Dirty Wolf's Tunneling Tool

By Samarth Desai, 2/22/2025

A new threat activity cluster named Dirty Wolf has been identified using a novel tunneling tactic. The activity began with a potential phishing link leading to the download of a file with a .vbs extension. This file established persistence by adding itself to the Windows startup folder. Execution was achieved using a disguised Cscript utility, accompanied by suspicious network connections.

Additionally, a payload was deployed to gather IP information and execute the command: net.exe authtoken ID. This resulted in connections to localto.net and localtonet.com, indicating the use of a new tool for tunneling activities.

Note: Dirty Wolf frequently uses Localtonet. This cluster is involved in ransomware attacks leveraging LockBit 3.0 to generate payloads.

Stay vigilant! Look out for localtonet.dll as the original file name of a binary.
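One way to hunt for the indicators above in endpoint telemetry, as an added example that is not part of the original post. It assumes Sysmon-style field names (EventID 1 process creation with Image, OriginalFileName and CommandLine; EventID 22 DNS query with QueryName); the sample events, file paths and token placeholder are constructed.

```python
import ntpath

# Indicators taken from the write-up above.
TUNNEL_ORIGINAL_NAME = "localtonet.dll"
TUNNEL_DOMAINS = ("localto.net", "localtonet.com")

def domain_matches(query):
    """True if query is one of the tunnel domains or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in TUNNEL_DOMAINS)

def classify(event):
    """Return the reasons this event matches the write-up's indicators."""
    reasons = []
    if event.get("EventID") == 1:  # process creation
        original = (event.get("OriginalFileName") or "").lower()
        image = ntpath.basename(event.get("Image", "")).lower()
        if original == TUNNEL_ORIGINAL_NAME:
            reasons.append("original file name is localtonet.dll")
            # The on-disk name differs from the embedded one: renamed binary.
            if ntpath.splitext(image)[0] != "localtonet":
                reasons.append("binary renamed to " + image)
        args = event.get("CommandLine", "").lower().split()
        if "authtoken" in args[1:]:
            reasons.append("authtoken argument on command line")
    elif event.get("EventID") == 22:  # DNS query
        if domain_matches(event.get("QueryName", "")):
            reasons.append("DNS query for tunnel domain")
    return reasons

# Constructed sample events (not from a real incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\net.exe",
     "OriginalFileName": "localtonet.dll",
     "CommandLine": r"C:\Users\Public\net.exe authtoken PLACEHOLDER"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "OriginalFileName": "net.exe", "CommandLine": "net.exe use"},
    {"EventID": 22, "Image": r"C:\Users\Public\net.exe",
     "QueryName": "localtonet.com"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "notlocalto.net"},
]

def scan(events):
    """Return (index, reasons) for every event that matched something."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

Matching on the embedded original file name rather than the on-disk name is what catches the renamed net.exe, while the legitimate net.exe in System32 produces no hit.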