A new wave of cyber activity has emerged from the threat actor known as Paper Werewolf, focusing its efforts on Russian organizations with a novel implant dubbed PowerModul. Spanning from July to December 2024, these operations have targeted various sectors, including mass media, telecommunications, construction, government, and energy, as outlined in a recent report by Kaspersky.
Known also as GOFFEE, Paper Werewolf has been active since at least 2022, conducting no fewer than seven distinct campaigns aimed primarily at government, financial, and media sectors, according to insights from BI.ZONE. Notably, these attacks have evolved to incorporate more disruptive techniques, extending beyond mere espionage to include alterations of employee account passwords, amplifying the potential damage.
The modus operandi begins with phishing emails carrying documents that contain macros. When a recipient opens the document and enables macros, the macro deploys a PowerShell-based remote access trojan named PowerRAT. This initial foothold is then used to deliver further malicious payloads, with the aim of establishing a persistent backdoor on the compromised systems.
The malware serves as a facilitator for additional payloads, which often include variants of the Mythic framework, such as PowerTaskel and QwakMyAgent. Furthermore, the threat actor utilizes a malicious IIS module called Owowa to capture Microsoft Outlook credentials from victims using web clients.
Kaspersky’s report reveals that the latest attacks initiate with a malicious RAR file attachment, disguising executable files as PDFs or Word documents with deceptive double extensions (e.g., *.pdf.exe). Upon execution, these files download a decoy document while proceeding with the infection process in the background. The embedded malicious code is crafted to communicate with command-and-control servers, establishing a foothold for further operations.
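The double-extension trick described above (an executable named so that the last extension a reader notices is .pdf or .docx) is easy to screen for at the mail gateway or when an archive is unpacked for inspection. The following is an added example, not code from Kaspersky's report or from the campaign: it classifies archive member names, flags executables that carry a document-looking extension in front of the real one, and generalizes the page's *.pdf.exe case to a list of executable extensions and to names padded with spaces before the real extension. The sample listing is constructed for the demonstration; the file names are not indicators from the campaign.

```python
"""Flag archive members whose names masquerade as documents (added example)."""
from typing import List, NamedTuple, Optional

# Extensions Windows will execute directly. Any file ending in one of these
# is an executable regardless of what comes before it in the name.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "ps1", "lnk", "msi",
}
# Extensions an attacker places in front of the real one so the name reads
# like a harmless document (the article's *.pdf.exe pattern).
DOCUMENT_EXTENSIONS = {
    "pdf", "doc", "docx", "rtf", "xls", "xlsx", "ppt", "pptx", "txt",
}


class Finding(NamedTuple):
    filename: str
    shown_as: str   # extension the reader is meant to see ("" if none)
    real_type: str  # extension Windows actually acts on
    reason: str     # "double_extension" or "executable_attachment"


def classify_attachment(name: str) -> Optional[Finding]:
    """Return a Finding if the name looks like a disguised executable, else None."""
    # Use only the base name so directory components inside the archive are ignored.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Strip whitespace around each token: "notes.docx      .scr" is the same trick
    # with padding that pushes the real extension out of view.
    tokens = [t.strip().lower() for t in base.split(".")]
    if len(tokens) < 2:
        return None  # no extension at all
    real_type = tokens[-1]
    if real_type not in EXECUTABLE_EXTENSIONS:
        return None
    shown_as = tokens[-2] if tokens[-2] in DOCUMENT_EXTENSIONS else ""
    if shown_as:
        return Finding(base, shown_as, real_type, "double_extension")
    return Finding(base, "", real_type, "executable_attachment")


def scan_archive_listing(names: List[str]) -> List[Finding]:
    """Classify every member name and keep only the suspicious ones."""
    return [f for f in (classify_attachment(n) for n in names) if f is not None]


# Constructed sample listing modelled on the naming trick the article
# describes; these are not real file names from the campaign.
SAMPLE_LISTING = [
    "Contract_2024.pdf.exe",
    "Quarterly report.docx",
    "Meeting notes.docx                .scr",
    "readme.txt",
    "photos/update.exe",
]

if __name__ == "__main__":
    for f in scan_archive_listing(SAMPLE_LISTING):
        shown = f.shown_as or "-"
        print(f"{f.reason:22} {f.filename!r}: shown as {shown}, runs as .{f.real_type}")
```

In practice this check belongs alongside, not instead of, content inspection: the real file type should be confirmed from the member's bytes, since a name is only a hint. Stripping whitespace in each token is what catches padded names; names with no executable extension at all are left alone so ordinary documents are not flagged.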
In a more complex attack scheme, RAR archives contain Microsoft Office documents equipped with macros that act as droppers for the PowerModul implant. This PowerShell script can receive and execute additional scripts issued from the command-and-control infrastructure. The deployment of this backdoor reportedly began in early 2024, with its primary function initially involving the loading of PowerTaskel onto compromised hosts.
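Both infection chains the article describes (macro to PowerRAT, and macro to the PowerModul PowerShell script) share one observable: an Office application spawning a PowerShell host. The following is an added example, not code from the report, of a small detection over process-creation events. The events are constructed here and follow the field names of Sysmon event ID 1 (Image, ParentImage, CommandLine, Computer), serialized as one JSON object per line; the command-line flags treated as suspicious are common PowerShell options, and the base64 string is a placeholder rather than anything taken from the campaign.

```python
"""Flag Office applications spawning script hosts (added example)."""
import json
from typing import Dict, Iterable, List, NamedTuple, Optional

# Parent processes that should practically never launch a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children worth alerting on when launched from an Office parent.
CHILDREN_OF_INTEREST = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}
# PowerShell options that commonly accompany macro-launched loaders. Matched as
# lowercase substrings, so "-enc" also matches "-encodedcommand".
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-nop", "-w hidden", "bypass", "downloadstring", "iex")


class Alert(NamedTuple):
    host: str
    parent: str
    child: str
    command_line: str
    indicators: List[str]


def image_name(path: str) -> str:
    """Reduce a full image path to its lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate_event(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if an Office parent launched a child of interest."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in CHILDREN_OF_INTEREST:
        return None
    cmd = event.get("CommandLine", "")
    lowered = cmd.lower()
    indicators = [flag for flag in SUSPICIOUS_FLAGS if flag in lowered]
    return Alert(event.get("Computer", "?"), parent, child, cmd, indicators)


def scan_events(lines: Iterable[str]) -> List[Alert]:
    """Parse one JSON event per line and collect alerts."""
    alerts = []
    for line in lines:
        alert = evaluate_event(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry). Only the first should alert:
# WINWORD launching a hidden, encoded PowerShell, as a macro dropper would.
SAMPLE_EVENTS = [
    json.dumps({
        "Computer": "ws01.example.test",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFB",  # placeholder base64
    }),
    json.dumps({  # user opening a shell from Explorer: benign
        "Computer": "ws01.example.test",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe",
    }),
    json.dumps({  # Outlook opening an attachment in Word: benign
        "Computer": "ws02.example.test",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "CommandLine": "WINWORD.EXE /n",
    }),
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.parent} -> {a.child} indicators={a.indicators}")
```

The parent/child pair alone is a strong signal; the flag list only adds context for triage. Enforcing a macro-blocking policy for documents from the internet removes the execution step this detection watches for, so the two belong together.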
PowerModul also includes payloads such as FlashFileGrabber, designed for exfiltrating files from removable media, and the USB Worm, which propagates the PowerModul backdoor across connected drives. PowerTaskel mirrors PowerModul’s capabilities by running scripts from the C2 server while also collecting intelligence from infected environments.
The threat landscape is further complicated by the emergence of new techniques. Paper Werewolf recently moved to malicious VBA scripts embedded in Word documents as its primary infection vector. Together with the group's move away from PowerTaskel in favor of the binary Mythic agent, this shift signals a pivot toward more sophisticated attack tooling.
The recent activity of Paper Werewolf occurs in an environment where similar phishing campaigns are being run by other threat groups, including Sapphire Werewolf, which has been observed distributing updated malware variants that target sensitive data, including credentials from popular messaging and web browser applications.
As these threats evolve, it is crucial for organizations to strengthen their cybersecurity posture by implementing vigilant monitoring and incident response strategies in alignment with the MITRE ATT&CK framework. Understanding potential tactics—such as initial access, execution, persistence, and exfiltration—can provide valuable insights for fortifying defenses against these increasingly sophisticated attacks.