalated its malicious activities, targeting organizations in Uzbekistan and Russia with the deployment of the NetSupport Remote Access Trojan (RAT). This campaign, active since at least 2023, has primarily focused on sectors such as manufacturing, finance, and information technology across Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan.
Recent reports indicate that approximately 50 victims in Uzbekistan and 10 in Russia have been affected by this campaign. Additional infections have been identified in countries including Kazakhstan, Turkey, Serbia, and Belarus. Notably, the attacks have also targeted government organizations, logistics companies, medical facilities, and educational institutions.
Kaspersky, a leading cybersecurity firm, has been monitoring this activity under the alias Stan Ghouls. The firm suggests that the primary motive behind these attacks is financial gain, given the focus on financial institutions. However, the extensive use of RATs also points to potential cyber espionage objectives.
The attack methodology employed by Bloody Wolf involves spear-phishing emails containing malicious PDF attachments. These PDFs include links that, when clicked, initiate the download of a malicious loader. This loader performs several functions:
– Displays a fake error message to deceive the victim into believing the application cannot run on their system.
– Checks whether the number of previous RAT installation attempts is less than three. If the limit has been reached, it displays an error message stating "Attempt limit reached. Try another computer."
– Downloads the NetSupport RAT from external domains and executes it.
– Ensures the RAT’s persistence by configuring an autorun script in the Startup folder, adding a launch script (run.bat) to the Registry’s autorun key, and creating a scheduled task to execute the same batch script.
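As an added defender-side example, not code from the article or from Kaspersky's report, this PowerShell triage script walks the three persistence locations listed above and flags entries that reference a batch script named run.bat. The specific Run keys and Startup folders it inspects, and the file-name match itself, are assumptions made here.

```powershell
# Added triage example (not from the original article): enumerate the three
# persistence locations named in the article and flag entries referencing
# run.bat. The Run keys, Startup folders and the name match are assumptions.
$Pattern  = 'run\.bat'
$Findings = @()

# 1. Startup folders (per-user and all-users)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $StartupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            # Match either the file name or a shortcut/script body that references it
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if ($_.Name -match $Pattern -or "$content" -match $Pattern) {
                $Findings += [pscustomobject]@{ Location = 'StartupFolder'; Name = $_.Name; Detail = $_.FullName }
            }
        }
    }
}

# 2. Registry autorun keys (assumed: the classic HKCU/HKLM Run keys)
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* provider metadata properties, keep real value names
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $Pattern) {
                $Findings += [pscustomobject]@{ Location = 'RegistryRun'; Name = $p.Name; Detail = $p.Value }
            }
        }
    }
}

# 3. Scheduled tasks whose action executes the batch script
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $Pattern) {
            $Findings += [pscustomobject]@{ Location = 'ScheduledTask'; Name = $_.TaskName; Detail = $cmd }
        }
    }
}

$Findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the HKLM key and all scheduled tasks are readable; an empty table means none of the three locations references run.bat.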
Interestingly, Kaspersky has also discovered Mirai botnet payloads on infrastructure associated with Bloody Wolf. This suggests that the group may be expanding its malware arsenal to target Internet of Things (IoT) devices.
The scale of this campaign is significant, with over 60 targets affected. This high volume underscores the substantial resources that Bloody Wolf is investing in its operations.
This development coincides with a series of cyber campaigns targeting Russian organizations. For instance, the group known as ExCobalt has been exploiting known security vulnerabilities and using credentials stolen from contractors to gain initial access to target networks. These attacks are characterized by the use of various tools and attempts to extract credentials from compromised hosts.
In summary, the activities of Bloody Wolf highlight the evolving and persistent nature of cyber threats in the region. Organizations are urged to enhance their cybersecurity measures, conduct regular security audits, and educate employees about the risks associated with phishing emails to mitigate potential threats.