August 5, 2024 at 09:18AM
Kazakhstan organizations are under attack from a threat group called Bloody Wolf, distributing malware called STRRAT, allowing adversaries to control computers and access restricted data. The attacks use phishing emails impersonating government agencies to trick recipients. The malware sets up persistence on Windows machines, exfiltrating sensitive information and allowing the attackers to execute further malicious activities.
Organizations in Kazakhstan are facing targeted cyber threats from a group known as Bloody Wolf, which uses a commodity malware called STRRAT. This malware, available for as little as $80 on underground platforms, enables attackers to take control of corporate computers and access restricted data.
The cyber attacks are initiated through phishing emails that impersonate the Ministry of Finance of the Republic of Kazakhstan and other agencies. These emails contain PDF attachments with links to a malicious Java archive (JAR) file, along with an installation guide for the Java interpreter required for the malware to function.
Furthermore, the STRRAT malware, hosted on a website that mimics the Kazakhstan government’s website (“egov-kz[.]online”), establishes persistence on Windows hosts through Registry modifications and runs the JAR file every 30 minutes. It also exfiltrates sensitive information from compromised machines and can execute additional malicious payloads, log keystrokes, and carry out various commands.
The attackers employ less common file types like JAR to bypass defenses, and legitimate web services such as Pastebin to communicate with compromised systems, thereby evading network security solutions.
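A defender reading the two points above (Registry-based persistence and an uncommon JAR payload launched through the Java interpreter) will want a quick way to hunt for autorun entries that hand a JAR to java/javaw. The following script is an added example written for this page; it is not BI.ZONE's code and not derived from the STRRAT sample. It assumes the persistence lives in a Run key (the page only says "Registry modifications", so that key choice is an assumption), and it works over a constructed `.reg`-style export embedded below rather than a live host, so it runs offline anywhere. The "user-writable path" heuristic is likewise an assumed indicator, not something the page states.

```python
import re

# Constructed sample in the style of a Windows .reg export of the HKCU Run key.
# None of these entries come from a real host; the "Updater" line imitates the
# pattern described on the page (Java interpreter launching a JAR from a
# user-writable location). The exact key used by STRRAT is an assumption.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Program Files\\Java\\jre8\\bin\\javaw.exe\" -jar \"C:\\Users\\user\\AppData\\Roaming\\update.jar\""
"Steam"="\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
'''

# Detection heuristics (assumed indicators, tune to your environment):
#   - the command is executed through java or javaw
#   - the command references a JAR (via -jar or a .jar path)
#   - the payload sits in a user-writable directory
JAVA_LAUNCHER = re.compile(r'(^|[\\/\s"])javaw?(\.exe)?(?=[\s"]|$)', re.IGNORECASE)
JAR_REF = re.compile(r'(-jar\b|\.jar\b)', re.IGNORECASE)
USER_WRITABLE = re.compile(r'\\(AppData|Temp|Downloads|Users\\Public)\\', re.IGNORECASE)

# .reg export syntax: a [key] header followed by "name"="value" lines.
KEY_LINE = re.compile(r'^\[(.+)\]$')
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " inside a quoted string."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_run_entries(text):
    """Return (key, value_name, command) tuples for every string value in the export."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def assess(command):
    """Return the list of heuristic reasons that apply to one autorun command."""
    reasons = []
    if JAVA_LAUNCHER.search(command):
        reasons.append("launched via java/javaw")
    if JAR_REF.search(command):
        reasons.append("references a JAR")
    if USER_WRITABLE.search(command):
        reasons.append("payload under user-writable path")
    return reasons


def find_suspicious_autoruns(text):
    """Flag autorun values where the Java interpreter is used to start a JAR."""
    findings = []
    for key, name, command in parse_run_entries(text):
        reasons = assess(command)
        if "launched via java/javaw" in reasons and "references a JAR" in reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"[{f['key']}] {f['name']}: {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a real host you would feed the script the output of `reg export` for the Run keys (HKCU and HKLM) instead of the embedded sample; the OneDrive entry shows why the user-writable check alone is not a trigger, since plenty of legitimate software autoruns from AppData. Only the combination of a Java launcher plus a JAR reference raises a finding, with the path location recorded as supporting context.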
Cybersecurity vendor BI.ZONE noted that the use of these tactics and techniques poses a significant threat to organizations in Kazakhstan.