Fluffy Wolf Spreads Meta Stealer in Corporate Phishing Campaign

Published: 23/11/2024   Category: security




Unsophisticated threat actor is targeting Russian companies with both readily available malware and authentic software.



An emerging and unsophisticated threat actor is spreading various types of malware with accounting report lures in a phishing campaign that relies on readily available malicious and legitimate software for its success.
The active phishing campaign by an actor tracked as Fluffy Wolf demonstrates how even largely unskilled threat actors can leverage malware-as-a-service (MaaS) models to conduct successful cyberattacks, according to researchers from digital risk management firm Bi.Zone. The campaign is currently targeting Russian organizations but could spread to other regions.
Although mediocre in terms of technical skills, these threat actors achieve their goals by using just two sets of tools: legitimate remote access services and inexpensive malware, according to separate blog posts published on both the company's website and its Medium blog account.
To gain initial access to target infrastructures, Fluffy Wolf, active since 2022, impersonates a construction company to send phishing emails with attachments disguised as reconciliation reports, i.e., reports aimed at ensuring that different sets of accounting figures are correct. The password-protected files hide a variety of malicious payloads; the primary one is Meta Stealer, a clone of the popular RedLine stealer.
Fluffy Wolf also propagates a variety of other tools, including the legitimate Remote Utilities software as well as WarZone RAT and the XMRig miner.
So far, the group has made at least 140 attacks on companies in Russia, where phishing remains one of the most prevalent forms of initial entry into corporate environments, the researchers found.

Phishing was the weapon of choice for 68% of all targeted attacks on Russian organizations last year, according to Bi.Zone. Moreover, at least 5% of employees of Russian companies open hostile attachments and click links in phishing emails, which makes it easy to run a malicious campaign on a large scale, according to the company.
Once a corporate user clicks on the document lure, which is included in emails titled "Reports to sign," the file executes various processes. One of those is the launch of the Remote Utilities loader to deliver a copy of Meta Stealer from an attacker-controlled command-and-control (C2) server.
The use of these two pieces of malware is key to the campaign in that both are readily available to threat actors. Remote Utilities is a legitimate remote access tool and Meta Stealer can be purchased on underground forums and on Telegram channels for as little as $150 a month.
Remote Utilities enables a threat actor to gain complete control over a compromised device to track the user's actions, transmit files, run commands, and interact with the task scheduler, among other activities. Threat actors continue to experiment with legitimate remote access software to enhance their arsenal with new tools, according to Bi.Zone.
Meanwhile, Meta Stealer lifts sensitive data from infected devices, including user credentials and cookies from Chromium- and Firefox-like browsers, as well as data from the free FileZilla FTP client, cryptocurrency wallets, and VPN clients. It then sends the data back to the attackers' C2.
The Fluffy Wolf campaign demonstrates how it's easier than ever for threat actors to attack systems using MaaS and other readily available software tools, so it's important for organizations to use a variety of security solutions to protect themselves, according to Bi.Zone.
As phishing remains a primary point of entry for attackers, organizations should use managed email security services that will prevent connection to a threat actor's C2 server even if a corporate user clicks on a malicious email link or file.
Employing some type of threat intelligence platform within an organization to continuously maintain awareness of ever-evolving malicious campaigns also can help an organization mitigate risk.
To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and to understand the threat landscape, according to Bi.Zone.
To that end, Bi.Zone included in its Medium blog post a list of indicators of compromise (IoCs) and a MITRE ATT&CK framework for the Fluffy Wolf phishing vector.
