Kazakhstani establishments are under siege from a malevolent campaign known as Bloody Wolf that distributes a common malware named STRRAT (also recognized as Strigoi Master).
A recent analysis by cybersecurity provider BI.ZONE stated that this malicious software, which can be purchased for as little as $80 from underground sources, enables threat actors to gain authority over business computers and seize confidential information.
The cyber assaults utilize deceptive emails as the primary tactic, masquerading as communications from the Ministry of Finance of the Republic of Kazakhstan and other official bodies to deceive recipients into accessing PDF attachments.
The attachment, posing as a notice of non-compliance, includes references to a harmful Java archive (JAR) file along with instructions on installing the Java interpreter required for the malware to operate.
To add authenticity to the attack, the second link directs to a webpage associated with the country’s government portal, advising users to set up Java to ensure the site functions correctly.
The STRRAT malware, obtainable from a website that mimics the Kazakhstan government’s site (“egov-kz[.]online”), establishes persistence on Windows systems by altering the registry, and runs the JAR file every half hour.
Additionally, a duplicate of the JAR file is placed in the Windows startup directory to ensure it launches automatically following a system restart.
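The two persistence locations described above (a registry Run entry that launches a JAR and a JAR copy in the Startup folder) are simple to audit. The following is an added example, not code from the BI.ZONE report: it flags autorun entries that launch a JAR through java/javaw or directly, first over constructed sample data so it runs on any platform, with an optional collector for a live Windows host. The sample entry names and paths are invented for illustration.

```python
import re

# Constructed sample data for offline demonstration (not indicators from the report).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "JavaUpdate": r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\svc.jar"',
}
SAMPLE_STARTUP_FILES = ["desktop.ini", "Send to OneNote.lnk", "update.jar"]

_JAVA_LAUNCHER = re.compile(r"\b(java|javaw)(\.exe)?\b", re.IGNORECASE)
_JAR_REF = re.compile(r"\.jar\b", re.IGNORECASE)


def is_jar_autorun(command):
    """True if an autorun command references a JAR launched via java/javaw or run directly."""
    cmd = command.strip().strip('"')
    if not _JAR_REF.search(cmd):
        return False
    return bool(_JAVA_LAUNCHER.search(cmd)) or cmd.lower().endswith(".jar")


def find_jar_persistence(run_values, startup_files):
    """Return (source, name, detail) tuples for JAR-based persistence candidates."""
    findings = []
    for name, command in run_values.items():
        if is_jar_autorun(command):
            findings.append(("registry_run", name, command))
    for filename in startup_files:
        if filename.lower().endswith(".jar"):
            findings.append(("startup_folder", filename, filename))
    return findings


def collect_live_windows():
    """Read the real HKCU Run key and the user's Startup folder; Windows only."""
    import os, winreg
    run_values = {}
    run_key = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, run_key) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            run_values[name] = str(value)
            i += 1
    startup = os.path.join(os.environ["APPDATA"], r"Microsoft\Windows\Start Menu\Programs\Startup")
    return run_values, (os.listdir(startup) if os.path.isdir(startup) else [])


if __name__ == "__main__":
    for finding in find_jar_persistence(SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES):
        print(finding)
```

On a Windows host, pass the result of `collect_live_windows()` into `find_jar_persistence` to check the current user's autoruns; HKLM Run keys and scheduled tasks would need the same treatment for a full sweep.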
Subsequently, it establishes communication with a Pastebin server to steal sensitive data from the infiltrated device, including information about the operating system version, installed antivirus software, and account details from browsers like Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook, and Thunderbird.
Moreover, it is programmed to accept commands from the server to download and initiate additional payloads, log keystrokes, execute commands through cmd.exe or PowerShell, restart or power down the system, install a proxy, and self-delete.
“By utilizing less conventional file formats like JAR, the attackers can circumvent security measures,” stated BI.ZONE. “Employing legitimate online services such as Pastebin for communication with the affected target allows them to evade network security mechanisms.”