Cybersecurity researchers have revealed new details about the threat actor Sticky Werewolf, which has recently expanded its cyber attack campaigns to include entities in Russia and Belarus.
Recent phishing attacks targeted a pharmaceutical company, a Russian microbiology and vaccine research institute, and the aviation sector. These attacks mark an expansion from the group’s previous focus on government organizations, according to a report by Morphisec last week.
“In previous campaigns, the infection chain began with phishing emails containing links to download malicious files from platforms like gofile.io,” said security researcher Arnold Osipov. “This latest campaign used archive files containing LNK files that pointed to a payload stored on WebDAV servers.”
Sticky Werewolf joins a host of other threat actors targeting Russia and Belarus, including Cloud Werewolf (also known as Inception and Cloud Atlas), Quartz Wolf (also known as RedCurl), and Scaly Wolf. First documented by BI.ZONE in October 2023, Sticky Werewolf is believed to have been active since at least April 2023.
Previous attacks documented by the cybersecurity firm involved phishing emails with links to malicious payloads, which led to the deployment of the NetWire remote access trojan (RAT). The infrastructure supporting NetWire was dismantled early last year following a law enforcement operation.
The new attack chain observed by Morphisec begins with a RAR archive attachment. When extracted, the archive yields two LNK files and a decoy PDF document purporting to be an invitation to a video conference; the decoy urges recipients to open the LNK files to view the meeting agenda and email distribution list.
Opening either LNK file triggers the execution of a binary hosted on a WebDAV server, leading to the launch of an obfuscated Windows batch script. This script is designed to run an AutoIt script that ultimately injects the final payload while bypassing security software and analysis attempts.
“This executable is an NSIS self-extracting archive, which is part of a previously known crypter named CypherIT,” Osipov said. “While the original CypherIT crypter is no longer sold, the current executable is a variant observed in a couple of hacking forums.”
The campaign aims to deliver commodity RATs and information stealer malware such as Rhadamanthys and Ozone RAT.
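The delivery chain described above (LNK target on a WebDAV share, NSIS stub spawning an obfuscated batch script, batch script running an AutoIt interpreter) can be turned into host-side detection logic. The following is an added example, not code from Morphisec or this article: it assumes process-creation records in Sysmon event-ID-1 field shape (Image, CommandLine, ParentImage), and every host, user and temp-folder name in the sample events is a constructed placeholder rather than a campaign indicator.

```python
from __future__ import annotations
import re

# Windows' WebDAV Mini-Redirector exposes remote content as UNC paths such as
# \\host@80\DavWWWRoot\..., \\host@SSL@443\..., or \\host\DavWWWRoot\...
_WEBDAV_HOST = re.compile(r"^\\\\[^\\]*@(?:ssl|\d+)", re.IGNORECASE)

def is_webdav_path(path: str) -> bool:
    p = path.strip('"')
    return bool(_WEBDAV_HOST.match(p)) or "\\davwwwroot\\" in p.lower()

def _basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the reasons a process-creation event matches a chain stage (empty if none)."""
    image, cmd, parent = event["Image"], event["CommandLine"], event["ParentImage"]
    reasons = []
    # Stage 1: the LNK target is a binary fetched straight from a WebDAV share
    if is_webdav_path(image) or any(is_webdav_path(t) for t in cmd.split()):
        reasons.append("executable or argument on WebDAV share")
    # Stage 2: the dropped binary (an NSIS stub in the campaign) spawns a batch script
    if (_basename(image) == "cmd.exe" and re.search(r"\.(cmd|bat)\b", cmd, re.I)
            and _basename(parent) not in ("explorer.exe", "cmd.exe")):
        reasons.append("batch script launched by non-shell parent")
    # Stage 3: the batch script runs an AutoIt interpreter (often renamed) on a script
    if _basename(parent) == "cmd.exe" and (
            _basename(image).startswith("autoit") or re.search(r"\.a(u3|3x)\b", cmd, re.I)):
        reasons.append("AutoIt script executed from batch")
    return reasons

def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

# Constructed sample telemetry; hosts, users and temp folders are placeholders only.
SAMPLE_EVENTS = [
    {"Image": r"\\203.0.113.5@80\DavWWWRoot\meeting\agenda.exe",
     "CommandLine": r"\\203.0.113.5@80\DavWWWRoot\meeting\agenda.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\nsy1A2.tmp\run.cmd"',
     "ParentImage": r"\\203.0.113.5@80\DavWWWRoot\meeting\agenda.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\nsy1A2.tmp\svc.pif",
     "CommandLine": r"svc.pif C:\Users\u\AppData\Local\Temp\nsy1A2.tmp\x.a3x",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe agenda.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Each stage fires on its own, so a single WebDAV-launched binary is already worth a look even if the later stages run under a renamed interpreter the name check misses.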
“While there is no definitive evidence pointing to a specific national origin for the Sticky Werewolf group, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists. However, this attribution remains uncertain,” Osipov said.
This development comes as BI.ZONE disclosed another activity cluster, codenamed Sapphire Werewolf, which has been linked to more than 300 attacks on Russian education, manufacturing, IT, defense, and aerospace organizations. These intrusions reportedly use Amethyst, an offshoot of the popular open-source SapphireStealer.
In March 2024, the Russian company also uncovered Fluffy Wolf and Mysterious Werewolf clusters. These clusters used spear-phishing lures to distribute Remote Utilities, XMRig miner, WarZone RAT, and a bespoke backdoor dubbed RingSpy.
Sticky Werewolf’s latest campaign focuses on the aviation industry, employing sophisticated phishing tactics. The attackers pose as representatives from AO OKB Kristall, a Moscow-based company involved in aircraft and spacecraft production and maintenance. https://t.co/DhNfpKPfsS
— Gray Hats (@the_yellow_fall) June 10, 2024
“The RingSpy backdoor enables an adversary to remotely execute commands, obtain their results, and download files from network resources,” the report noted. “The backdoor’s command-and-control server is a Telegram bot.”
Sticky Werewolf continues to expand its cyber attack targets in Russia and Belarus. Organizations should stay vigilant and enhance their cybersecurity measures.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.