Attacks with novel PowerModul implant target Russia

Russian government, energy, telecommunications, mass media, and construction entities have been targeted by the Paper Werewolf threat operation, also known as GOFFEE, in attacks spreading the novel PowerModul backdoor between July and December, The Hacker News reports.
Paper Werewolf's latest intrusions took one of two forms, according to an analysis from Kaspersky: malicious RAR archives carrying an executable disguised as a Word or PDF document, which opens a decoy file while the compromise proceeds in the background, or a RAR archive that facilitates the execution of PowerModul. Although PowerModul was initially used to deliver the PowerTaskel payload in early 2024, it has since been modified to distribute the FlashFileGrabber and FlashFileGrabberOffline payloads, which exfiltrate files stored on removable media, as well as the USBWorm tool, which compromises media devices with a copy of PowerModul. Kaspersky researchers also found that Paper Werewolf has been transitioning to the binary Mythic agent for lateral movement.