In a sophisticated phishing campaign uncovered by the BI.ZONE Threat Intelligence team, the Squid Werewolf group, also known as APT37, has been impersonating recruiters to target key employees in various organizations.
This espionage cluster uses fake job opportunities to lure victims into opening malicious attachments, which ultimately lead to system compromise and data theft.
Phishing Tactics and Techniques
The attack begins with a phishing email that appears to be a job offer from a legitimate company, often using recognizable logos to enhance credibility.
The email contains a password-protected ZIP archive named “Предложение о работе.zip,” which includes a malicious LNK file disguised as a PDF document.
Once opened, this LNK file executes a PowerShell command that decodes a Base64-encoded payload, leading to the creation of several files, including d.exe, d.exe.config, and DomainManager.dll.
These files are placed in the system’s startup folder to ensure persistence.
The d.exe file is a renamed version of the legitimate dfsvc.exe, used to masquerade as a system utility.
The PowerShell command also triggers the execution of a .NET loader, which is obfuscated using Obfuscar.
This loader checks for internet connectivity and employs time-based evasion techniques to avoid detection in sandbox environments.
It further decrypts and executes payloads encrypted with AES128 CBC, either from a local file or downloaded from a remote server.
The loader modifies registry settings to disable autorun from the startup folder, ensuring stealthy operation.
mngs Attachement.pdfMitigation and Detection
According to the Report, To protect against such threats, organizations are advised to implement robust email protection solutions that can analyze and block suspicious attachments and links.
Advanced threat detection tools like Endpoint Detection and Response (EDR) systems are crucial for identifying and mitigating these sophisticated attacks.
BI.ZONE’s EDR offers specific detection rules for suspicious PowerShell activity and file creation in startup folders, which can help in early detection of Squid Werewolf’s tactics.
The Squid Werewolf group’s use of advanced obfuscation techniques and encryption highlights the evolving nature of cyber threats.
Staying informed about the latest tactics and tools used by threat actors is essential for maintaining effective cybersecurity strategies.
By leveraging threat intelligence and implementing comprehensive security measures, organizations can better safeguard their systems and data against these sophisticated phishing campaigns.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
