Cybersecurity researchers have revealed the tactics of Sticky Werewolf, a threat actor engaged in phishing attacks targeting organizations in Russia and Belarus. Initially focused on government entities, the group has expanded its campaigns to include pharmaceutical companies, research institutes, and the aviation sector. Its modus operandi involves sophisticated phishing emails containing links to malicious payloads, leading to the deployment of commodity RATs and information-stealer malware such as Rhadamanthys and Ozone RAT.
Sticky Werewolf’s latest attack chain, observed by Morphisec, uses a RAR archive attachment containing LNK files and a decoy PDF document. Recipients are lured into clicking the LNK files, which are disguised as a video conference invitation and an email distribution list. Upon execution, the LNK files launch a binary hosted on a WebDAV server, which in turn starts an obfuscated Windows batch script. That script runs an AutoIt script that injects the final payload, bypassing security controls and hindering analysis.
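The execution chain described above (LNK launched from Explorer, a binary running from a WebDAV path, a batch script under cmd.exe, then AutoIt) is the kind of parent/child sequence a SOC can hunt for in process-creation telemetry. The following is an added example written for this page, not code from Morphisec, BI.ZONE or the article. It assumes a simplified event format (dicts with `pid`, `ppid`, `image`, `cmdline`, as one would derive from Sysmon Event ID 1 or EDR process events); the sample events, the 203.0.113.10 host and the file names are constructed for illustration.

```python
"""Hunt for a WebDAV-launched binary -> cmd.exe batch script -> AutoIt chain.

Assumed event schema (one dict per process creation):
    pid, ppid : int
    image     : full path of the created process
    cmdline   : its command line
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample telemetry. PIDs 200-400 form a chain matching the
# described technique; 500/600 are a benign batch-file-plus-AutoIt pair that
# must NOT be flagged, because no WebDAV-hosted binary starts that chain.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"\\203.0.113.10@SSL@443\DavWWWRoot\invite.exe",
     "cmdline": r"\\203.0.113.10@SSL@443\DavWWWRoot\invite.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage.bat"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe script.a3x"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c build.bat"},
    {"pid": 600, "ppid": 500, "image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe tool.au3"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_webdav_path(path: str) -> bool:
    """True for UNC paths that carry WebDAV markers (host@SSL, host@port,
    or the DavWWWRoot pseudo-share). A plain \\server\share path is not
    distinguishable from SMB here and is deliberately left unflagged."""
    p = path.strip().strip('"')
    if not p.startswith("\\\\"):
        return False
    host = p[2:].split("\\", 1)[0]
    if re.search(r"@ssl", host, re.IGNORECASE) or re.search(r"@\d+$", host):
        return True
    return "\\davwwwroot\\" in p.lower()


def is_batch_via_cmd(ev: Dict) -> bool:
    """cmd.exe whose command line references a .bat/.cmd script."""
    return _basename(ev["image"]) == "cmd.exe" and bool(
        re.search(r"\.(bat|cmd)\b", ev["cmdline"], re.IGNORECASE))


def is_autoit(ev: Dict) -> bool:
    """AutoIt interpreter by image name, or any process handed an AutoIt
    script (.a3x/.au3). A renamed interpreter running a script with a
    different extension would evade this check."""
    name = _basename(ev["image"])
    if name.startswith("autoit3") and name.endswith(".exe"):
        return True
    return bool(re.search(r"\.(a3x|au3)\b", ev["cmdline"], re.IGNORECASE))


def _descendants(children: Dict[int, List[Dict]], pid: int) -> Iterable[Dict]:
    stack = list(children.get(pid, []))
    while stack:
        ev = stack.pop()
        yield ev
        stack.extend(children.get(ev["pid"], []))


def detect_chains(events: List[Dict]) -> List[Tuple[int, int, int]]:
    """Return (webdav_pid, cmd_pid, autoit_pid) for every ordered chain
    WebDAV-hosted binary -> descendant cmd.exe batch -> descendant AutoIt."""
    children: Dict[int, List[Dict]] = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)

    findings: List[Tuple[int, int, int]] = []
    for root in events:
        if not is_webdav_path(root["image"]):
            continue
        for batch in _descendants(children, root["pid"]):
            if not is_batch_via_cmd(batch):
                continue
            for autoit in _descendants(children, batch["pid"]):
                if is_autoit(autoit):
                    findings.append((root["pid"], batch["pid"], autoit["pid"]))
    return findings


if __name__ == "__main__":
    for chain in detect_chains(EVENTS):
        print("WebDAV -> batch -> AutoIt chain, pids:", chain)
```

Requiring all three stages in parent/child order keeps the rule quiet on ordinary batch-file or AutoIt usage (the 500/600 pair above); a process image on a WebDAV path alone is already worth a lower-severity alert, and `is_webdav_path` can be reused for that on its own.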
The payload delivery mechanism uses an NSIS self-extracting archive, a variant of the CypherIT crypter, to deploy the RATs and information-stealer malware. While the group’s national origin remains uncertain, the geopolitical context suggests possible links to pro-Ukrainian cyberespionage groups or hacktivists. This revelation comes amid BI.ZONE’s identification of the Sapphire Werewolf activity cluster, which has been attributed over 300 attacks on various sectors in Russia using sophisticated malware such as Amethyst.
BI.ZONE also uncovered other activity clusters, including Fluffy Wolf and Mysterious Werewolf, which employ spear-phishing lures to distribute Remote Utilities, XMRig miner, WarZone RAT, and a bespoke backdoor named RingSpy. The RingSpy backdoor facilitates remote command execution and file downloads through a Telegram bot-controlled command-and-control server. These findings underscore the evolving tactics of threat actors like Sticky Werewolf and the ongoing cybersecurity challenges faced by organizations in the region.