Squid Werewolf Cyber Spies Masquerade as Recruiters

Summary:
Researchers at BI.Zone have uncovered a campaign in which a North Korean threat group dubbed Squid Werewolf (aka APT37, Ricochet Chollima, ScarCruft, Reaper Group) masqueraded as recruiters to target job seekers and employees at specific organizations. The campaign was first spotted in December 2024 and uses emails carrying malicious ZIP archives themed around potential employment opportunities. In one email observed by BI.Zone, the phishing message was disguised as a job offer from a United Industrial Complex HR representative and contained a password-protected ZIP file titled "Предложение о работе.zip," which holds an LNK file named "Предложение о работе.pdf.lnk." When opened, the LNK file executes a PowerShell command that reads and decodes Base64-encoded data and writes it out to several files. The command then opens a decoy document, "mngs Attachment.pdf," and executes "d.exe," a .NET application that in turn runs "DomainManager.dll," a loader that performs several checks to evade sandbox detection, including verifying internet connectivity and looking for signs of runtime analysis. If these checks pass, the loader modifies registry keys to disable autorun and looks for an encrypted configuration file, "DomainManager.conf." If the file exists, the loader decrypts it and executes the malicious payload from memory; otherwise, it retrieves a payload from a remote server, decrypts it, and saves it locally for execution.
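As an added defender-side example (not code from the BI.Zone report or from this page), the following Python sketch checks two of the indicators described above against constructed sample data: an archive entry whose name looks like a document but ends in .lnk, and PowerShell spawned from Explorer with inline Base64 decoding and a hidden window. The field names and sample events are assumptions modelled on Sysmon process-creation records.

```python
import re

# Constructed sample data (not from the BI.Zone report): archive entries
# and process-creation events shaped like Sysmon Event ID 1 records.
ARCHIVE_ENTRIES = [
    "Предложение о работе.pdf.lnk",   # document-looking name, LNK payload
    "quarterly-report.pdf",
    "setup.exe",
]
PROCESS_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -c "[IO.File]::WriteAllBytes('
                     '\'d.exe\',[Convert]::FromBase64String($b))"'},
    {"parent_image": r"C:\Windows\System32\cmd.exe",          # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe",              # not PowerShell at all
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "command_line": "notepad++.exe readme.txt"},
]

# A document extension immediately followed by .lnk is the lure pattern.
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", re.IGNORECASE)
# Inline Base64 decoding or an encoded command, as the LNK's PowerShell does.
B64_DECODE = re.compile(r"FromBase64String|-e(nc|ncodedcommand)?\b", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)

def flag_archive_entries(names):
    """Return archive entries that mimic a document but are really LNK files."""
    return [n for n in names if DOUBLE_EXT_LNK.search(n)]

def flag_process_event(event):
    """Return the reasons a process-creation event resembles an LNK-launched loader."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    reasons = []
    if event["parent_image"].lower().endswith("explorer.exe"):
        reasons.append("PowerShell launched from Explorer (double-clicked shortcut)")
    if B64_DECODE.search(event["command_line"]):
        reasons.append("Base64 decoding in command line")
    if HIDDEN_WINDOW.search(event["command_line"]):
        reasons.append("hidden window requested")
    # Require at least two indicators so routine scripted PowerShell stays quiet.
    return reasons if len(reasons) >= 2 else []

def triage(entries=ARCHIVE_ENTRIES, events=PROCESS_EVENTS):
    """Run both checks and return what an analyst would want to look at."""
    alerts = [r for r in (flag_process_event(e) for e in events) if r]
    return {"lure_files": flag_archive_entries(entries), "alerts": alerts}
```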

Security Officer Comments:
The exact functionality of the final payload executed by the loader remains unclear, as BI.Zone noted that the payload was unavailable during their research. However, this campaign closely mirrors a previous attack analyzed by the Securonix team, which they attributed to the APT37 group. In that instance, the attackers deployed the VeilShell remote access trojan. Given that APT37 is driven by cyberespionage motives, it is likely that the current campaign results in the deployment of a similar payload, enabling the actors to maintain persistence on the targeted system and exfiltrate data of interest.

Suggested Corrections:
The latest campaign highlights a growing trend of North Korean threat actors disguising themselves as recruiters to target job seekers with malicious payloads. The emails sent by these actors often appear to be legitimate job offers from well-known companies, preying on individuals actively looking for new opportunities. In general, individuals should exercise caution when responding to unsolicited job offers, carefully scrutinize the legitimacy of the source, and be wary of any unexpected attachments or links in such communications.

Link(s):
https://bi.zone/eng/expertise/blog/...-squid-werewolf-maskiruyutsya-pod-rekruterov/