NoisyBear’s Advanced Cyber Assault on Kazakhstan’s Energy Sector

In a series of meticulously orchestrated cyberattacks, the threat actor known as NoisyBear has targeted Kazakhstan’s energy sector, particularly focusing on KazMunaiGas (KMG), the nation’s leading oil and gas company. These attacks, initiated in April 2025 and intensifying through May 2025, employ sophisticated phishing techniques and advanced malware deployment strategies to infiltrate critical infrastructure.

Phishing Tactics and Initial Compromise

NoisyBear’s campaign begins with highly crafted phishing emails that mimic legitimate internal communications. These emails, often concerning salary schedules and policy updates, are sent from compromised KMG business email accounts, lending an air of authenticity that increases the likelihood of employee engagement. The emails contain ZIP file attachments disguised as urgent human resources documents, enticing recipients to open them.

Infection Chain and Malware Deployment

Upon opening the malicious ZIP file, recipients encounter three components:

1. Decoy Document: A file bearing the official KazMunaiGas logo, designed to appear legitimate.

2. README.txt File: Provides instructions that guide the user to execute the malicious content.

3. Weaponized LNK File: Named График зарплат.lnk (Salary Schedule.lnk), this shortcut file is the primary vector for malware deployment.

Executing the LNK file triggers a PowerShell command that downloads a batch script (123.bat) from a remote server. This script is saved in the C:\Users\Public directory, a location chosen to minimize security scrutiny. The batch script then downloads additional PowerShell scripts, referred to as DOWNSHELL by researchers.

Advanced Evasion Techniques

The DOWNSHELL scripts employ sophisticated evasion methods to bypass security measures:

– AMSI Bypass: The scripts reflectively access the System.Management.Automation.AmsiUtils class and set its amsiInitFailed field, which makes the PowerShell host treat the Anti-Malware Scan Interface (AMSI) as uninitialised so that subsequent script content is no longer submitted for real-time scanning.

– Process Injection: The malware injects its code into legitimate running processes, so that its activity executes under a trusted process name, making detection and analysis more difficult.

Infrastructure and Attribution

Analysis of NoisyBear’s infrastructure reveals connections to Aeza Group LLC, a sanctioned hosting provider. This association suggests deliberate attempts to operate within jurisdictions that complicate attribution and takedown efforts. Additionally, Russian language comments within the malicious code and targeting patterns consistent with geopolitical interests in Central Asian energy resources indicate potential Russian origins.

Implications and Recommendations

The NoisyBear campaign poses significant risks to Kazakhstan’s energy infrastructure, including:

– Data Exfiltration: Potential exposure of sensitive corporate communications, strategic planning documents, and operational data.

– Operational Disruption: The possibility of disrupting critical national infrastructure and economic stability.

To mitigate these threats, organizations are advised to:

– Enhance Email Security: Implement advanced email filtering solutions to detect and block phishing attempts.

– Employee Training: Conduct regular cybersecurity awareness training to help employees recognize and report phishing emails.

– System Hardening: Apply the principle of least privilege, regularly update software, and monitor network traffic for unusual activity.

By adopting these measures, organizations can strengthen their defenses against sophisticated threat actors like NoisyBear.