Rare Wolf Group Steals Data Using Fake 1C:Enterprise Invoices
BI.ZONE Threat Intelligence experts have identified the Rare Wolf group, which uses phishing and the legitimate monitoring tool Mipko Employee Monitor to attack Russian organizations. Previously, the group targeted neighboring countries, but now Russian organizations are also at risk. The group has been active since at least 2019 and aims to steal confidential documents and saved passwords and to gain access to victims’ Telegram accounts.
Phishing Tactics and Infection Process
Researchers report that the attackers sent phishing emails disguised as payment notifications. Each email included an archive that supposedly contained a 1C:Enterprise invoice and an electronic key for accessing it. In reality, the archive contained a file with a .scr (Windows screen saver) extension, which is an executable.
When this file was opened, several archives with tools were downloaded onto the victim’s computer. Using these tools, the attackers collected all documents stored on the compromised system’s drive, extracted passwords saved in browsers, and copied the Telegram messenger data folder.
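The lure described above relies on an archive whose member is an executable (.scr) dressed up as an invoice, often with a double extension such as "invoice.pdf.scr". The following Python triage function is an added example for mail-gateway or sandbox pre-screening; it is not BI.ZONE's code or anything from the report. It opens a ZIP attachment in memory and flags members with an executable extension, a document-looking double extension, a PE ("MZ") header under a non-executable name, or an invoice-themed lure name. The extension set and lure keywords are assumptions chosen for illustration, and the sample archive is constructed inline rather than taken from the real campaign.

```python
"""Defender-side triage of an e-mail attachment archive.

Flags archive members that present themselves as invoices or documents
but would actually run as Windows executables when double-clicked.
"""
import io
import re
import zipfile
from typing import Dict, List

# Extensions Windows executes on double-click; .scr (screen saver) is a PE file.
# This list is an illustrative assumption, not an exhaustive policy.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".lnk"}
# Document extensions commonly used as the "inner" part of a double extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
# Invoice/payment lure words (English and Russian); assumed keyword list.
LURE_KEYWORDS = re.compile(r"(invoice|payment|bill|счет|счёт|оплат)", re.IGNORECASE)


def suspicious_members(archive_bytes: bytes) -> List[Dict]:
    """Return a list of findings for members of a ZIP archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            parts = lower.split(".")
            # Windows decides how to open a file by its LAST suffix only.
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []

            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")

            # "invoice.pdf.scr": with hidden extensions the user sees "invoice.pdf".
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("double extension masquerading as a document")

            # A renamed executable still starts with the PE/DOS "MZ" magic.
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header under non-executable name")

            # Lure wording only matters when the member is already suspicious.
            if reasons and LURE_KEYWORDS.search(name):
                reasons.append("invoice-themed lure name")

            if reasons:
                findings.append({"name": name, "size": info.file_size,
                                 "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample resembling the described lure; not the real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake "invoice" that is really a screen-saver executable (MZ stub only).
        zf.writestr("Счет_на_оплату.pdf.scr", b"MZ" + b"\x00" * 62)
        # Benign-looking text file used as the "electronic key" decoy.
        zf.writestr("key.txt", b"not a key")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

In a gateway this function would run over each attachment before delivery; a non-empty result is a reason to quarantine the message and alert, not merely to strip the member, because the sender infrastructure and lure template are themselves indicators worth tracking.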
Telegram Account Compromise
This Telegram folder contained, among other things, an encrypted session key that allowed the criminals to access the compromised account without going through authentication. This enabled them to secretly monitor all messages and files sent, without the victim’s knowledge, and the new sessions did not appear in the account’s activity history.
Data Exfiltration and Monitoring
All collected information was sent to an email address controlled by the hackers, using a utility that sends data from the command line.
Afterward, the Mipko Employee Monitor program was installed on the compromised system. While this is legitimate software typically used by corporate security teams to monitor employee activity, the hackers used it to capture keystrokes, clipboard contents, screenshots, and even images from the device’s camera.
Expert Commentary
“Attackers continue to use legitimate tools for their attacks. This not only allows them to bypass many security measures but also helps them remain undetected within compromised infrastructure for extended periods, effectively blending in. It’s important to understand that developers and vendors of legitimate software are not responsible for the unintended and illegal use of their products,” commented Oleg Skulkin, Head of BI.ZONE Threat Intelligence.