Unsophisticated threat actor is targeting Russian companies with both readily available malware and authentic software.


An emerging and unsophisticated threat actor is spreading various types of malware with accounting report lures in a phishing campaign that relies on readily available malicious and legitimate software for its success.

The active phishing campaign by an actor tracked as Fluffy Wolf demonstrates how even largely unskilled threat actors can leverage malware-as-a-service (MaaS) models to conduct successful cyberattacks, according to researchers from digital risk management firm Bi.Zone. The campaign is currently targeting Russian organizations but could spread to other regions.

"Although mediocre in terms of technical skills, these threat actors achieve their goals by using just two sets of tools: legitimate remote access services and inexpensive malware," according to separate blog posts published on both the company's website and its Medium blog account.

To gain initial access to target infrastructures, Fluffy Wolf — active since 2022 — impersonates a construction company to send phishing emails with attachments disguised as reconciliation reports, or reports aimed at ensuring that different sets of accounting figures are correct. The password-protected files hide a variety of malicious payloads; the primary one is Meta Stealer, a clone of the popular RedLine stealer.

Fluffy Wolf is also propagating a variety of other payloads, including legitimate software such as Remote Utilities, as well as WarZone RAT and the XMRig miner.

So far, the group has made at least 140 attacks on companies in Russia, where phishing remains one of the most prevalent forms of initial entry into corporate environments, the researchers found.

"Phishing was the weapon of choice for 68% of all targeted attacks on Russian organizations last year," according to Bi.Zone. Moreover, at least 5% of employees of Russian companies open hostile attachments and click links in phishing emails, which makes it easy to run a malicious campaign on a large scale, according to the company.

Meta Stealer Malware

Once a corporate user clicks on the document lure, which is included in emails titled "Reports to sign," the file executes various processes. One of those is the launch of the Remote Utilities loader to deliver a copy of Meta Stealer from an attacker-controlled command-and-control (C2) server.

The use of these two tools is key to the campaign in that both are readily available to threat actors: Remote Utilities is a legitimate remote access tool, and Meta Stealer can be purchased on underground forums and on Telegram channels for as little as $150 a month.

Remote Utilities enables a threat actor to gain complete control over a compromised device to track the user’s actions, transmit files, run commands, and interact with the task scheduler, among other activities. "Threat actors continue to experiment with legitimate remote access software to enhance their arsenal with new tools," according to Bi.Zone.

Meanwhile, Meta Stealer lifts sensitive data from infected devices, including user credentials and cookies from Chromium- and Firefox‑like browsers, as well as data from the free FileZilla FTP server program, cryptocurrency wallets, and VPN clients. It then sends the data back to the attacker's C2.

Cyber Defenses Against Fluffy Wolf

The Fluffy Wolf campaign demonstrates how it's easier than ever for threat actors to attack systems using MaaS and other readily available software tools, so it's important for organizations to use a variety of security solutions to protect themselves, according to Bi.Zone.

As phishing remains a primary point of entry for attackers, organizations should use managed email security services that will prevent connection to a threat actor's C2 server even if a corporate user clicks on a malicious email link or file.
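A mail-gateway triage check for the lure described above, as an added example that is not code from Bi.Zone or from this article. It assumes the password-protected attachment is a ZIP archive (the article says only "password-protected files"); the function names and sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

LURE_SUBJECT = "reports to sign"  # subject line quoted in the article


def encrypted_members(data: bytes) -> list:
    """Return ZIP member names whose 'encrypted' flag (bit 0) is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []  # not a ZIP; other container formats are out of scope here


def triage(raw: bytes) -> str:
    """Classify one raw RFC 5322 message as quarantine, review or pass."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject_hit = LURE_SUBJECT in str(msg["Subject"] or "").lower()
    locked = []
    for part in msg.iter_attachments():
        locked += encrypted_members(part.get_payload(decode=True) or b"")
    if locked and subject_hit:
        return "quarantine"  # lure subject plus content the scanner cannot open
    return "review" if locked else "pass"


def build_sample(subject: str, encrypted: bool) -> bytes:
    """Constructed test message; the attachment holds placeholder text only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"constructed placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the flag field in the central directory header.
        data[data.rfind(b"PK\x01\x02") + 8] |= 0x01
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "a@example.com", "b@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, enc in [("Reports to sign", True), ("Invoice", True), ("Reports to sign", False)]:
        print(subj, enc, triage(build_sample(subj, enc)))
```

Encrypted archives are routed to review even without the subject match because the gateway cannot inspect their contents.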

Employing some type of threat intelligence platform within an organization to continuously maintain awareness of ever-evolving malicious campaigns also can help an organization mitigate risk.

"To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and to understand the threat landscape," according to Bi.Zone.

To that end, Bi.Zone included in its Medium blog post a list of indicators of compromise (IoCs) and a MITRE ATT&CK framework for the Fluffy Wolf phishing vector.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
