| Sapphire Werewolf | |
| --- | --- |
| Location | Unknown |
| Date of initial activity | 2024 |
| Suspected Attribution | Unknown |
| Government Affiliation | No |
| Motivation | Cyberwarfare |
| Associated Tools | Amethyst (an offshoot of SapphireStealer) |
| Software | Windows |
Overview
Sapphire Werewolf is a sophisticated threat actor that has emerged as a significant player in the cyber espionage landscape since March 2024. This cluster of malicious activity targets a wide range of Russian industries, including education, manufacturing, IT, defense, and aerospace engineering. With a focus on acquiring sensitive employee authentication data, Sapphire Werewolf employs a blend of tactics that leverage both open-source and custom-built malware tools. Their primary weapon of choice is Amethyst, a modified version of the SapphireStealer open-source tool, designed to infiltrate systems through meticulously crafted phishing campaigns.
Common targets
Sapphire Werewolf primarily targets industries within Russia, including:
- Education
- Manufacturing
- IT
- Defense
- Aerospace Engineering
Attack Vectors
- Phishing
- Software Vulnerabilities
How they operate
The attack lifecycle initiated by Sapphire Werewolf begins with a phishing campaign that uses deceptive emails to lure victims into downloading malicious attachments. These emails are typically disguised as seemingly benign documents such as enforcement orders or official decrees. Once the recipient opens the attachment, a payload embedded within the file creates a hidden directory under %AppData%\Microsoft\EdgeUpdate, where it deposits a file named MicrosoftEdgeUpdate.exe. This file is central to the threat actor’s strategy: it ensures the malware’s persistence by creating a scheduled task in Windows Task Scheduler. The task, named MicrosoftEdgeUpdateTaskMachineCore to blend in with the legitimate Edge updater, is set to execute every 60 minutes, thereby maintaining the malware’s foothold on the system.
Upon execution, the malware performs several actions to secure its position within the victim’s network. It writes a decoy document to distract the user while it runs the Amethyst stealer. This stealer, a modified version of SapphireStealer, is designed to harvest a wide array of sensitive information. It collects credentials, cookies, and configuration files from various applications and browsers, including popular ones like Chrome, Opera, and Firefox. Additionally, the stealer targets files from Telegram Desktop and removable media, archiving them for exfiltration.
The data collection process involves creating a UUID-named folder in a temporary directory, where all collected information is stored. After gathering the data, the stealer compresses it into an encrypted archive and sends it to a Command and Control (C2) server through a Telegram bot. This communication is secured through multiple Telegram tokens and user IDs to ensure persistent access even if primary tokens become unavailable. The stealer also retrieves additional control server addresses by scraping Telegram channels, further enhancing its operational flexibility.
Sapphire Werewolf’s choice of Amethyst and the methodical approach to data collection and exfiltration highlight the group’s capability to adapt and refine existing tools to meet their objectives. Their use of established software libraries and scheduled tasks to achieve persistence demonstrates a clear understanding of evasion techniques, making detection and mitigation challenging for targeted organizations.
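The persistence and exfiltration chain described above (a scheduled task running a masquerading binary from %AppData%\Microsoft\EdgeUpdate on a 60-minute cadence, staging in a temporary folder, and C2 over Telegram) can be hunted for on a Windows host with built-in cmdlets. The script below is an added example for this profile; it is not code from the original page or from the threat actor. The task name, directory and interval come from the profile; the list of user-writable roots, the `*EdgeUpdate*` name match and the Telegram DNS-cache check are assumptions chosen for illustration.

```powershell
# Added hunt script for the tradecraft described in this profile. Not original
# page code. Task name, directory and 60-minute cadence are from the profile;
# the roots, name pattern and DNS check are assumptions.

# Staging/persistence directory named in the profile (%AppData% = Roaming AppData).
$SuspectDir = Join-Path $env:APPDATA 'Microsoft\EdgeUpdate'

# Locations a standard user can write to. A scheduled task whose action executes
# from one of these deserves review; on a standard Edge install the legitimate
# MicrosoftEdgeUpdate.exe runs from Program Files (x86).
$UserWritableRoots = @(
    'C:\Users',
    $env:ProgramData,
    (Join-Path $env:windir 'Temp')
)

function Test-UserWritablePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Expand %AppData%-style variables and strip quotes so prefix matching works.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($root in $UserWritableRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-SignatureStatus {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) { return 'FileMissing' }
    return (Get-AuthenticodeSignature -LiteralPath $expanded).Status.ToString()
}

# 1. Scheduled tasks whose action runs from a user-writable path (T1053 + T1036).
$taskFindings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not (Test-UserWritablePath $action.Execute)) { continue }
        # Repetition.Interval is ISO 8601; PT1H matches the 60-minute cadence above.
        $intervals = @($task.Triggers |
            ForEach-Object { $_.Repetition.Interval } |
            Where-Object { $_ })
        [PSCustomObject]@{
            TaskName          = $task.TaskName
            TaskPath          = $task.TaskPath
            Execute           = $action.Execute
            Arguments         = $action.Arguments
            RepeatInterval    = ($intervals -join ',')
            Signature         = Get-SignatureStatus $action.Execute
            MasqueradesAsEdge = ($task.TaskName -like '*EdgeUpdate*')
        }
    }
}
$taskFindings | Sort-Object MasqueradesAsEdge -Descending | Format-Table -AutoSize

# 2. The exact staging directory from the profile, including hidden files.
if (Test-Path -LiteralPath $SuspectDir) {
    Write-Warning "Found $SuspectDir"
    Get-ChildItem -LiteralPath $SuspectDir -Force -Recurse |
        Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
}

# 3. Weak signal for the Telegram C2 channel (T1071 / T1041): names recently
# resolved on this host. Only meaningful where Telegram is not normal business
# traffic; proxy or DNS server logs give better coverage than the local cache.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*telegram.org' } |
    Select-Object Entry, Data, TimeToLive | Format-Table -AutoSize
```

Run it from an elevated prompt so `Get-ScheduledTask` returns tasks registered by every user, not only the current one. A task named like the Edge updater but executing from a profile directory, with `Signature` other than `Valid` and a `PT1H` repetition, matches every indicator in the profile at once; a single hit on any one column is only a lead, since legitimate per-user software also schedules itself from user-writable paths.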
MITRE Tactics and Techniques
- Phishing – T1566: The threat actor uses phishing emails with T.LY links to deliver the Amethyst stealer.
- Scheduled Task/Job – T1053: The adversaries create a scheduled task in Windows Task Scheduler to maintain persistence.
- Masquerading – T1036: The malware disguises itself as legitimate files, such as MicrosoftEdgeUpdate.exe.
- Data Staged – T1074: Collected data is stored in a UUID-named folder before being sent to the C2 server.
- Data Exfiltration – T1041: Data is exfiltrated via a Telegram bot, including sensitive files and credentials.
- Command and Control – T1071: Communication with the C2 server is conducted through Telegram.