Between July and December 2024, the cyber espionage group known as Paper Werewolf, also referred to as GOFFEE, launched a series of targeted attacks against Russian organizations across various sectors, including mass media, telecommunications, construction, government entities, and energy. These operations introduced a new implant named PowerModul, marking a significant evolution in the group’s tactics.
Paper Werewolf has been active since at least 2022, conducting multiple campaigns primarily aimed at government, energy, financial, and media organizations. Their attack strategies have progressed from mere espionage to incorporating disruptive actions, such as altering employee account passwords to hinder organizational operations.
Attack Methodology
The group’s attacks typically commence with phishing emails containing malicious attachments. These attachments often appear as legitimate Microsoft Word documents embedded with macros. When recipients enable these macros, a PowerShell-based remote access trojan (RAT) known as PowerRAT is deployed. This RAT facilitates the download and execution of subsequent payloads, including customized versions of the Mythic framework agents, PowerTaskel and QwakMyAgent. Additionally, Paper Werewolf employs a malicious IIS module called Owowa to extract Microsoft Outlook credentials entered via the web client.
Introduction of PowerModul
In their latest campaign, Paper Werewolf utilized a more sophisticated approach by distributing RAR archive attachments containing executables disguised with double extensions (e.g., .pdf.exe or .doc.exe). Upon execution, these files display a decoy document to the user while simultaneously initiating the infection process in the background. The executable, often a patched Windows system file like explorer.exe or xpsrchvw.exe, includes malicious shellcode that communicates with the command-and-control (C2) server.
An alternative attack vector involves a RAR archive with a Microsoft Office document containing a macro that acts as a dropper for PowerModul. This PowerShell script-based backdoor can receive and execute additional scripts from the C2 server, enabling the attackers to maintain control over compromised systems.
Capabilities of PowerModul
PowerModul has been in use since early 2024; initially it was used only to download and execute PowerTaskel on infected hosts. Over time its functionality has expanded to include:
– FlashFileGrabber: This tool steals files from removable media, such as USB flash drives, and exfiltrates them to the C2 server.
– FlashFileGrabberOffline: A variant that searches removable media for files with specific extensions and copies them to a local directory (%TEMP%\CacheStore\connect\) for later retrieval.
– USB Worm: Capable of infecting removable media with a copy of PowerModul, facilitating the spread of the malware to other systems.
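As an added illustration (not code from the original report or from the group's tooling), the Python helpers below flag the two artefacts described above: double-extension lures such as .pdf.exe or .doc.exe inside RAR attachments, and file writes into the FlashFileGrabberOffline staging folder %TEMP%\CacheStore\connect\. The extension lists, the file-event format and every sample filename are assumptions constructed for the demonstration.

```python
"""Triage helpers for two PowerModul-campaign artefacts: double-extension
lures inside RAR attachments and the FlashFileGrabberOffline staging folder."""
from pathlib import PureWindowsPath

# Document-looking extensions the lures place before the real one (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
# Extensions Windows executes regardless of what precedes them (assumed list).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Staging folder used by FlashFileGrabberOffline: %TEMP%\CacheStore\connect\
STAGING = ("cachestore", "connect")

def is_double_extension_lure(filename: str) -> bool:
    """True for names such as 'invoice.pdf.exe': executable extension last,
    document-looking extension immediately before it."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXEC_EXTS
            and suffixes[-2] in DECOY_EXTS)

def triage_archive(archive_name: str, members: list[str]) -> list[str]:
    """Return the member names of a RAR attachment that look like lures.
    Only .rar archives are considered, matching the campaign's delivery."""
    if PureWindowsPath(archive_name).suffix.lower() != ".rar":
        return []
    return [m for m in members if is_double_extension_lure(m)]

def is_staging_path(path: str) -> bool:
    """True when a path lies under <...>\\Temp\\CacheStore\\connect\\."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for i in range(len(parts) - 2):
        if parts[i] == "temp" and tuple(parts[i + 1:i + 3]) == STAGING:
            return True
    return False

def find_staging_writes(events: list[dict]) -> list[str]:
    """Filter file-create events (dicts with a 'path' key) down to writes
    into the staging folder; these are the files queued for exfiltration."""
    return [e["path"] for e in events if is_staging_path(e["path"])]

if __name__ == "__main__":
    # Constructed sample data, not taken from any real incident.
    members = ["Contract_2024.pdf.exe", "readme.txt", "Offer.doc.exe", "notes.docx"]
    print(triage_archive("Documents.rar", members))
    events = [{"path": r"C:\Users\ivan\AppData\Local\Temp\CacheStore\connect\plan.xlsx"},
              {"path": r"C:\Users\ivan\Documents\plan.xlsx"}]
    print(find_staging_writes(events))
```

In practice the archive check would run in a mail gateway's attachment inspection and the staging-path check over endpoint file-create telemetry; a hit on the staging folder is worth treating as an active collection stage rather than a mere lure.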
PowerTaskel, functionally similar to PowerModul, not only executes PowerShell scripts from the C2 server but also collects information about the targeted environment and can escalate privileges using tools like PsExec.
Implications and Recommendations
The deployment of PowerModul by Paper Werewolf underscores the group's evolving capabilities and its continued focus on Russian organizations. The use of purpose-built implants and multi-stage attack chains highlights the need for organizations to strengthen their defenses.
To mitigate such threats, organizations should:
1. Implement Advanced Email Filtering: Deploy solutions capable of detecting and blocking phishing emails with malicious attachments.
2. Educate Employees: Conduct regular training sessions to raise awareness about phishing tactics and the importance of not enabling macros in unsolicited documents.
3. Monitor Network Activity: Utilize intrusion detection systems to identify unusual network behavior indicative of malware communication with C2 servers.
4. Restrict Macro Execution: Configure systems to disable macro execution by default and only allow it for trusted documents.
5. Regularly Update Systems: Ensure that all software and operating systems are up to date with the latest security patches to reduce vulnerabilities.
By adopting these measures, organizations can strengthen their defenses against sophisticated cyber threats like those posed by Paper Werewolf and their PowerModul implant.