| Amethyst | |
|---|---|
| Type of Malware | Infostealer |
| Country of Origin | Unknown |
| Date of Initial Activity | 2024 |
| Targeted Countries | Russia |
| Associated Groups | Sapphire Werewolf |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of Information Stolen | Browser Data |
Overview
The Sapphire Werewolf group has made headlines with its recent wave of attacks using the Amethyst Stealer, targeting over 300 companies across various industries in Russia. This campaign, which began in March 2024, has primarily focused on sectors such as education, manufacturing, IT, defense, and aerospace engineering. The threat actors behind Sapphire Werewolf have cleverly modified the open-source SapphireStealer, transforming it into a potent tool for espionage and data theft, capable of gathering extensive authentication data from compromised systems.
The group’s tactics involve sophisticated phishing campaigns, where malicious files are disguised as official documents, such as decrees from the President of Russia or leaflets from the Central Election Committee. Once these files are executed by unsuspecting victims, the Amethyst Stealer infiltrates the system, creating persistence through the Windows Task Scheduler and initiating a series of actions to collect sensitive information. The stolen data is then exfiltrated to the attackers’ Command and Control (C2) servers, often using encrypted channels and Telegram bots to maintain stealth.
Targets
Education: Educational institutions and organizations within Russia.
Manufacturing: Companies involved in various manufacturing processes.
Information Technology (IT): Firms and organizations that operate within the IT sector.
Defense: Entities related to the defense sector, including military and defense contractors.
Aerospace Engineering: Companies involved in aerospace technology and engineering.
How they operate
Amethyst Stealer combines technical sophistication with deceptive tactics to infiltrate systems. The initial phase typically involves phishing, where malicious emails disguised as legitimate documents or notifications trick users into opening infected attachments. Once the payload is executed, Amethyst creates a folder within the %AppData% directory and drops its core component there, disguised as MicrosoftEdgeUpdate.exe. It then establishes persistence by registering a scheduled task with Windows Task Scheduler. This task, named MicrosoftEdgeUpdateTaskMachineCore, re-launches the malware every 60 minutes so that it stays active on the system.
Once installed, Amethyst Stealer engages in a comprehensive data collection campaign. It targets a broad spectrum of information, including authentication credentials, browser data, and configuration files from applications such as Telegram and FileZilla. The malware extracts data from various sources, including browser history, saved passwords, and sensitive files from user directories. This data is then archived and encrypted, with the archive being sent to a command and control (C2) server operated via Telegram bots. The use of Telegram for C2 communications underscores the malware’s reliance on common, yet effective, channels to evade detection and maintain control.
Amethyst’s persistence mechanisms are designed to be particularly challenging to detect. By embedding itself in system processes and creating scheduled tasks, the malware ensures that it remains on the compromised system despite attempts to remove it. Additionally, its use of encrypted archives for exfiltration adds a layer of complexity, making it harder for traditional security solutions to identify and mitigate the threat.
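A defender can turn the persistence details above (an Edge-updater lookalike task whose binary lives under %AppData% and repeats every 60 minutes) into a check over exported Task Scheduler XML. This is an added example, not code from the original page or from any vendor report; it assumes the genuine Edge updater is installed under Program Files, and the task XML samples are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (schtasks /query /xml, or the
# files under C:\Windows\System32\Tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EDGE_TASK_PREFIX = "microsoftedgeupdatetaskmachine"
# Assumption: the real Edge updater lives in one of these directories.
LEGIT_EDGE_DIRS = ("c:\\program files (x86)\\microsoft\\edgeupdate\\",
                   "c:\\program files\\microsoft\\edgeupdate\\")
USER_WRITABLE = ("%appdata%", "%localappdata%", "\\appdata\\", "%temp%", "\\temp\\")

def parse_task(xml_text):
    """Extract the executed command and repetition interval from task XML."""
    root = ET.fromstring(xml_text)
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS)
    return {"command": cmd.strip().strip('"'), "interval": interval.strip()}

def interval_minutes(iso):
    """Convert an ISO 8601 duration such as PT60M or PT1H to minutes."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso)
    if not m or not (m.group(1) or m.group(2)):
        return None
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)

def assess(task_name, xml_text):
    """Return findings for an Edge-updater lookalike that runs from a user path."""
    task = parse_task(xml_text)
    cmd = task["command"].lower()
    lookalike = (task_name.lower().startswith(EDGE_TASK_PREFIX)
                 or cmd.endswith("microsoftedgeupdate.exe"))
    if not lookalike or cmd.startswith(LEGIT_EDGE_DIRS):
        return []  # unrelated task, or the genuine updater in Program Files
    findings = ["edge-updater lookalike outside Program Files: " + task["command"]]
    if any(marker in cmd for marker in USER_WRITABLE):
        findings.append("binary runs from a user-writable profile directory")
    if interval_minutes(task["interval"]) == 60:
        findings.append("repeats every 60 minutes, as reported for Amethyst")
    return findings

# Constructed sample: the persistence task described in the text.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT60M</Interval></Repetition>
  <StartBoundary>2024-03-01T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions><Exec><Command>"C:\Users\alice\AppData\Roaming\EdgeUpdate\MicrosoftEdgeUpdate.exe"</Command></Exec></Actions>
</Task>"""
# Constructed sample: what the genuine updater task looks like.
LEGIT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command></Exec></Actions>
</Task>"""
```

On a live host, feed each task's XML from `schtasks /query /tn <name> /xml` into `assess` together with its name; the lookalike yields three findings and the genuine updater none.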
MITRE Tactics and Techniques
Initial Access:
Phishing (T1566): The malware is delivered via phishing emails with malicious attachments or links, often disguised as legitimate documents or notifications.
Execution:
Command and Scripting Interpreter (T1059): Uses command-line tools to execute payloads or delete files.
Scheduled Task/Job (T1053): Creates scheduled tasks to ensure persistence, using Windows Task Scheduler to run the malware periodically.
Persistence:
Scheduled Task/Job (T1053): As mentioned, the malware uses scheduled tasks to maintain its presence on the system.
Collection:
Data from Information Repositories (T1213): Collects various types of sensitive data, including authentication credentials, browser data, and configuration files from applications like Telegram and FileZilla.
Exfiltration:
Exfiltration Over Command and Control Channel (T1041): Sends the collected data to command and control (C2) servers, often using Telegram bots to transfer information.
Command and Control:
Application Layer Protocol (T1071): Utilizes Telegram for C2 communication, sending data and receiving commands.
Domain Generation Algorithm (T1483): May use dynamically generated domains or channels for C2 communications.
Impact / Significant Attacks
Sapphire Werewolf Campaign:
Targeted Sectors: Education, manufacturing, IT, defense, and aerospace engineering sectors.
Details: Since March 2024, the Sapphire Werewolf threat actor group has used Amethyst Stealer in over 300 attacks. The malware was distributed via phishing emails that masqueraded as official documents or notices from Russian authorities, such as enforcement orders or election committee leaflets.
Method: The attackers utilized Amethyst Stealer to collect sensitive information, including authentication credentials, browser data, and configuration files from various applications.
Russian Defense Industry Breach:
Targeted Entities: Multiple defense-related organizations within Russia.
Details: Amethyst Stealer was employed in targeted phishing campaigns aimed at defense contractors and related entities. The malware was used to extract classified information and sensitive communications from these organizations.
Method: The malware was delivered through phishing emails disguised as internal documents or official notices, leveraging its capability to exfiltrate authentication data and other sensitive files.
Aerospace Engineering Attack:
Targeted Entities: Companies within the aerospace engineering sector.
Details: The attack focused on extracting data related to aerospace research and development. Amethyst Stealer’s capabilities were used to obtain technical documents and proprietary information.
Method: The malware was distributed via spear-phishing emails that appeared to come from trusted industry sources, leading to its deployment on the targeted systems.