Concise Cyber

Bloody Wolf Threat Actor Expands Cyber-Espionage Campaign in Central Asia

The cyber-espionage group known as Bloody Wolf has expanded its operational activities, targeting organizations across Central Asia. The campaign has been observed focusing on government, military, and law enforcement entities in countries including Afghanistan, Iran, Pakistan, Tajikistan, and Uzbekistan. The threat actor has also been linked to activities targeting Russia.

Researchers at Intezer have been tracking this campaign since May 2022. The group’s primary method of attack is spear-phishing with malicious decoy documents, whose themes are chosen to match regional political and military affairs so that targets are more likely to open them.

Tactics and Custom Malware

Bloody Wolf employs a specific set of tools to infiltrate and control target systems. One of the key components is Royal-Road, a Rich Text Format (RTF) weaponizer. This tool is used to exploit known vulnerabilities, such as CVE-2018-0802, to gain initial access to a victim’s machine.
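The initial-access step above rests on an RTF document carrying an embedded OLE object for Equation Editor, the Office component patched for CVE-2018-0802. A defender can flag such documents statically, before they are opened, by looking for the Equation Editor class name and CLSID inside the RTF. The following Python triage script is an added example written for this article; it is not code from Intezer, BlackBerry, or the article's source, and it does not parse the Royal Road format in particular. The Equation.3 class name and the CLSID 0002CE02-0000-0000-C000-000000000046 are real public values; the sample RTF it builds is constructed for the demonstration and is not a real malicious document.

```python
"""Static triage of RTF files for embedded Equation Editor OLE objects.

Equation Editor (EQNEDT32.EXE) is the Office component patched for
CVE-2018-0802. RTF weaponizers deliver the exploit as an embedded OLE
object, so its class name or CLSID inside an RTF is a cheap first signal
for a mail gateway or sandbox pre-filter, with no need to open the file.
"""
import re
import uuid

# Equation Editor 3.0 OLE class name and CLSID (real, public values).
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID_LE = uuid.UUID("0002ce02-0000-0000-c000-000000000046").bytes_le

# \objclass names the OLE class; \objdata carries the hex-encoded object.
OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\\{}\s]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(blob: bytes) -> bytes:
    """Decode the hex payload of one \\objdata group, ignoring whitespace."""
    hexdata = re.sub(rb"\s+", b"", blob)
    if len(hexdata) % 2:  # tolerate a truncated trailing nibble
        hexdata = hexdata[:-1]
    return bytes.fromhex(hexdata.decode("ascii"))


def find_equation_objects(rtf: bytes) -> list:
    """Return one finding per indicator of an embedded Equation object.

    Indicators checked:
      * an \\objclass control word naming Equation.3
      * decoded \\objdata containing the Equation.3 class name (OLE1 header)
      * decoded \\objdata containing the Equation Editor CLSID (LE bytes)
    """
    findings = []
    for m in OBJCLASS_RE.finditer(rtf):
        if m.group(1).startswith(EQUATION_PROGID):
            findings.append({"indicator": "objclass", "offset": m.start()})
    for m in OBJDATA_RE.finditer(rtf):
        data = decode_objdata(m.group(1))
        if EQUATION_PROGID in data:
            findings.append({"indicator": "objdata-classname", "offset": m.start()})
        if EQUATION_CLSID_LE in data:
            findings.append({"indicator": "objdata-clsid", "offset": m.start()})
    return findings


def triage(rtf: bytes) -> str:
    """Map findings to a verdict a pipeline can act on (quarantine vs. pass)."""
    return "suspicious" if find_equation_objects(rtf) else "clean"


def build_sample_rtf() -> bytes:
    """Constructed sample RTF (assumption: not a real Royal Road document).

    The OLE1 header layout below is only approximate; it exists to place the
    class name and CLSID where the scanner expects them.
    """
    ole1 = (
        b"\x01\x05\x00\x00"                              # OLE1 version
        + b"\x02\x00\x00\x00"                            # embedded object
        + len(EQUATION_PROGID + b"\x00").to_bytes(4, "little")
        + EQUATION_PROGID + b"\x00"                      # class name
        + b"\x00" * 8                                    # topic/item lengths
        + EQUATION_CLSID_LE                              # CLSID, LE byte order
        + b"A" * 16                                      # placeholder data
    )
    hexpayload = ole1.hex().encode("ascii")
    # Break the hex into lines the way RTF writers usually do.
    lines = b"\n".join(hexpayload[i:i + 64] for i in range(0, len(hexpayload), 64))
    return (b"{\\rtf1\\ansi\n{\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata\n" + lines + b"}}\n}")


if __name__ == "__main__":
    sample = build_sample_rtf()
    for f in find_equation_objects(sample):
        print(f"{f['indicator']:18} at byte {f['offset']}")
    print("verdict:", triage(sample))
```

In practice this scanner sits in front of a sandbox rather than replacing one: a hit on any indicator is enough to hold the message, while a clean result only means the document does not embed Equation Editor in an obvious way, since RTF can obfuscate control words and payload encoding in ways this regex pass does not unwrap.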

Once access is established, the group deploys a custom malware family named Poison-Plug. This is a modular backdoor designed for comprehensive espionage activities. Its capabilities include system reconnaissance, file exfiltration, and the execution of commands sent from a command-and-control (C2) server. Poison-Plug utilizes TCP sockets for its C2 communications, allowing the attackers to maintain control over the compromised system.

Attribution and Connections

Cybersecurity researchers from both Intezer and BlackBerry have linked the Bloody Wolf threat actor to a known China-based group. This group is identified by various names, including Bronze President, HoneyMyte, and Mustang Panda. The attribution is based on analysis of the Tactics, Techniques, and Procedures (TTPs) and the shared infrastructure used in the campaigns.

The continued activity and expansion of Bloody Wolf indicate a persistent cyber-espionage effort focused on gathering intelligence from strategically important organizations within Central Asia. The use of custom malware and politically themed lures demonstrates a targeted approach to its operations.

Source: https://www.infosecurity-magazine.com/news/bloody-wolf-expands-central-asia/