Cavalry Werewolf Strikes with FoalShell & RAT

Cavalry Werewolf attacks with cyber campaign

Researchers recently tracked a campaign by Cavalry Werewolf against public agencies and private firms. The attackers gained initial access through phishing, and many of the victims were state bodies and critical-sector organizations.

How the attackers operated

The group sent targeted emails that looked official. Some came from addresses tied to real regulators; others used fabricated Kyrgyz government identities. The emails carried RAR archives as attachments, and those archives delivered the FoalShell or StallionRAT payloads.

About the malware

FoalShell is a lightweight reverse shell that has been seen in Go, C++, and C# versions; it gives the operator a remote command prompt by running commands through cmd.exe. StallionRAT is more fully featured and exists in Go, PowerShell, and Python variants. It can execute commands and load files onto the host, and it receives tasking and exfiltrates data through a Telegram bot interface.

Capabilities and tools

The Telegram bot supports several commands: /list returns the compromised hosts, /go [DeviceID] [command] executes a command on a chosen victim, and the bot can also request file uploads from a host. The attackers additionally ran ReverseSocks5Agent tools on compromised hosts, which gave them a tunnel into the victim network, and collected system information from the machines they controlled.
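A Telegram-bot C2 such as StallionRAT's has one property a defender can hunt on without knowing the implant's hash or language: every bot client must call https://api.telegram.org/bot<TOKEN>/<method>, polling getUpdates for tasks and using sendDocument or sendMessage to push results back. The following script is an added example, not code from the original report; it scores proxy-log clients by that pattern. The Squid-style log format, the hosts, users and the bot token are constructed for this example.

```python
"""Hunt for Telegram Bot API use in web-proxy logs.

Added example, not code from the original report. Any Telegram bot client,
implant or not, must call https://api.telegram.org/bot<TOKEN>/<method>, so the
URL shape and the methods used (getUpdates to poll for tasks, sendDocument to
upload a file) are a hunting pivot that is independent of the implant build.
Log format, hosts, users and the token below are constructed for this example.
"""
import re
from collections import defaultdict

# Bot API URL: /bot<token>/<method>; a token is "<bot id>:<secret>".
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>\w+)"
)
TASKING_METHODS = {"getUpdates", "getMe"}          # implant asks the bot for work
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}  # results leave the host
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed Squid-style access.log lines:
# epoch elapsed_ms client status/code bytes method url user
SAMPLE_LOG = """\
1700000001.000 120 10.1.2.15 TCP_MISS/200 812 GET https://api.telegram.org/bot1234567890:AAFhj9s8dK3jLq0pT7yU2vW4xZ6bC8dE1fG/getUpdates ws-015
1700000031.000 118 10.1.2.15 TCP_MISS/200 805 GET https://api.telegram.org/bot1234567890:AAFhj9s8dK3jLq0pT7yU2vW4xZ6bC8dE1fG/getUpdates ws-015
1700000061.000 121 10.1.2.15 TCP_MISS/200 809 GET https://api.telegram.org/bot1234567890:AAFhj9s8dK3jLq0pT7yU2vW4xZ6bC8dE1fG/getUpdates ws-015
1700000070.000 900 10.1.2.15 TCP_MISS/200 410 POST https://api.telegram.org/bot1234567890:AAFhj9s8dK3jLq0pT7yU2vW4xZ6bC8dE1fG/sendDocument ws-015
1700000072.000 50 10.1.2.77 TCP_MISS/200 2200 GET https://web.telegram.org/a/ ws-077
1700000075.000 60 10.1.2.90 TCP_MISS/200 1500 GET https://example.org/index.html ws-090
1700000080.000 30000 10.1.2.33 TCP_TUNNEL/200 9000 CONNECT api.telegram.org:443 ws-033
"""


def parse_line(line):
    """Return the fields this hunt needs, or None for a malformed line."""
    parts = line.split()
    if len(parts) < 8:
        return None
    return {"ts": float(parts[0]), "client": parts[2], "method": parts[5],
            "url": parts[6], "user": parts[7]}


def hunt(log_text):
    """Aggregate Bot API activity per client and grade it."""
    per_host = defaultdict(lambda: {"tokens": set(), "tasking": 0, "exfil": 0,
                                    "other": 0, "connect": 0, "poll_ts": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        h = per_host[ev["client"]]
        # Without TLS inspection only the CONNECT to the API host is visible.
        if ev["method"] == "CONNECT" and ev["url"].startswith("api.telegram.org:"):
            h["connect"] += 1
            continue
        m = BOT_API_RE.match(ev["url"])
        if m is None:
            continue
        h["tokens"].add(m["token"])
        method = m["method"]
        if method in TASKING_METHODS:
            h["tasking"] += 1
            h["poll_ts"].append(ev["ts"])
        elif method in EXFIL_METHODS:
            h["exfil"] += 1
        else:
            h["other"] += 1

    findings = []
    for host, h in per_host.items():
        if not h["tokens"] and not h["connect"]:
            continue
        if h["exfil"]:
            severity = "high"      # a file or message was pushed to the bot's chat
        elif h["tasking"]:
            severity = "medium"    # polling for tasks, no upload seen yet
        else:
            severity = "low"       # only the TLS tunnel to the API host is visible
        ts = sorted(h["poll_ts"])
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        findings.append({
            "host": host, "severity": severity,
            "tasking": h["tasking"], "exfil": h["exfil"], "connect": h["connect"],
            "bot_ids": sorted(t.split(":")[0] for t in h["tokens"]),
            # a steady polling cadence is a beaconing hint worth surfacing
            "poll_interval_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
        })
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"]))


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Two caveats when running this against real data. The full URL (and therefore the token and method) is only visible in proxy logs when TLS is inspected; otherwise you get a CONNECT to api.telegram.org:443 or a TLS SNI record, which the script grades as low-confidence and which you should then correlate with endpoint process data. Second, a bot id recovered from the token identifies the operator's bot, not the victim, so it is a pivot across hosts rather than an indicator of which machine is infected.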

Links to other clusters

Researchers see overlaps with other tracked clusters, which suggests shared tooling and tactics, and analysts suspect the actor has regional ties. A separate report tied a similar backdoor to a Kazakhstan-linked actor, which strengthens the geographic hypothesis.

Scope and victims

The campaign focused on Russian state agencies and also hit energy, mining, and manufacturing firms. File names in English and Arabic, however, point to a broader target set. A researcher who reviewed underground posts and leaks found hundreds of compromises in recent months.

How attackers persisted

After breaching public-facing web applications, the attackers installed persistence tools. They often used gs-netcat to keep access to servers, alongside web shells and legitimate administration tools. They then dumped databases with tools such as mysqldump, which exposed large volumes of data.
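The behaviours described on this page, a cmd.exe reverse shell launched by a binary that came out of a mailed archive, a web shell giving the web server worker a command shell, gs-netcat for server persistence, and mysqldump run in the web server's context, all show up in process-creation telemetry as parent/child and user relationships rather than as file hashes. The following rule set is an added example, not code from the original report, and encodes them as lineage checks over endpoint process events. The event schema, the hosts, users and paths are constructed for this example; real telemetry (Sysmon event 1, auditd execve, EDR process events) has to be mapped onto these fields first, and the temp/download paths and service-account names are assumptions to adjust per environment.

```python
"""Process-lineage hunting rules for the intrusion pattern described above.

Added example, not code from the original report. Four rules over process
creation events:
  shell_from_temp_binary   - cmd.exe/powershell launched by an executable run
                             from a temp or download directory (how an
                             archive-delivered reverse shell surfaces)
  webserver_spawned_shell  - a shell whose parent is a web server worker
                             (web shell)
  gs_netcat                - gs-netcat executed anywhere on a server
  db_dump_by_web_account   - mysqldump/pg_dump/mongodump run as, or under,
                             the web server
Event schema, hosts, users and paths are constructed for this example.
"""
import re

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
WEB_WORKERS = ("apache2", "httpd", "nginx", "php-fpm", "w3wp.exe")  # basename prefixes
WEB_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}             # assumption
DUMP_TOOLS = {"mysqldump", "pg_dump", "mongodump"}
# Assumption: user-writable locations a mail-delivered archive is opened from.
USER_TEMP_RE = re.compile(r"[\\/](AppData[\\/]Local[\\/]Temp|Downloads)[\\/]", re.I)

# Constructed events; one benign control per rule family is included.
SAMPLE_EVENTS = [
    {"host": "ws-015", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\extracted\report.exe"},
    {"host": "ws-015", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "web01", "user": "www-data", "image": "/bin/sh", "cmdline": "sh -c id",
     "parent_image": "/usr/sbin/php-fpm8.2"},
    {"host": "web01", "user": "www-data", "image": "/usr/bin/mysqldump",
     "cmdline": "mysqldump -u app --all-databases", "parent_image": "/bin/sh"},
    {"host": "web01", "user": "www-data", "image": "/tmp/.x/gs-netcat",
     "cmdline": "/tmp/.x/gs-netcat -l -i", "parent_image": "/usr/bin/nohup"},
    {"host": "db01", "user": "root", "image": "/usr/bin/mysqldump",
     "cmdline": "mysqldump --all-databases", "parent_image": "/usr/sbin/cron"},
]


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_web_worker(image):
    b = basename(image)
    return any(b.startswith(w) for w in WEB_WORKERS)


def evaluate(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        img = basename(ev["image"])
        parent = ev.get("parent_image", "")
        cmdline = ev.get("cmdline", "")
        # strip a DOMAIN\ prefix so the account name compares cleanly
        user = ev.get("user", "").lower().split("\\")[-1]
        hits = []
        if img in SHELL_IMAGES and USER_TEMP_RE.search(parent):
            hits.append(("shell_from_temp_binary", f"{img} launched by {parent}"))
        if img in SHELL_IMAGES and is_web_worker(parent):
            hits.append(("webserver_spawned_shell", f"{basename(parent)} spawned {img}"))
        if img == "gs-netcat" or "gs-netcat" in cmdline:
            hits.append(("gs_netcat", cmdline or ev["image"]))
        if img in DUMP_TOOLS and (user in WEB_ACCOUNTS or is_web_worker(parent)):
            hits.append(("db_dump_by_web_account", f"{img} run as {user}"))
        for rule, detail in hits:
            findings.append({"host": ev["host"], "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['host']:8} {f['rule']:24} {f['detail']}")
```

The root-owned mysqldump under cron on db01 is deliberately left unflagged: the signal is not the dump tool but who runs it and from where, which is also why the rules key on parent image and account rather than on the binary's path or hash, both of which the attacker controls.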

Researchers warn that the actor is expanding its arsenal, so timely threat intelligence matters: without it, defenders may miss new tactics. Rapid detection and response helps block follow-on actions.

Prevention and remediation

To reduce risk, strengthen email and web defenses: deploy phishing-resistant email controls and URL filtering, and treat archive attachments that contain executables as hostile by default, since that is how FoalShell and StallionRAT were delivered here. Run continuous endpoint monitoring and managed detection to spot unusual activity, and where there is no business need for it, alert on egress to the Telegram Bot API, which is the channel StallionRAT uses for tasking and exfiltration. Regular threat hunting and incident playbooks speed the response once something is found. These measures map to services such as continuous monitoring and managed threat hunting offered by some security providers.

Sleep well, we got you covered.
