PowerModul Implant
The threat actor known as Paper Werewolf—also referred to as GOFFEE—has been exclusively targeting Russian organizations using a new implant called PowerModul. Between July and December 2024, their attacks zeroed in on key industries, including mass media, telecommunications, construction, government entities, and the energy sector.
A Persistent Adversary: Campaigns Since 2022
Paper Werewolf has carried out at least seven campaigns since 2022. The group's consistent focus has been on high-value targets in the government, energy, financial, and media sectors.
More than Espionage: Destructive Twists in Attack Chains
Paper Werewolf's operations go beyond traditional cyber espionage. Their attack chains have been observed incorporating disruptive components, such as changing employee account passwords, indicating an intent to cripple operations and not just steal data.
Entry Point: Phishing Lures and PowerRAT
The attacks typically begin with phishing emails carrying macro-laced documents. Once the victim opens the document and enables macros, a PowerShell-based remote access Trojan known as PowerRAT is deployed. This malware sets the stage for more advanced payloads.
Custom Malware Arsenal: PowerTaskel, QwakMyAgent and Owowa
The next-stage payloads often include PowerTaskel and QwakMyAgent, custom agents built for the Mythic post-exploitation framework. Another tool, Owowa, is a malicious IIS module that harvests Outlook Web Access credentials as users enter them through the web client.
New Infection Tactic: Disguised Executables in RAR Archives
The latest wave of attacks features a malicious RAR archive containing an executable disguised as a PDF or Word document using double extensions (e.g., *.pdf.exe). Upon execution, a decoy document is shown to the user while the system is silently infected in the background.
The executable is a modified legitimate Windows binary (explorer.exe, for instance) into which shellcode has been inserted. The shellcode launches an obfuscated Mythic agent, which connects to the C2 server for further instructions. Because the file carries a valid-looking system binary's name and structure, a hash comparison against a known-good copy is the practical way to spot the tampering.
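As an added example (not code from the original report and not part of Paper Werewolf's toolset), the following Python triage function flags the two traits this section describes: a document extension immediately followed by an executable extension, and a PE image whose displayed name looks like a document. It also compares a file that carries a system binary's name against a known-good SHA-256, which is the check for the patched explorer.exe case. The extension sets, the sample file bytes and the baseline hash table are all constructed for the demo; the displayed-name logic models Explorer's default of hiding the last known extension, which is why report.pdf.exe is listed to the user as report.pdf.

```python
"""Triage for the disguised-executable lure. Added example, not Paper
Werewolf tooling or any vendor's detection logic. The extension sets, the
sample files and the known-good hash table are constructed for illustration."""
import hashlib
from typing import Dict, List

# Extensions the lure imitates, and extensions Windows treats as runnable.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "hta", "js", "vbs", "lnk"}
PE_MAGIC = b"MZ"  # DOS header signature every PE image starts with


def has_double_extension(name: str) -> bool:
    """report.pdf.exe -> True: a document extension directly followed by an
    executable one. report.pdf and explorer.exe -> False."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS


def displayed_name(name: str) -> str:
    """What Explorer shows with its default 'Hide extensions for known file
    types' setting: the final registered extension is dropped, so
    report.pdf.exe is listed as report.pdf. The set of known types is
    simplified here to the two sets above."""
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in DOCUMENT_EXTS | EXECUTABLE_EXTS:
        return stem
    return name


def looks_like_document(name: str) -> bool:
    """True if the name ends in one of the document extensions."""
    return name.rpartition(".")[2].lower() in DOCUMENT_EXTS


def triage(name: str, data: bytes, baseline: Dict[str, str]) -> List[str]:
    """Return findings for one file. `baseline` maps a system binary's
    lower-case file name to its known-good SHA-256 hex digest."""
    findings: List[str] = []
    if has_double_extension(name):
        findings.append("DOUBLE_EXTENSION")
    # A PE image whose user-visible name claims to be a document.
    if data.startswith(PE_MAGIC) and looks_like_document(displayed_name(name)):
        findings.append("PE_MASQUERADING_AS_DOCUMENT")
    # A file named like a Windows system binary whose bytes do not match the
    # known-good hash: the patched explorer.exe case.
    expected = baseline.get(name.lower())
    if expected is not None and hashlib.sha256(data).hexdigest() != expected:
        findings.append("SYSTEM_BINARY_HASH_MISMATCH")
    return findings


# Constructed samples: not real malware, just enough bytes to drive the checks.
GOOD_EXPLORER = PE_MAGIC + b"\x90\x00" + b"\x00" * 30      # stub standing in for a clean binary
PATCHED_EXPLORER = GOOD_EXPLORER + b"\xcc" * 16             # stub with bytes appended
BASELINE = {"explorer.exe": hashlib.sha256(GOOD_EXPLORER).hexdigest()}

SAMPLES = [
    ("Contract_2024.pdf.exe", GOOD_EXPLORER),   # the double-extension lure
    ("Contract_2024.pdf", b"%PDF-1.7\n"),        # a genuine-looking PDF
    ("explorer.exe", PATCHED_EXPLORER),          # modified system binary
    ("explorer.exe", GOOD_EXPLORER),             # matches the baseline
]


def run_demo() -> Dict[str, List[str]]:
    """Triage every sample; keys carry an index so duplicate names survive."""
    return {f"{i}:{name}": triage(name, data, BASELINE)
            for i, (name, data) in enumerate(SAMPLES)}


if __name__ == "__main__":
    for key, findings in run_demo().items():
        print(f"{key:28} {findings or 'clean'}")
```

In a real deployment the baseline would come from the hashes of the signed binaries on a clean reference image (or from Authenticode verification on the host), and the triage would run over the extracted archive members before the user ever sees them.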
Alternate Attack Route: PowerModul Takes Center Stage
In an alternate method, Paper Werewolf uses a RAR archive with a macro-laced Office document that acts as a dropper for PowerModul. PowerModul is a PowerShell script that receives and executes additional PowerShell scripts from the C2 server, which makes it a versatile backdoor.
Payload Parade: A Toolkit for Espionage and Infection
PowerModul has been in use since early 2024, primarily to download and run PowerTaskel. Other notable payloads include:
- FlashFileGrabber: Steals files from flash drives and exfiltrates them.
- FlashFileGrabberOffline: Searches for files with specific extensions on flash media and stores them locally for later exfiltration.
- USB Worm: Infects flash drives with a copy of PowerModul to spread the malware further.
PowerTaskel’s Capabilities: More than Just Script Execution
While similar to PowerModul, PowerTaskel is more capable. It sends a 'checkin' message with system info, runs commands from the C2 server, and can escalate privileges using PsExec. In one case, it was seen executing a FolderFileGrabber script that collects files from remote systems using hardcoded SMB network paths.
Evolution in Tactics: Shifting Away from PowerTaskel
For the first time, Paper Werewolf has used malicious Word documents with VBA scripts for initial access. Recent findings also indicate a tactical shift: the group is moving away from PowerTaskel and increasingly relying on binary Mythic agents for lateral movement within targeted networks.
Final Thoughts: A Growing Threat with Evolving Techniques
Paper Werewolf continues to refine its techniques and expand its arsenal. The exclusive focus on Russian entities, combined with disruptive capabilities and an evolving infection strategy, makes it a serious and persistent threat.