Organizations in Kazakhstan are being targeted by a cyber threat group known as Bloody Wolf, which is using a commodity malware called STRRAT, also known as Strigoi Master. According to cybersecurity vendor BI.ZONE, STRRAT is available for as little as $80 on underground markets. Delivered through phishing emails, the malware gives attackers control over corporate computers and access to sensitive data.
The attack begins with phishing emails that impersonate the Ministry of Finance of Kazakhstan and other government agencies. These emails contain PDF attachments that appear to be non-compliance notices, but they include links to a malicious Java Archive (JAR) file and instructions for installing the Java interpreter needed for the malware. To add a layer of legitimacy, one of the links directs users to a fake government website that encourages them to install Java.
Once the STRRAT malware is installed, it establishes persistence on the infected Windows host by modifying the system registry and placing a copy of the JAR file in the startup folder. This ensures that the malware runs every 30 minutes and automatically launches upon system reboot. The malware then connects to a Pastebin server to exfiltrate sensitive information, such as operating system details and credentials from various applications.
STRRAT is designed to receive additional commands from the server, allowing it to download and execute further payloads, log keystrokes, run commands using cmd.exe or PowerShell, and perform other malicious activities. By using uncommon file types and legitimate web services like Pastebin, the attackers can bypass network security solutions and evade detection.
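The persistence and command-and-control behaviour described in the two paragraphs above (a JAR copied to the Startup folder, a Run key that launches it, Java spawning cmd.exe or PowerShell, and Java talking to Pastebin) maps directly onto endpoint telemetry a defender can hunt over. The script below is an added example, not code from the article or from BI.ZONE: it runs a handful of hunt rules over constructed, Sysmon-style log lines. The `key=value|key=value` line format and the field names (`type`, `Image`, `CommandLine`, `ParentImage`, `TargetObject`, `Details`, `TargetFilename`, `DestinationHostname`) are assumptions chosen for the example, as are the sample paths and hostnames.

```python
"""Hunt for STRRAT-style persistence and C2 artifacts in endpoint telemetry.

Added example. The log lines are constructed in a simplified
'key=value|key=value' form modelled on Sysmon-style events; the field names
are an assumption for this example, not a real product schema.
"""
import re

# A .jar sitting in the per-user Startup folder (persistence via autorun).
STARTUP_JAR_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\"]+\.jar', re.IGNORECASE)
# The HKCU/HKLM ...\CurrentVersion\Run key (persistence via registry).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run", re.IGNORECASE)
# java.exe / javaw.exe as the process image.
JAVA_IMAGE_RE = re.compile(r"(?:^|\\)javaw?\.exe$", re.IGNORECASE)
# A '-jar <path>.jar' argument, quoted (may contain spaces) or unquoted.
JAR_ARG_RE = re.compile(r'-jar\s+(?:"[^"]+\.jar"|\S+\.jar)', re.IGNORECASE)
# Shells STRRAT is reported to use for remote command execution.
SHELL_IMAGE_RE = re.compile(r"(?:^|\\)(?:cmd|powershell)\.exe$", re.IGNORECASE)
# Pastebin used as a legitimate-looking exfiltration / tasking channel.
PASTEBIN_RE = re.compile(r"(?:^|\.)pastebin\.com$", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split a constructed 'k=v|k=v' line into a dict."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def evaluate(event: dict) -> list:
    """Return the name of every hunt rule the event matches."""
    hits = []
    kind = event.get("type", "")
    image = event.get("Image", "")
    if kind == "FileCreate" and STARTUP_JAR_RE.search(event.get("TargetFilename", "")):
        hits.append("jar_dropped_in_startup_folder")
    if (kind == "RegistryValueSet"
            and RUN_KEY_RE.search(event.get("TargetObject", ""))
            and JAR_ARG_RE.search(event.get("Details", ""))):
        hits.append("run_key_launches_jar")
    if kind == "ProcessCreate":
        cmd = event.get("CommandLine", "")
        parent = event.get("ParentImage", "")
        # Java launched normally is noise; Java launching a JAR out of Startup is not.
        if JAVA_IMAGE_RE.search(image) and JAR_ARG_RE.search(cmd) and STARTUP_JAR_RE.search(cmd):
            hits.append("java_runs_jar_from_startup")
        if SHELL_IMAGE_RE.search(image) and JAVA_IMAGE_RE.search(parent):
            hits.append("java_spawns_shell")
    if (kind == "NetworkConnect" and JAVA_IMAGE_RE.search(image)
            and PASTEBIN_RE.search(event.get("DestinationHostname", ""))):
        hits.append("java_connects_to_pastebin")
    return hits


def hunt(lines) -> list:
    """Run every line through the rules; return (rule, line_index) pairs."""
    findings = []
    for idx, line in enumerate(lines):
        for rule in evaluate(parse_event(line)):
            findings.append((rule, idx))
    return findings


# Constructed sample telemetry: one benign Java launch, then the STRRAT-like chain.
JAVA = r"C:\Program Files\Java\jre\bin\javaw.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_LOG = [
    # benign: a user runs a legitimate JAR from Program Files
    rf'type=ProcessCreate|Image={JAVA}|CommandLine="{JAVA}" -jar "C:\Program Files\Tool\tool.jar"|ParentImage=C:\Windows\explorer.exe',
    # the JAR is copied into the Startup folder
    rf'type=FileCreate|Image={JAVA}|TargetFilename={STARTUP}\notice.jar',
    # a Run key value is written that launches the JAR
    rf'type=RegistryValueSet|Image={JAVA}|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\notice|Details="{JAVA}" -jar "{STARTUP}\notice.jar"',
    # Java is relaunched from the Startup folder
    rf'type=ProcessCreate|Image={JAVA}|CommandLine="{JAVA}" -jar "{STARTUP}\notice.jar"|ParentImage=C:\Windows\explorer.exe',
    # Java spawns a command shell
    rf'type=ProcessCreate|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami|ParentImage={JAVA}',
    # Java reaches out to Pastebin
    rf'type=NetworkConnect|Image={JAVA}|DestinationHostname=pastebin.com|DestinationPort=443',
]

if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_LOG):
        print(f"line {idx}: {rule}")
```

The benign first line deliberately trips none of the rules: a `javaw.exe -jar` launch on its own is ordinary on a developer workstation, so the rules key on the Startup-folder path, the Run key, the parent/child relationship and the destination host rather than on Java itself. Pointing the same rules at real Sysmon events (IDs 1, 3, 11 and 13) needs only a different `parse_event`.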