Cybersecurity experts have raised alarms about the evolving tactics of Core Werewolf, also known as PseudoGamaredon, a sophisticated hacking group that has been targeting Russia’s defense industry and critical infrastructure for years. In a significant development, the group has introduced a new custom-built loader written in AutoIt, marking a shift in their attack methodology.
Core Werewolf’s History and Recent Activities
According to researchers at BI.ZONE, Core Werewolf has been actively targeting Russia’s defense-industrial complex and critical information infrastructure organizations since 2021. The group gained notoriety in April 2023 when they allegedly attempted to breach the 102nd Russian military base, highlighting their focus on high-value military targets.
New AutoIt Loader: A Game-Changer in Stealth
The introduction of the AutoIt loader in September 2023 represents a strategic move by Core Werewolf to enhance their ability to remain undetected within compromised networks. AutoIt, a popular scripting language, allows the group to create malware that can potentially evade traditional security measures, prolonging their presence in targeted systems.
Attack Vector Evolution
Core Werewolf has expanded its attack vectors beyond email-based phishing campaigns. The group now leverages messaging platforms, particularly Telegram, to distribute malicious files. This multi-channel approach increases the chances of successful infiltration and demonstrates the group’s adaptability.
Anatomy of a Core Werewolf Attack
The typical attack sequence involves the following steps:
1. Phishing emails containing links to RAR archives are sent to targets.
2. These archives contain self-extracting (SFX) files, which include:
- A malicious script
- A legitimate AutoIt interpreter
- A decoy PDF document
3. When the user opens the archive, the contents are extracted to the TEMP folder.
4. The AutoIt interpreter executes the loader, which then installs malware on the compromised device.
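The chain above (SFX stub extracts a script, a legitimate AutoIt interpreter and a decoy PDF into TEMP, then the interpreter runs the script) leaves a recognisable process-creation pattern. The following detection sketch is an added example written for this article; it is not BI.ZONE's tooling and not code from the report. It assumes process-creation events shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, OriginalFileName); the sample events, paths and file names are constructed for the example and are not indicators from the report. Because the group ships a legitimate interpreter that could simply be renamed, the check also matches on the PE's embedded OriginalFileName rather than on the on-disk name alone.

```python
"""
Detection sketch for the SFX -> AutoIt-interpreter -> script chain.

Input events mimic Sysmon Event ID 1 (process creation) fields. Every
event below is constructed for this example; none is real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# User-writable staging locations that an SFX archive typically extracts into.
TEMP_DIR_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.IGNORECASE
)
# Names of the stock AutoIt interpreter binaries (assumption: the legitimate
# interpreter dropped by the SFX keeps its embedded OriginalFileName even
# when renamed on disk).
AUTOIT_NAMES = {"autoit3.exe", "autoit3_x64.exe"}
# Compiled (.a3x) or source (.au3) AutoIt script passed on the command line.
AUTOIT_SCRIPT_RE = re.compile(r"\.a3x\b|\.au3\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    original_file_name: str = ""


@dataclass
class Finding:
    severity: str
    reasons: list[str]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_autoit_interpreter(ev: ProcessEvent) -> bool:
    """True if the image is the AutoIt interpreter, by on-disk or embedded name."""
    return (_basename(ev.image) in AUTOIT_NAMES
            or ev.original_file_name.lower() in AUTOIT_NAMES)


def score_event(ev: ProcessEvent) -> Finding | None:
    """Return a Finding when the event resembles the SFX/AutoIt chain, else None."""
    if not is_autoit_interpreter(ev):
        return None
    reasons = ["AutoIt interpreter executed"]
    if _basename(ev.image) not in AUTOIT_NAMES:
        reasons.append("interpreter renamed on disk (OriginalFileName mismatch)")
    if TEMP_DIR_RE.search(ev.image):
        reasons.append("interpreter runs from a TEMP directory")
    if TEMP_DIR_RE.search(ev.parent_image):
        reasons.append("parent (likely SFX stub) runs from a TEMP directory")
    if AUTOIT_SCRIPT_RE.search(ev.command_line) and TEMP_DIR_RE.search(ev.command_line):
        reasons.append("script argument located in a TEMP directory")
    # A lone interpreter launch from a normal install path is routine admin use.
    if len(reasons) == 1:
        return None
    severity = "high" if len(reasons) >= 3 else "medium"
    return Finding(severity, reasons)


def scan(events: list[ProcessEvent]) -> list[tuple[str, Finding]]:
    """Run score_event over a batch and keep only the events that fired."""
    return [(ev.image, f) for ev in events if (f := score_event(ev)) is not None]


# Constructed sample events (not real indicators).
SAMPLE_EVENTS = [
    ProcessEvent(  # interpreter and script dropped by an SFX stub into TEMP
        image=r"C:\Users\user\AppData\Local\Temp\pkg\AutoIt3.exe",
        command_line=r'"C:\Users\user\AppData\Local\Temp\pkg\AutoIt3.exe" '
                     r"C:\Users\user\AppData\Local\Temp\pkg\script.a3x",
        parent_image=r"C:\Users\user\AppData\Local\Temp\document.exe",
        original_file_name="AutoIt3.exe",
    ),
    ProcessEvent(  # same interpreter, renamed on disk to blend in
        image=r"C:\Users\user\AppData\Local\Temp\svc.exe",
        command_line=r'"C:\Users\user\AppData\Local\Temp\svc.exe" '
                     r"C:\Users\user\AppData\Local\Temp\settings.a3x",
        parent_image=r"C:\Users\user\Downloads\report.exe",
        original_file_name="AutoIt3.exe",
    ),
    ProcessEvent(  # benign: installed interpreter running a script from a normal path
        image=r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
        command_line=r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Scripts\build.au3',
        parent_image=r"C:\Windows\explorer.exe",
        original_file_name="AutoIt3.exe",
    ),
    ProcessEvent(  # unrelated process
        image=r"C:\Windows\System32\notepad.exe",
        command_line="notepad.exe",
        parent_image=r"C:\Windows\explorer.exe",
        original_file_name="NOTEPAD.EXE",
    ),
]


if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {image}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Scoring on the combination of interpreter, TEMP staging path and TEMP-resident parent, rather than on any single attribute, keeps a normally installed AutoIt build out of the alert queue while still catching the renamed-interpreter variant through OriginalFileName.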
The Rationale Behind Evolving Tactics
Oleg Skulkin, head of BI.ZONE Threat Intelligence, explains the group’s strategy: “The detectability of their tools is constantly increasing. As a result, the criminals are modifying their arsenal, hoping this will allow them to remain undetected in the victim’s IT infrastructure for longer. The less frequently a tool is used in attacks, the greater the chances that security measures will not be able to recognize it.”
This continuous evolution of tactics underscores the persistent and adaptive nature of advanced threat actors like Core Werewolf. As cybersecurity measures improve, these groups innovate to maintain their effectiveness, creating a constant cat-and-mouse game between attackers and defenders.
The emergence of Core Werewolf’s new AutoIt loader serves as a stark reminder of the ever-present threat to critical infrastructure and defense industries. Organizations must remain vigilant, continuously update their security protocols, and invest in advanced threat detection capabilities to defend against such sophisticated and evolving threats. As the cybersecurity landscape continues to shift, proactive measures and information sharing among security professionals become increasingly crucial in staying one step ahead of determined adversaries.