Cybersecurity researchers have disclosed details of a threat actor known as Sticky Werewolf that has been linked to cyber attacks targeting entities in Russia and Belarus.
The phishing attacks targeted a pharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and the aviation sector, expanding beyond the group's initial focus on government organizations, Morphisec said in a report last week.
“In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io,” security researcher Arnold Osipov said. “This latest campaign used archive files containing LNK files pointing to a payload stored on WebDAV servers.”
Sticky Werewolf, one of the threat actors targeting Russia and Belarus alongside Cloud Werewolf, Quartz Wolf, Red Wolf (also known as RedCurl), and Scaly Wolf, was first documented by BI.ZONE in October 2023. The group is believed to have been active since at least April 2023.
Previous attacks documented by the cybersecurity firm used phishing emails with links to malicious payloads that culminated in the deployment of the NetWire remote access trojan (RAT), whose infrastructure was taken down early last year following a law enforcement operation.
The new attack chain observed by Morphisec involves the use of a RAR archive attachment that, when extracted, contains two LNK files and a decoy PDF document, the latter purporting to be an invitation to a video conference and urging recipients to click on the LNK files to obtain the meeting agenda and the email distribution list.
Opening either of the LNK files triggers the execution of a binary hosted on a WebDAV server, which leads to the launch of an obfuscated Windows batch script. The script, in turn, is designed to run an AutoIt script that ultimately injects the final payload, while also bypassing security software and analysis efforts.
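The chain above (LNK file, binary executed from a WebDAV share, batch script, AutoIt interpreter) leaves traces in process-creation telemetry. The following is an added detection example, not code from Morphisec or the article: it triages constructed Sysmon-style events, flagging any process image launched from a WebDAV path and any AutoIt interpreter started by cmd.exe or from outside its install directory. Host names, paths and file names in the sample events are invented.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon-like key=value|key=value form.
# Host names, paths and file names are invented for this example.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\explorer.exe|ParentImage=C:\Windows\System32\userinit.exe",
    r"Image=\\files.example-webdav.test@SSL\DavWWWRoot\share\meeting.exe|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Users\u\AppData\Local\Temp\meeting.exe",
    r"Image=C:\Users\u\AppData\Local\Temp\x\AutoIt3.exe|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Program Files\AutoIt3\AutoIt3.exe|ParentImage=C:\Windows\explorer.exe",
    r"Image=\\fileserver.corp.test\public\tool.exe|ParentImage=C:\Windows\explorer.exe",
]

# WebDAV UNC paths are recognisable by the @SSL / @port host suffix or the
# DavWWWRoot component used by the Windows WebClient redirector; a plain SMB
# UNC path such as \\server\share has neither.
WEBDAV_MARKER = re.compile(r"^\\\\[^\\]+@(ssl|\d+)(\\|$)|\\davwwwroot\\", re.IGNORECASE)
AUTOIT_NAMES = {"autoit3.exe", "autoit3_x64.exe"}
TRUSTED_DIRS = (r"c:\program files\autoit3", r"c:\program files (x86)\autoit3")


def parse_event(line):
    """Split 'k=v|k=v' into a dict; split each field once so values may contain '='."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)


def basename(path):
    return PureWindowsPath(path).name.lower()


def triage(events):
    """Return (rule, image) findings for the LNK -> WebDAV -> batch -> AutoIt chain."""
    findings = []
    for line in events:
        ev = parse_event(line)
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        # Rule 1: a process image executed straight from a WebDAV share.
        if WEBDAV_MARKER.search(image):
            findings.append(("exec_from_webdav", image))
        # Rule 2: AutoIt interpreter launched by cmd.exe or from outside its install dir.
        if basename(image) in AUTOIT_NAMES:
            untrusted_dir = not image.lower().startswith(TRUSTED_DIRS)
            if basename(parent) == "cmd.exe" or untrusted_dir:
                findings.append(("autoit_interpreter_abuse", image))
    return findings


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

A legitimate AutoIt install run from its own Program Files directory by explorer.exe, and a binary on an ordinary SMB share, are deliberately left unflagged so the rules do not fire on routine administrative use.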
“This executable is an NSIS self-extracting archive which is part of a previously known crypter named CypherIT,” Osipov said. “While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as observed in a couple of hacking forums.”
The ultimate goal of the campaign is to deliver commodity RATs and information stealer malware such as Rhadamanthys and Ozone RAT.
“While there is no conclusive evidence pointing to a specific national origin for the Sticky Werewolf group, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, although this attribution remains uncertain,” Osipov said.
The development comes as BI.ZONE disclosed an activity cluster codenamed Sapphire Werewolf that has been attributed to more than 300 attacks on Russian education, manufacturing, IT, defense, and aerospace engineering sectors using Amethyst, an offshoot of the popular open-source SapphireStealer.
The Russian company, in March 2024, also revealed clusters referred to as Fluffy Wolf and Mysterious Werewolf that have used spear-phishing lures to distribute Remote Utilities, the XMRig miner, WarZone RAT, and a bespoke backdoor dubbed RingSpy.
“The RingSpy backdoor enables an adversary to remotely execute commands, obtain their results, and download files from network resources,” it noted.