Targeted Cyberattacks by Stan Ghouls Impact Multiple Sectors in Central Asia
Recent investigations by Kaspersky reveal that the cybercriminal group Stan Ghouls (also known as Bloody Wolf) has methodically targeted organizations in Central Asia, particularly in Uzbekistan, since at least 2023. Their primary focus is on the finance, manufacturing, and IT sectors, where they have affected approximately 50 victims in Uzbekistan and targeted devices in Russia, Kazakhstan, Turkey, Serbia, and Belarus.
The group’s attack methodology includes spear phishing emails with malicious PDF attachments, primarily in local languages. These emails trick users into downloading a malicious Java-based loader that facilitates the installation of a modified version of NetSupport RAT. The attackers cleverly disguise their payloads as legitimate court documents, exploiting local judicial vernacular to persuade victims to execute the malicious files. Upon execution, the loader aims to establish persistence through multiple avenues, including autorun scripts and registry modifications.
With a notable presence of over 60 victims, Stan Ghouls demonstrates a high operational capacity, indicating a well-resourced and organized structure. Notably, there is also a suggestion of their involvement with IoT malware, specifically Mirai, as some related files have been found within their infrastructure, hinting at a possible expansion of their cyber toolkit.
Why this matters: The implications of these targeted attacks underscore the vulnerability of critical sectors in Central Asia to sophisticated cybercriminal activities. Organizations in finance and manufacturing that fall prey to such well-prepared campaigns can suffer significant financial losses and disruptions, highlighting the urgent need for improved cybersecurity defenses.
Utilizing proactive threat intelligence, continuous monitoring, and robust SIEM solutions can assist organizations in quickly detecting and responding to the tactics employed by groups like Stan Ghouls, reducing overall risk.
Indicators of Compromise (IOCs):
- Malicious PDFs: MD5: B4FF4AA3EBA9409F9F1A5210C95DC5C3
- Malicious loaders:
- MD5: 1b740b17e53c4daeed45148bfbee4f14
- MD5: 95db93454ec1d581311c832122d21b20
- Malicious domains:
- mysoliq-uz[.]com
- my-xb[.]com
- xarid-uz[.]com
- others listed above.
Cybersecurity measures are essential to safeguard against such evolving threats.
