Sticky Werewolf Expands its Target of Cyber Attack in Russia and Belarus
Cybersecurity researchers have disclosed details about a threat actor known as Sticky Werewolf, which has been linked to cyber attacks targeting organizations in Russia and Belarus.
The phishing emails targeted a pharmaceutical company, a Russian research institute working on microbiology and vaccine development, and the aviation industry, a widening of scope beyond the group's earlier focus on government organizations, Morphisec said in a recent report.
“Previously, the series of attacks started with phishing emails that included a link for downloading a malicious file from sources like gofile.io,” mentioned security analyst Arnold Osipov. “In this latest campaign, archive files were used, containing LNK files directing to a payload located on WebDAV servers.”
Sticky Werewolf, one of several threat actors targeting Russia and Belarus alongside Cloud Werewolf (also known as Inception and Cloud Atlas), Quartz Wolf, Red Wolf (also known as RedCurl), and Scaly Wolf, was first identified by BI.ZONE in October 2023. The group is believed to have been active since at least April 2023.
Earlier attacks documented by the cybersecurity company used phishing emails carrying links to malicious payloads that ultimately installed the NetWire remote access trojan (RAT), whose infrastructure was taken down early last year in a law enforcement operation.
The latest attack chain observed by Morphisec uses a RAR archive attachment which, when extracted, contains two LNK files and a decoy PDF document. The PDF purports to be an invitation to a video conference and urges recipients to open the LNK files to view the meeting agenda and the email distribution list.
Opening either LNK file runs a binary hosted on a WebDAV server, which in turn launches an obfuscated Windows batch script. That script runs an AutoIt script that ultimately injects the final payload, bypassing security software and frustrating analysis.
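The multi-stage chain described above (LNK launched from Explorer, payload fetched over WebDAV, obfuscated batch script, AutoIt stage) leaves a distinctive parent/child trail in process-creation telemetry, which is where a defender can catch it regardless of which final RAT is delivered. The following detector is an added example written for this article and is not Morphisec's or BI.ZONE's code; it walks each process's ancestry in constructed Sysmon-style events (the event records, paths and the 203.0.113.10 address are all invented for the example) and reports processes whose ancestry contains a WebDAV-hosted executable followed by further stages of the chain. The LNK itself is not a process, so the chain shows up starting at the WebDAV binary with explorer.exe as its parent.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style, fields simplified)."""
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str    # command line as logged


# Constructed sample telemetry for the example: one infection chain plus two
# benign look-alikes (a build script and a legitimate AutoIt automation task).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # LNK target: a binary served from a WebDAV share (address is a documentation IP)
    ProcEvent(200, 100, r"\\203.0.113.10@80\DavWWWRoot\share\meeting.exe",
              r"\\203.0.113.10@80\DavWWWRoot\share\meeting.exe"),
    # the WebDAV binary drops and runs a batch script
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\setup.bat"'),
    # the batch script launches an AutoIt interpreter with a compiled script
    ProcEvent(400, 300, r"C:\Users\user\AppData\Local\Temp\AutoIt3.exe",
              r"AutoIt3.exe stage.a3x"),
    # benign: a developer running a build script from Explorer
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c build.bat"),
    # benign: a legitimate AutoIt automation task
    ProcEvent(600, 100, r"C:\Program Files\AutoIt3\AutoIt3.exe", r"AutoIt3.exe automation.au3"),
]


def is_webdav_path(text: str) -> bool:
    """True if the text contains a UNC path as the Windows WebDAV mini-redirector
    renders it: \\host@SSL\..., \\host@<port>\... or anything under DavWWWRoot."""
    if re.search(r"\\\\[^\\\s]+@(?:ssl|\d+)", text, re.IGNORECASE):
        return True
    return "davwwwroot" in text.lower()


def stage_of(ev: ProcEvent) -> Optional[str]:
    """Classify a single event as one stage of the chain, or None if it matches no stage."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if is_webdav_path(ev.image) or is_webdav_path(ev.cmdline):
        return "webdav_exec"
    if name == "cmd.exe" and re.search(r"\.(?:bat|cmd)\b", ev.cmdline, re.IGNORECASE):
        return "batch_script"
    if name.startswith("autoit3") or re.search(r"\.(?:a3x|au3)\b", ev.cmdline, re.IGNORECASE):
        return "autoit_stage"
    return None


def find_chains(events: List[ProcEvent], min_stages: int = 2) -> List[Tuple[int, List[str]]]:
    """Return (pid, stages) for every process whose ancestry (root first) contains
    a WebDAV-hosted executable and at least `min_stages` matched stages in total.
    Requiring the WebDAV stage keeps lone cmd.exe or AutoIt launches from alerting."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, List[str]]] = []
    for ev in events:
        stages: List[str] = []
        node: Optional[ProcEvent] = ev
        seen = set()                       # guard against pid reuse creating a cycle
        while node is not None and node.pid not in seen:
            seen.add(node.pid)
            stage = stage_of(node)
            if stage:
                stages.append(stage)
            node = by_pid.get(node.ppid)
        stages.reverse()                   # oldest ancestor first
        if "webdav_exec" in stages and len(stages) >= min_stages:
            hits.append((ev.pid, stages))
    return hits


if __name__ == "__main__":
    for pid, stages in find_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {' -> '.join(stages)}")
```

Run against the sample events, the detector reports pid 300 (WebDAV binary spawning a batch script) and pid 400 (the full three-stage chain), while the benign cmd.exe and AutoIt launches under Explorer are ignored because no WebDAV-hosted executable appears in their ancestry. In production the same ancestry walk runs over real Sysmon or EDR process events; the stage classifiers are the part to tune, for example adding the WinRAR temporary extraction directory as a signal for the archive stage.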
“This executable is a self-extracting archive using NSIS, a part of the previously recognized crypter known as CypherIT,” stated Osipov. “Although the original CypherIT crypter is no longer on sale, the current executable is a variation of it, as observed in a few hacking forums.”
The ultimate objective of this campaign is to disseminate commodity RATs and information-stealing malware such as Rhadamanthys and Ozone RAT.
“While there is no conclusive evidence indicating a specific national origin for the Sticky Werewolf group, the political backdrop hints at potential connections to a pro-Ukrainian cyber espionage entity or hacktivists, although this attribution remains uncertain,” Osipov mentioned.
The disclosure comes as BI.ZONE revealed an activity cluster tracked as Sapphire Werewolf, which has carried out more than 300 attacks on Russian education, manufacturing, IT, defense, and aerospace engineering sectors using Amethyst, a variant of the well-known open-source SapphireStealer.
In March 2024, the Russian company also detected groups tracked as Fluffy Wolf and Mysterious Werewolf using spear-phishing lures to distribute Remote Utilities, the XMRig miner, WarZone RAT, and a custom backdoor named RingSpy.
“The RingSpy backdoor allows an attacker to execute commands remotely, receive the outcomes, and download files from network resources,” it was stated. “The command-and-control server for the backdoor is a Telegram bot.”