A hacker group called Paper Werewolf, also known as GOFFEE, has been targeting only Russian organizations using a new hacking tool called PowerModul.
According to a new report from Kaspersky, these attacks happened between July and December 2024, and they targeted companies in the media, telecom, construction, government, and energy sectors.
Since 2022, Paper Werewolf has carried out at least seven hacking campaigns, mostly targeting government, energy, finance, media, and other important sectors, says cybersecurity firm BI.ZONE.
The hacker group doesn't just spy; it also causes disruption by changing employee passwords after breaking in.
They start their attacks using phishing emails with infected documents. If someone opens the file and enables macros, it installs a tool called PowerRAT, which lets the hackers control the system remotely.
Once inside, PowerRAT can install more advanced tools such as PowerTaskel and QwakMyAgent (custom agents built on the Mythic framework), as well as OWOWA, a tool that steals Microsoft Outlook credentials from users who log in through the web interface.
In the most recent campaign, Kaspersky found that the hackers sent a RAR archive (a compressed folder) as an email attachment. Inside is a program that looks like a PDF or Word file but is actually an executable with a deceptive double extension such as .pdf.exe or .doc.exe, meant to fool people into opening it.
When someone runs the file, a genuine-looking document is downloaded from the internet and opened to avoid suspicion. Meanwhile, in the background, the malicious software installs itself.
The file used in the attack is a real Windows system file like explorer.exe, but the hackers modify part of its code to include malicious instructions called shellcode.
The shellcode carries a hidden agent based on the Mythic framework that immediately connects to the hackers' server to receive and carry out commands.
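The disguised-attachment naming described above (a document extension placed in front of the real .exe) lends itself to a simple mail-gateway or triage check. The following Python is an added example for illustration, not code from Kaspersky's report or from the malware; the extension lists and the sample archive listing are constructed.

```python
"""Flag deceptively named attachments in an archive listing (constructed example)."""
from __future__ import annotations

# Extensions Windows will run directly; a decoy document extension in front
# of one of these is the trick described in the campaign.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
# Document-like extensions used as the visible "decoy" part of the name.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
# Office formats that can carry VBA macros (the macro-dropper path).
MACRO_EXTS = {".doc", ".docm", ".xls", ".xlsm", ".dot", ".dotm"}

# Constructed RAR listing, not taken from any real sample.
SAMPLE_LISTING = ["docs/Contract_2024.pdf.exe", "Notice.doc   .exe",
                  "Agenda.docm", "readme.txt", "photo.jpg"]


def _extensions(name: str) -> list[str]:
    """Return lowercase extension parts, e.g. 'Report.pdf .EXE' -> ['.pdf', '.exe'].
    Whitespace padding (used to push the real extension out of view) is stripped,
    as is any directory prefix inside the archive."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    pieces = [p.strip().lower() for p in base.split(".")]
    return ["." + p for p in pieces[1:] if p]


def classify_attachment(name: str) -> str | None:
    """Return a reason string if the file name is suspicious, else None."""
    exts = _extensions(name)
    if not exts:
        return None
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        decoys = [e for e in exts[:-1] if e in DECOY_EXTS]
        if decoys:
            return f"double-extension executable: {decoys[-1]} disguises {final}"
        return f"executable attachment: {final}"
    if final in MACRO_EXTS:
        return f"macro-capable Office document: {final}"
    return None


def scan_listing(names: list[str]) -> list[tuple[str, str]]:
    """Run classify_attachment over every member name; return only the hits."""
    return [(n, r) for n in names if (r := classify_attachment(n))]


if __name__ == "__main__":
    for member, reason in scan_listing(SAMPLE_LISTING):
        print(f"{member!r}: {reason}")
```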
There’s another, more complicated attack method the hackers use. In this, the threat actors send a RAR file that contains a Microsoft Office document. When someone opens it and enables macros, the document acts as a dropper, meaning it secretly installs and runs a tool called PowerModul.
PowerModul is a PowerShell script that connects to the hackers' server and can download and run further PowerShell scripts.
This backdoor has been used since early 2024, mainly to install another tool called PowerTaskel on infected computers.
Other tools that PowerModul can install include FlashFileGrabber, FlashFileGrabberOffline, and USB Worm.
PowerTaskel works a lot like PowerModul. It can also run PowerShell scripts sent from the hackers' command-and-control (C2) server, but it can do more.
It can send back a check-in message with details about the infected computer or network, execute commands sent by the hackers, and try to gain higher (admin) access on the system using a tool called PsExec.
In at least one case, PowerTaskel was used to run a special script called FolderFileGrabber. This tool does everything FlashFileGrabber does, such as stealing files from USB drives, but it can also grab files from other computers over network paths using the SMB file-sharing protocol.
Kaspersky said this is the first time the hackers have used Word documents with malicious VBA scripts to start an attack. Lately, they have been using the Mythic agent more often instead of PowerTaskel, especially for lateral movement.
At the same time, another hacking group called Sapphire Werewolf has been linked to a phishing campaign that spreads a new version of Amethyst, a tool based on the open-source SapphireStealer.
This malware can steal saved passwords from Telegram and from web browsers such as Chrome, Opera, Yandex, and Brave. It can also steal FileZilla login data and SSH configuration files, and collect documents, including those stored on USB drives or external storage.