Core Werewolf Group's Attempted Attack on Russian Military Base

Experts at the FACCT company discovered a malicious file, uploaded to VirusTotal from Armenia, that could be linked to the cyber espionage group Core Werewolf. The presumed target of the attack was the 102nd Russian military base. The file was a self-extracting 7zSFX archive built to covertly install and run the legitimate remote access program UltraVNC.

The Core Werewolf group (also known as PseudoGamaredon) actively targets Russian organizations in the defense industrial complex and critical information infrastructure. The group was first detected in August 2021. In March of this year it targeted a Russian research institute involved in weapons development, and in early April it attacked a Russian defense plant.

Experts believe that this time the target was specifically the military base, because the lure document (perevod.pdf) posed as a petition to honor individuals with state awards, including the “Order of Courage” for servicemen who distinguished themselves during military operations. The 102nd base is located in the Armenian city of Gyumri, from where the file was uploaded to VirusTotal on April 15, 2024.

Based on the last-modification timestamps of the files inside the 7zSFX archive, the researchers suggest that the attack began before April 15, 2024.

As noted above, Core Werewolf uses the legitimate tool UltraVNC version 1.2.0.5 for covert remote access to compromised systems; this build also carries an application icon resembling OneDrive. A similar sample was used in other attacks as well.

For the C&C server, the attackers used the domain mailcommunity[.]ru, registered a year earlier at the same time as another domain of the group that was active in the 2023 campaign. A day before the domain expired, the attackers renewed it for another year and used it the same day to conduct attacks.

Fragment of the Core Werewolf infrastructure

In their report, the specialists also identified malicious executables uploaded to VirusTotal from Russia in March and April 2024. These are previously undescribed droppers written in Go. The droppers have identical functionality and are intended to covertly install and run the UltraVNC client. Moreover, their configuration file and UltraVNC client match the files described above by hash, and the same domain (mailcommunity[.]ru) is again used as the C&C server.
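The tradecraft described above (a 7zSFX stub that silently installs UltraVNC, the mailcommunity[.]ru C&C domain, and the later Go droppers) lends itself to a simple file-triage check. The script below is an added example written for this page, not FACCT's tooling or any Core Werewolf artifact: it locates the 7-Zip SFX install script (the `;!@Install@!UTF-8!` … `;!@InstallEnd@!` block that 7-Zip SFX modules read), reports whether the install is silent and what it runs, and looks for the strings the report mentions. The sample bytes and the `winvnc.exe` run entry are constructed for the demo.

```python
import re

# 7z container signature ('7z' BC AF 27 1C): a 7zSFX is a PE stub with the archive appended.
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
# 7-Zip SFX modules read their install script from this text block inside the executable.
CONFIG_RE = re.compile(rb";!@Install@!UTF-8!(.*?);!@InstallEnd@!", re.S)
# Indicators taken from the report; matched case-insensitively.
WATCH_STRINGS = {
    "ultravnc": b"ultravnc",        # also hits ultravnc.ini, the client config file
    "winvnc": b"winvnc",            # UltraVNC server/client binary name
    "c2_domain": b"mailcommunity.ru",
    "lure_pdf": b"perevod.pdf",
    "go_build": b"Go build ID:",    # marker left in Go binaries (the later droppers)
}

def parse_sfx_config(data: bytes) -> dict:
    """Return the key -> [values] pairs of the 7zSFX install script, or {} if absent."""
    m = CONFIG_RE.search(data)
    if not m:
        return {}
    cfg = {}
    for line in m.group(1).decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep:  # keys such as RunProgram may repeat, so keep a list
            cfg.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return cfg

def triage(data: bytes) -> dict:
    """Flag a PE that is a 7z SFX, installs silently (GUIMode=2) and carries report IoCs."""
    low = data.lower()
    cfg = parse_sfx_config(data)
    is_pe = data[:2] == b"MZ"
    result = {
        "is_7z_sfx": is_pe and SEVENZ_MAGIC in data,
        "silent_install": cfg.get("GUIMode", [""])[0] == "2",  # "2" hides every dialog
        "run_programs": cfg.get("RunProgram", []),
        "hits": sorted(name for name, s in WATCH_STRINGS.items() if s.lower() in low),
    }
    result["suspicious"] = result["is_7z_sfx"] and result["silent_install"] and bool(result["hits"])
    return result

# Constructed sample (not a real artifact): PE stub, silent SFX script that opens the
# lure and starts the VNC client, then the 7z payload with the client config and C&C.
SAMPLE = (b"MZ" + b"\x00" * 64
          + b';!@Install@!UTF-8!\r\nTitle="perevod"\r\nRunProgram="perevod.pdf"\r\n'
          + b'RunProgram="winvnc.exe"\r\nGUIMode="2"\r\n;!@InstallEnd@!\r\n'
          + SEVENZ_MAGIC + b"\x00" * 32 + b"ultravnc.ini\x00mailcommunity.ru\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a real file, run `triage(open(path, "rb").read())`; a silent 7z SFX whose RunProgram list names a VNC binary is worth a closer look even when none of the string indicators match.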
