The BI.ZONE Threat Intelligence team has reported a surge in activity from the espionage cluster known as Paper Werewolf (also referred to as GOFFEE). Operating since at least 2022, the group has launched seven known campaigns targeting government, energy, financial, media, and other sectors. While initially focused on espionage, their tactics have evolved to include disruptive operations.
Paper Werewolf’s campaigns primarily rely on phishing emails containing Microsoft Word attachments with malicious macros. These emails are often disguised as legitimate communications from reputable institutions like regulatory bodies or law enforcement, exploiting the victims’ trust to deliver their payloads. As BI.ZONE explains, “The distributed files are masked as documents from various organizations (a research institution, a municipal administration, a power grid company, etc.).”
When victims enable macros in these documents, a decryption process begins, launching a PowerShell-based reverse shell called PowerRAT. This tool not only facilitates remote control but also hides malicious files using environment variables and encrypts payloads to evade detection.
While espionage remains a core focus, Paper Werewolf has demonstrated a capability for outright sabotage. In one instance, the attackers used PowerShell scripts to run destructive commands, such as deleting critical registry keys and forcing system restarts. As noted in the report, “While primarily committed to cyber espionage, such clusters can ruin the operation of target infrastructures simply out of spite, once their primary goal is achieved.”
The adversaries’ arsenal includes custom implants and adaptations of open-source tools. For instance, they’ve employed the Mythic post-exploitation framework and created agents like PowerTaskel and QwakMyAgent. These implants, combined with a malicious IIS module named Owowa, allow them to extract credentials from Outlook Web Access (OWA) sessions, storing them temporarily in RAM for stealth.
Additionally, Paper Werewolf leverages tools such as Chisel to establish redundant access channels and PsExec for remote command execution. These tools enable them to maintain persistence and wreak havoc on compromised systems.
Paper Werewolf’s shift from espionage to destructive activities signals a troubling evolution in cyber threat dynamics. Organizations must remain vigilant, adopting robust phishing defenses and monitoring for unusual PowerShell activity. BI.ZONE emphasizes the importance of securing IT environments against these sophisticated tactics: “The attackers opt for the PowerShell interpreter as a versatile tool that enables them to bypass corporate defenses.”
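The report's detection advice (watch for unusual PowerShell activity) maps directly onto the behaviours it describes: Office documents launching PowerShell, a payload stashed in an environment variable and executed in memory, and destructive commands such as registry deletion and forced restarts. The following is an added example of a simple triage heuristic for process-creation telemetry; it is not BI.ZONE's code and contains no indicator from the report. The event field names (`ParentImage`, `Image`, `CommandLine`, `RecordId`) loosely follow Sysmon Event ID 1 but are assumptions, and the four sample events are constructed for illustration.

```python
"""Heuristic triage of process-creation events for the PowerShell
behaviours described in the article. Added example, not the report's
own tooling; field names, weights and sample events are assumptions."""
import re
from dataclasses import dataclass, field

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# (rule name, weight, regex applied to the command line)
RULES = [
    # payload read from an environment variable and executed in memory
    ("env_var_payload", 40, re.compile(
        r"\$env:\w+.*?(iex|invoke-expression)|(iex|invoke-expression).*?\$env:\w+", re.I)),
    ("encoded_command", 30, re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I)),
    ("hidden_window", 10, re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    # destructive actions: registry key deletion and forced restart
    ("registry_deletion", 50, re.compile(
        r"reg(\.exe)?\s+delete|remove-item\s+[\"']?hk(lm|cu)", re.I)),
    ("forced_restart", 50, re.compile(
        r"shutdown(\.exe)?\s+(/r|/s)|restart-computer", re.I)),
]


@dataclass
class Finding:
    record_id: int
    score: int = 0
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> Finding:
    """Score one event; only PowerShell child processes are considered."""
    f = Finding(record_id=event["RecordId"])
    if _basename(event.get("Image", "")) not in POWERSHELL:
        return f
    parent = _basename(event.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:          # macro-launched interpreter
        f.score += 60
        f.reasons.append(f"office_parent:{parent}")
    cmd = event.get("CommandLine", "")
    for name, weight, rx in RULES:
        if rx.search(cmd):
            f.score += weight
            f.reasons.append(name)
    return f


def triage(events, threshold: int = 50):
    """Return findings at or above the alerting threshold, in event order."""
    return [f for f in map(analyze, events) if f.score >= threshold]


# Constructed sample telemetry (not real data): one macro-style launch,
# one benign admin command, one destructive script, one unrelated process.
SAMPLE_EVENTS = [
    {"RecordId": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": '-w hidden -ep bypass -c "IEX ([Text.Encoding]::UTF8.GetString('
                    '[Convert]::FromBase64String($env:PSCFG)))"'},
    {"RecordId": 2,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "-c Get-ChildItem C:\\Users"},
    {"RecordId": 3,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "-c \"Remove-Item 'HKLM:\\SOFTWARE\\ExampleVendor' -Recurse; "
                    "Restart-Computer -Force\""},
    {"RecordId": 4,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "-k netsvcs"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"record {finding.record_id}: score={finding.score} "
              f"reasons={finding.reasons}")
```

Weights are deliberately coarse: an Office parent alone crosses the threshold, while an encoded command or hidden window on its own does not, because those flags are common in legitimate automation; pair the output with script block logging (Event ID 4104) to see what the environment-variable payload actually decoded to.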