Since 2020, F.A.C.T. has been monitoring the activity of the attacker known as Vasygrek, who has been targeting Russian companies since 2016. The attacks typically start with fraudulent emails from fake accounting departments containing financial-sounding subjects such as “Act of reconciliation,” “Payment order,” and “1C.” These emails contain malicious attachments that initiate the infection process.
The attacker often utilizes infected versions of legitimate remote control tools like RMS (Remote Utilities) and malicious software from developer Purecoder (Purecrypter, Purelogs, etc.). Additionally, Vasygrek’s arsenal includes programs that are readily available for purchase in the public domain, such as Metastealer, Warzonerat (Ave Maria), Redline Stealer, among others.
In March 2024, Bi.zone conducted a study on Vasygrek’s activities, dubbing it “Fluffy Wolf,” though many details were still unknown at that time.
In a new article, F.A.C.T. highlights the current threats posed by Vasygrek to Russian companies, analyzing its activities on forums and communications with malware developer Mr. Burns. The article also delves into a new version of the Burnsrat tool and provides detailed information about its creator.
Attack chronology 2022-2024
F.A.C.T. presented a timeline of Vasygrek’s attacks from 2022 to 2024.
Actual chain of infection in 2024
The attacker employs various methods of infection. Some attacks now use URLs to download the malware instead of attachments, while the quantity of Purecrypter.Downloader utilized varies, affecting the number of malware payloads loaded onto the victim systems.
- Analysis of the infection chain used by Vasygrek in attacks on Russian companies.
- Vasygrek’s forum activity dating back to 2016 and its connections to the infrastructure of its attacks.
- The association between Vasygrek and malicious developer Mr. Burns.
- The history of VPO Mr. Burns, starting in 2010.
- A description of the latest version of the malicious Burnsrat tool, available for sale on forums and utilized in attacks on Russian companies.