Organizations in Kazakhstan are currently under attack by a threat group known as Bloody Wolf, which is deploying a piece of commodity malware known as STRRAT (also called Strigoi Master).
“The software, which can be purchased for as little as $80 on underground forums, allows attackers to seize control of corporate computers and steal sensitive data,” cybersecurity firm BI.ZONE stated in a recent analysis.
The attacks use phishing emails as the initial access vector. The attackers pose as the Ministry of Finance of the Republic of Kazakhstan and other government agencies to persuade recipients to open PDF attachments.
The attachment is disguised as a notice of non-compliance and contains two links: one to a malicious Java archive (JAR) file and one to an installation guide for the Java runtime the malware needs in order to execute.
To lend the lure credibility, the second link leads to a web page tied to the official government website that urges the user to install Java so that the portal will work correctly.
The STRRAT malware, hosted on a website that imitates the official Kazakhstan government site (“egov-kz[.]online”), establishes persistence on the Windows host by modifying the Registry and by re-executing the JAR file every 30 minutes.
Furthermore, a copy of the JAR file is placed in the Windows startup folder to ensure it automatically launches after the system is restarted.
Once active, the malware connects to a Pastebin server to exfiltrate sensitive information from the compromised machine. This includes details about the operating system version, installed antivirus software, and account data from browsers and email clients such as Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook, and Thunderbird.
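The persistence mechanisms and indicators described above (Run-key modification, the 30-minute re-execution, the JAR copy in the Startup folder, the spoofed “egov-kz[.]online” domain and the Pastebin connection) can be hunted on an endpoint with an elevated PowerShell session. The script below is an added example, not code from BI.ZONE or from the article. It assumes the 30-minute re-execution is implemented as a scheduled task repetition (the article does not say how the interval is achieved, so the check also reports any task that launches a JAR regardless of interval), and it treats any Java interpreter launching a `.jar` file from an autostart location as suspicious, which will also flag legitimate Java software that autostarts and must be triaged by hand.

```powershell
# Added example (not BI.ZONE's or the article's code): host-side hunt for
# STRRAT-style persistence and C2 indicators on a Windows endpoint.
# Run in an elevated PowerShell so HKLM keys and all scheduled tasks are readable.
# Assumption: the 30-minute re-execution is a scheduled task repetition (PT30M);
# the article only states the interval, not the mechanism.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Source, [string]$Detail)
    $findings.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
}

# A Java interpreter launching a JAR: java.exe / javaw.exe ... -jar ... .jar
$jarLaunch = 'javaw?(?:\.exe)?"?\s+.*-jar\s+.*\.jar'

# 1. Run / RunOnce keys in both hives (Registry-based persistence).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider metadata
        $value = [string]$p.Value
        if ($value -match $jarLaunch -or $value -match '\.jar') {
            Add-Finding -Source $key -Detail "$($p.Name) = $value"
        }
    }
}

# 2. Scheduled tasks whose action runs a JAR; report the repetition interval
#    so a PT30M trigger (every 30 minutes) stands out.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $jarLaunch) {
            $interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
            Add-Finding -Source "ScheduledTask:$($task.TaskPath)$($task.TaskName)" `
                        -Detail "$cmd (repeat: $interval)"
        }
    }
}

# 3. Startup folders (per-user and all-users): a JAR dropped here runs at logon.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.jar' } |
        ForEach-Object { Add-Finding -Source "Startup:$dir" -Detail $_.FullName }
}

# 4. Network indicators: the spoofed government domain and Pastebin in the
#    DNS client cache, plus established connections owned by Java processes.
$domains = @('egov-kz.online', 'pastebin.com')
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($d in $domains) {
        if ($_.Entry -like "*$d*") {
            Add-Finding -Source 'DnsCache' -Detail "$($_.Entry) -> $($_.Data)"
        }
    }
}
$javaPids = (Get-Process -Name java, javaw -ErrorAction SilentlyContinue).Id
if ($javaPids) {
    Get-NetTCPConnection -OwningProcess $javaPids -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            Add-Finding -Source "JavaProcess:$($_.OwningProcess)" `
                        -Detail "$($_.RemoteAddress):$($_.RemotePort)"
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No STRRAT-style persistence or C2 indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any hit in sections 1 to 3 that points at a JAR under a user-writable path (AppData, Temp, the user profile) deserves immediate triage; a Java process with an established connection to a Pastebin address is worth collecting the process command line and the JAR itself for analysis before the 30-minute re-execution replaces anything on disk.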
The malware is also capable of receiving additional commands from the server to download and execute more payloads, log keystrokes, run commands via cmd.exe or PowerShell, restart or shut down the system, install a proxy, and remove itself.
“By using less common file types like JAR, attackers can bypass security defenses,” BI.ZONE explained. “Leveraging legitimate web services like Pastebin to communicate with compromised systems allows them to evade network security measures.”