Amethyst (Infostealer) – Malware

June 10, 2024

Amethyst

Type of Malware

Infostealer

Country of Origin

Unknown

Date of initial activity

2024

Targeted Countries

Russia
Belarus

Associated Groups

Sapphire Werewolf

Motivation

Data Theft
Financial Gain

Attack Vectors

Phishing
Software Vulnerabilities

Targeted Systems

Windows

Type of Information Stolen

Browser Data
Communication Data
Corporate Data
Login credentials
Personally Identifiable Information (PII)
System Information

Overview

The Sapphire Werewolf group has made headlines with its recent wave of attacks using the Amethyst Stealer, targeting over 300 companies across various industries in Russia. This campaign, which began in March 2024, has primarily focused on sectors such as education, manufacturing, IT, defense, and aerospace engineering. The threat actors behind Sapphire Werewolf have cleverly modified the open-source SapphireStealer, transforming it into a potent tool for espionage and data theft, capable of gathering extensive authentication data from compromised systems. The group’s tactics involve sophisticated phishing campaigns, where malicious files are disguised as official documents, such as decrees from the President of Russia or leaflets from the Central Election Committee. Once these files are executed by unsuspecting victims, the Amethyst Stealer infiltrates the system, creating persistence through the Windows Task Scheduler and initiating a series of actions to collect sensitive information. The stolen data is then exfiltrated to the attackers’ Command and Control (C2) servers, often using encrypted channels and Telegram bots to maintain stealth.

Targets

  • Education: educational institutions and organizations within Russia.
  • Manufacturing: companies involved in various manufacturing processes.
  • Information Technology (IT): firms and organizations that operate within the IT sector.
  • Defense: entities related to the defense sector, including military and defense contractors.
  • Aerospace Engineering: companies involved in aerospace technology and engineering.

How they operate

Amethyst Stealer combines technical sophistication with deceptive tactics to infiltrate systems. The initial phase typically involves phishing: malicious emails disguised as legitimate documents or notifications trick users into opening infected attachments. Once the payload is executed, Amethyst creates a folder within the %AppData% directory and deploys its core component there, disguised as MicrosoftEdgeUpdate.exe. It then persists by creating a scheduled task through the Windows Task Scheduler; the task, named MicrosoftEdgeUpdateTaskMachineCore, re-runs the malware every 60 minutes so that it remains active and continues its malicious activity.

Once installed, Amethyst Stealer conducts a comprehensive data collection campaign. It targets a broad spectrum of information, including authentication credentials, browser data, and configuration files from applications such as Telegram and FileZilla, and it extracts data from sources such as browser history, saved passwords, and sensitive files in user directories. The collected data is archived and encrypted, and the archive is sent to a command and control (C2) server operated via Telegram bots. The use of Telegram for C2 communications underscores the malware’s reliance on common, yet effective, channels to evade detection and maintain control.

Amethyst’s persistence mechanisms are designed to be difficult to detect. By embedding itself in system processes and creating scheduled tasks, the malware remains on the compromised system despite attempts to remove it. Its use of encrypted archives for exfiltration adds a further layer of complexity, making it harder for traditional security solutions to identify and mitigate the threat.
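The persistence described above leaves a concrete artifact a defender can audit: a scheduled task whose action points at a binary dropped under the user profile rather than at the genuine Edge updater. The following hunting script is an added example, not code from this article, from Sapphire Werewolf’s tooling, or from any vendor. The task name MicrosoftEdgeUpdateTaskMachineCore, the file name MicrosoftEdgeUpdate.exe, the %AppData% drop location and the 60-minute cadence are taken from the write-up; the expected install path of the real updater under Program Files (x86)\Microsoft\EdgeUpdate and the function names are assumptions of the example.

```powershell
# Added hunting script (not from the article or the threat actor's tooling).
# Flags scheduled tasks whose action runs from a user-writable profile path, or
# whose name/binary imitates the Microsoft Edge updater while living outside
# the updater's normal install path (an assumption about the legitimate path).
# Run from an elevated PowerShell session to enumerate every user's tasks.

$legitEdgeUpdater = '(?i)^[a-z]:\\Program Files( \(x86\))?\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate\.exe$'

function Test-UserWritablePath {
    # Hypothetical helper: true for any user's profile tree or for unexpanded
    # variables (%AppData%, %Temp%, ...) that the task XML may still carry.
    param([string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    return ($p -match '(?i)^[a-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\') -or
           ($p -match '(?i)%(appdata|localappdata|userprofile|temp|tmp)%')
}

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute                       # $null for COM-handler actions
            if (-not $exe) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')

            $mimicsUpdater = ($task.TaskName -match '(?i)MicrosoftEdgeUpdate') -or
                             ($exe -match '(?i)MicrosoftEdgeUpdate\.exe$')
            $fromProfile   = Test-UserWritablePath $exe

            $reason = if ($fromProfile) { 'runs from user-writable profile path' }
                      elseif ($mimicsUpdater -and $exe -notmatch $legitEdgeUpdater) { 'Edge-updater name outside its install path' }
            if (-not $reason) { continue }

            # Repetition interval of each trigger, e.g. PT1H for the hourly cadence
            # the article reports for MicrosoftEdgeUpdateTaskMachineCore.
            $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })

            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $exe
                Arguments = $action.Arguments
                Interval  = $intervals -join ','
                Author    = $task.Author
                State     = $task.State
                Reason    = $reason
            }
        }
    }
}

$findings = @(Get-SuspiciousScheduledTask)
if ($findings.Count -eq 0) { 'No suspicious scheduled tasks found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Treat the output as a triage list rather than a verdict: legitimate per-user updaters (OneDrive, Teams and similar) also register tasks under the profile tree, so compare results against a known-good baseline and verify the Authenticode signature of each flagged binary before acting on it.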

MITRE Tactics and Techniques

  • Initial Access: Phishing (T1566): the malware is delivered via phishing emails with malicious attachments or links, often disguised as legitimate documents or notifications.
  • Execution: Command and Scripting Interpreter (T1059): uses command-line tools to execute payloads or delete files.
  • Execution: Scheduled Task/Job (T1053): creates scheduled tasks, using Windows Task Scheduler to run the malware periodically.
  • Persistence: Scheduled Task/Job (T1053): the same scheduled task maintains the malware’s presence on the system.
  • Collection: Data from Information Repositories (T1213): collects various types of sensitive data, including authentication credentials, browser data, and configuration files from applications like Telegram and FileZilla.
  • Exfiltration: Exfiltration Over Command and Control Channel (T1041): sends the collected data to command and control (C2) servers, often using Telegram bots to transfer information.
  • Command and Control: Application Layer Protocol (T1071): utilizes Telegram for C2 communication, sending data and receiving commands.
  • Command and Control: Domain Generation Algorithm (T1483): may use dynamically generated domains or channels for C2 communications.
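The exfiltration (T1041) and C2 (T1071) entries above combine into a second, network-side detection: a process running from %AppData% that repeatedly contacts the Telegram Bot API on a roughly hourly cadence. The script below is an added example, not code from this article or from any vendor. The event records are constructed in the shape of Sysmon Event ID 3 (network connection) fields; in production they would come from Get-WinEvent instead. That the bot channel resolves to the host api.telegram.org, the cadence tolerance, and the function name are assumptions of the example.

```powershell
# Added detection example (not from the article). Correlates two indicators the
# write-up gives: an executable launched from the user's %AppData% tree, and C2
# traffic to Telegram bots. api.telegram.org is the Telegram Bot API host; that
# the malware reaches it by name is an assumption. Sample events are constructed.

$sampleEvents = @'
UtcTime,Image,User,DestinationHostname,DestinationPort
2024-03-12 09:14:02,C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe,NT AUTHORITY\SYSTEM,updates.example.net,443
2024-03-12 09:15:40,C:\Users\alice\AppData\Roaming\MicrosoftEdgeUpdate\MicrosoftEdgeUpdate.exe,CORP\alice,api.telegram.org,443
2024-03-12 09:40:17,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe,CORP\alice,onedrive.example.net,443
2024-03-12 10:15:41,C:\Users\alice\AppData\Roaming\MicrosoftEdgeUpdate\MicrosoftEdgeUpdate.exe,CORP\alice,api.telegram.org,443
2024-03-12 11:15:39,C:\Users\alice\AppData\Roaming\MicrosoftEdgeUpdate\MicrosoftEdgeUpdate.exe,CORP\alice,api.telegram.org,443
'@ | ConvertFrom-Csv

function Find-TelegramC2Candidates {
    # Hypothetical helper: groups Telegram Bot API connections made by binaries
    # under a user profile and reports whether the gaps look like hourly beaconing.
    param([object[]]$Events, [int]$ExpectedMinutes = 60, [int]$ToleranceMinutes = 5)

    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $hits = $Events | Where-Object {
        $_.DestinationHostname -eq 'api.telegram.org' -and
        $_.Image -match '(?i)^[a-z]:\\Users\\[^\\]+\\AppData\\'
    }

    foreach ($group in ($hits | Group-Object Image)) {
        $times = @($group.Group | ForEach-Object {
            [datetime]::Parse($_.UtcTime, [cultureinfo]::InvariantCulture, $styles)
        } | Sort-Object)

        # Minutes between consecutive connections from the same image
        $gaps = @()
        for ($i = 1; $i -lt $times.Count; $i++) { $gaps += ($times[$i] - $times[$i - 1]).TotalMinutes }
        $periodic = @($gaps | Where-Object { [math]::Abs($_ - $ExpectedMinutes) -le $ToleranceMinutes })

        [pscustomobject]@{
            Image         = $group.Name
            Users         = (@($group.Group.User | Sort-Object -Unique) -join ',')
            Connections   = $group.Count
            FirstSeen     = $times[0]
            LastSeen      = $times[-1]
            GapsMinutes   = (@($gaps | ForEach-Object { [math]::Round($_, 1) }) -join ',')
            HourlyCadence = ($gaps.Count -gt 0) -and ($periodic.Count -eq $gaps.Count)
        }
    }
}

Find-TelegramC2Candidates -Events $sampleEvents | Format-List
```

On the constructed sample only the %AppData% copy of MicrosoftEdgeUpdate.exe is reported (three connections, gaps of about 60 minutes, HourlyCadence true); the genuine updater under Program Files and the OneDrive client are ignored because neither talks to the Bot API. A single connection is still listed but with HourlyCadence false, so the cadence flag is a prioritisation aid, not the sole trigger.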

Impact / Significant Attacks

Sapphire Werewolf Campaign
  • Targeted Sectors: education, manufacturing, IT, defense, and aerospace engineering sectors.
  • Details: since March 2024, the Sapphire Werewolf threat actor group has used Amethyst Stealer in over 300 attacks. The malware was distributed via phishing emails that masqueraded as official documents or notices from Russian authorities, such as enforcement orders or election committee leaflets.
  • Method: the attackers utilized Amethyst Stealer to collect sensitive information, including authentication credentials, browser data, and configuration files from various applications.

Russian Defense Industry Breach
  • Targeted Entities: multiple defense-related organizations within Russia.
  • Details: Amethyst Stealer was employed in targeted phishing campaigns aimed at defense contractors and related entities. The malware was used to extract classified information and sensitive communications from these organizations.
  • Method: the malware was delivered through phishing emails disguised as internal documents or official notices, leveraging its capability to exfiltrate authentication data and other sensitive files.

Aerospace Engineering Attack
  • Targeted Entities: companies within the aerospace engineering sector.
  • Details: the attack focused on extracting data related to aerospace research and development. Amethyst Stealer’s capabilities were used to obtain technical documents and proprietary information.
  • Method: the malware was distributed via spear-phishing emails that appeared to come from trusted industry sources, leading to its deployment on the targeted systems.

References
  • SapphireStealer: A New Open-Source Information Stealer Malware to Look Out For
  • Sapphire Werewolf polishes Amethyst stealer to attack over 300 companies