A recently emerged threat actor, identified as Fluffy Wolf, has been orchestrating a phishing campaign targeting Russian organizations, utilizing accounting report-themed lures to spread various types of malware. Researchers from digital risk management firm Bi.Zone have shed light on this campaign, underscoring how even relatively unskilled threat actors can leverage malware-as-a-service (MaaS) models for successful cyberattacks.
According to separate blog posts by Bi.Zone, Fluffy Wolf employs a combination of legitimate remote access services and affordable malware to achieve its objectives. By impersonating a construction company and sending phishing emails with attachments disguised as reconciliation reports, the threat actor aims to gain initial access to target infrastructures. These password-protected files contain malicious payloads, primarily Meta Stealer, a clone of the notorious RedLine stealer.
In addition to Meta Stealer, Fluffy Wolf has been observed propagating various other malware, including legitimate software such as Remote Utilities, WarZone RAT, and XMRig miner. The group has already launched over 140 attacks on companies in Russia, where phishing remains a prevalent method for infiltrating corporate environments.
Upon clicking on the deceptive document lure titled "Reports to sign," corporate users inadvertently trigger the execution of various processes. This includes launching the Remote Utilities loader to deliver a copy of Meta Stealer from an attacker-controlled command-and-control (C2) server. Both Remote Utilities and Meta Stealer are easily accessible to threat actors, with the former being a legitimate remote access tool and the latter available for purchase on underground forums and Telegram channels for as little as $150 a month.
Remote Utilities provides threat actors with comprehensive control over compromised devices, allowing them to monitor user actions, transfer files, execute commands, and interact with the task scheduler. Meanwhile, Meta Stealer exfiltrates sensitive data from infected devices, including user credentials, browser cookies, FTP server data, cryptocurrency wallets, and VPN client information, sending it back to the attacker's C2.
In response to the Fluffy Wolf campaign, Bi.Zone emphasizes the importance of employing diverse security solutions to protect organizations against such threats. Managed email security services can prevent connections to threat actor-controlled C2 servers, even if a corporate user interacts with a malicious email link or attachment. Furthermore, leveraging threat intelligence platforms can aid organizations in staying abreast of evolving malicious campaigns and mitigating associated risks.
To facilitate defence efforts, Bi.Zone has provided a list of indicators of compromise (IoCs) and an MITRE ATT&CK framework for the Fluffy Wolf phishing vector in its Medium blog post. This proactive approach underscores the necessity of continuous awareness and understanding of the evolving threat landscape to effectively counter threat actors' tactics.
