Bloody Wolf: Unmasking the Cyber Threat Targeting Kazakhstan with STRRAT Malware

Organizations in Kazakhstan are currently targeted by a sophisticated cyber threat activity cluster known as Bloody Wolf, which is deploying a commodity malware called STRRAT (also known as Strigoi Master).

Cybersecurity vendor BI.ZONE reports that this malware, sold for as little as $80 on underground forums, enables attackers to take control of corporate computers and exfiltrate restricted data.

The attack campaign primarily utilizes phishing emails to gain initial access. These emails masquerade as communications from the Ministry of Finance of the Republic of Kazakhstan and other government agencies, aiming to deceive recipients into opening attached PDF files. These files appear to be non-compliance notices and contain links to a malicious Java Archive (JAR) file, alongside an installation guide for the Java interpreter required for the malware to function.

To enhance the credibility of the attack, one of the links directs users to a web page associated with the official Kazakhstan government website, urging the installation of Java to ensure the portal's operability. The STRRAT malware is hosted on a fraudulent website mimicking the Kazakhstan government’s official site ("egov-kz[.]online"). Once executed, the malware achieves persistence on the Windows host by modifying the Registry and scheduling the JAR file to run every 30 minutes.

Additionally, a copy of the JAR file is placed in the Windows startup folder to ensure it launches automatically after a system reboot. Once active, the malware establishes connections with a Pastebin server to exfiltrate sensitive information, including details about the operating system version, installed antivirus software, and account data from browsers such as Google Chrome, Mozilla Firefox, and Internet Explorer, as well as email clients like Foxmail, Outlook, and Thunderbird.

STRRAT is also capable of receiving further commands from the server to download and execute additional payloads, log keystrokes, execute commands via cmd.exe or PowerShell, restart or shut down the system, install a proxy, and remove itself.

BI.ZONE highlights that using less common file types like JAR files helps attackers bypass security defenses. Furthermore, utilizing legitimate web services such as Pastebin for communication with compromised systems allows the attackers to evade network security solutions effectively.