Skip to main content

Werewolf Hackers Exploiting WinRAR Vulnerability To Deploy RingSpy Backdoor

posted onApril 2, 2024
by l33tdawg

Active since 2023, the Mysterious Werewolf cluster has shifted targets to the military-industrial complex (MIC) by using phishing emails with a weaponized archive.

The archive contains a seemingly legitimate PDF document along with a malicious CMD file, and when the victim opens the archive and double-clicks the PDF, the CMD file executes, deploying the RingSpy backdoor onto the compromised system.

Malware replaces the Athena agent of the Mythic framework, a strategy that Mysterious Werewolf previously employed in earlier campaigns. Tactics have shifted, with the Athena agent being swapped for the RingSpy backdoor written in Python, where the group utilizes legitimate services to maintain control of compromised systems, using a Telegram bot as a command and control server.  

Source

Tags

Industry News

You May Also Like

Recent News

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th

Friday, June 7th