Expanding Cyber Threats: Sticky Werewolf Targets Russia and Belarus

Introduction

The cyber threat landscape is constantly evolving, with new threat actors emerging and expanding their targets. Cybersecurity researchers have recently revealed information about a threat actor named Sticky Werewolf, who has been associated with cyber attacks on organizations in Russia and Belarus. This development highlights the critical need for robust cybersecurity measures, including stolen credentials detection, darknet monitoring services, and dark web surveillance.

Sticky Werewolf's Expanding Reach

Sticky Werewolf has shifted its focus from targeting government organizations to a broader range of entities, including a pharmaceutical company, a Russian research institute involved in microbiology and vaccine development, and the aviation sector. These phishing attacks represent an expansion of the threat actor's initial targets.

In earlier campaigns, the attack sequence started with phishing emails that included a link to download a malicious file from sites like gofile.io. In the most recent campaign, the attackers used archive files with LNK files that were directed to a payload hosted on WebDAV servers.

Evolution of the Attack Chain

Sticky Werewolf's tactics have evolved, now employing RAR archive attachments that contain two LNK files and a decoy PDF document. The decoy, disguised as an invitation to a video conference, urges recipients to click on the LNK files to access the meeting agenda and email distribution list. Opening these LNK files triggers the execution of a binary hosted on a WebDAV server, launching an obfuscated Windows batch script. This script runs an AutoIt script that injects the final payload while bypassing security software and analysis attempts.

"This executable is an NSIS self-extracting archive, part of a previously known crypter named CypherIT,". "While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as observed in a couple of hacking forums.

The ultimate goal of these attacks is to deliver commodity remote access trojans (RATs) and information stealer malware such as Rhadamanthys and Ozone RAT.

Broader Cybersecurity Context

Sticky Werewolf is part of a larger group of threat actors targeting Russia and Belarus, including Cloud Werewolf (also known as Inception and Cloud Atlas), Quartz Wolf, Red Wolf (also known as RedCurl), and Scaly Wolf. Documented by BI.ZONE in October 2023, Sticky Werewolf has been active since at least April 2023. These actors employ various techniques, including phishing emails with malicious payloads, leading to the deployment of malware like the NetWire RAT.

In the latest attacks observed, the compromised data underscores the importance of digital footprint analysis and compromised data tracking. Effective darknet monitoring services and dark web surveillance are crucial in identifying and mitigating these sophisticated threats.

Geopolitical Implications

While there is no definitive evidence pointing to a specific national origin for Sticky Werewolf, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists. However, this attribution remains uncertain.

Recent developments also include BI.ZONE's discovery of an activity cluster named Sapphire Werewolf, responsible for over 300 attacks on Russian education, manufacturing, IT, defense, and aerospace engineering sectors. These attacks utilized Amethyst, an offshoot of the open-source SapphireStealer.

Additionally, clusters referred to as Fluffy Wolf and Mysterious Werewolf have been uncovered, using spear-phishing lures to distribute various malware, including Remote Utilities, XMRig miner, WarZone RAT, and a bespoke backdoor dubbed RingSpy. According to BI.ZONE, the RingSpy backdoor allows attackers to execute commands remotely, retrieve the results, and download files from network resources. "The backdoor's [command-and-control] server is a Telegram bot."

Conclusion

The expanding reach and evolving tactics of threat actors like Sticky Werewolf highlight the dynamic nature of cybersecurity threats. Organizations must prioritize advanced security measures such as stolen credentials detection, darknet monitoring services, and dark web surveillance. Implementing comprehensive digital footprint analysis, brand protection, and brand impersonation defense strategies is crucial to safeguarding against these sophisticated cyber threats. Moreover, online risk evaluation and digital threat scoring can help organizations stay ahead of potential threats, ensuring robust protection in an increasingly hostile digital environment. Stay vigilant and prioritize security to safeguard against these formidable adversaries.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.