Sticky Werewolf attacks public organizations in Russia and Belarus
Our cyber threat intelligence experts have discovered a new group that uses free malware to attack government organizations. A characteristic feature of these attackers is their use of popular malware that is easy to detect and block. Nevertheless, this has not stopped Sticky Werewolf from succeeding. The group's activity can be traced back to April 2023, with at least 30 attacks to date.
Key findings
- Public organizations in Russia and Belarus remain a popular target for espionage.
- The adversaries have been able to gain initial access effectively even with widespread RAT-type* malware.
- To make such well-known malware more effective, the adversaries wrap it in protectors such as Themida, which hampers analysis of the samples in a virtual environment.
* Remote access trojan
Campaign
To gain initial access to its target systems, Sticky Werewolf used phishing emails with links to malicious downloads. The links were generated with the help of IP Logger. The tool enabled the adversaries both to create phishing links and to collect information about the victims who clicked them: the timestamp, IP address, country, city, browser, and operating system version. This information allowed the adversaries to immediately conduct basic profiling of potentially compromised systems and select the most significant ones, disregarding those related to, for example, sandboxes, research activities, and countries outside the group's focus.
In addition, IP Logger enabled the criminal group to use their own domain names. This way, the phishing link was made to look as authentic as possible to the victim, for example: hXXps://diskonline[.]net/poryadok-deystviy-i-opoveshcheniya-grazhdanskoy-oborony.pdf.
The phishing links led to malicious files with .exe or .scr extensions that were masked as Microsoft Word or PDF documents. Clicking such a file opened a genuine document in the expected format and installed Ozone RAT or Darktrack RAT. For instance, an emergency warning from the EMERCOM of Russia was used as a document aimed at distracting the victim (fig. 1).
Another example is a court claim application (fig. 2).
As for the attacks on Belarusian organizations, among the documents used was a prescription to eliminate some legal code violations (fig. 3).
Together with the document, the Ozone RAT loader was copied into the %TEMP% folder under the name of a legitimate application such as utorrent.exe (µTorrent). To gain persistence in the compromised system, a shortcut pointing to the malware sample was created in the autostart folder, for example: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\uTorrent.lnk. Sticky Werewolf used the Themida protector to obfuscate Ozone RAT, making it difficult to detect and analyze.
Ozone RAT has a modular architecture with two key components: the loader and the core module, which encompasses the remote access trojan functionality. In this case, Sticky Werewolf used the Ozone RAT loader.
The core module was unavailable at the time of analysis. However, the loader is known to download an encrypted core module from the C2 server as a DLL file, which is saved as data.dbf in the same directory as the loader. The core module is then decrypted and loaded directly into memory using reflective DLL loading via the Delphi BTMemoryModule library. Once loaded, the core module takes control and performs malicious actions.
The Ozone RAT core module equips attackers with extensive capabilities to control a compromised system and carry out malicious activities, specifically:
- manage files, processes, and services
- modify entries in the Windows Registry
- record keystrokes using the keylogger module
- record microphone audio, capture screen and webcam video in real time
- execute commands remotely using the Windows command line
- load and run files from the C2 server
- delete artifacts within the system to remove evidence of their presence
- utilize the HVNC module to covertly control a victim’s computer
- extract passwords from web browsers and email clients such as Outlook and Thunderbird
- leverage reverse proxy mode to bypass network restrictions
Conclusions
Free and commercial malware is in high demand among cybercriminals and state-sponsored groups alike, as it provides extensive functionality for just a few dozen dollars. Moreover, such malware does not disappear when its developer is arrested: programs like this continue to find demand among other threat actors.
Where to look for traces of Sticky Werewolf
- Watch for suspicious executables running from temporary folders.
- Track the appearance of executables masked as legitimate applications in unusual file locations.
- Monitor access by suspicious processes to files containing authentication data, such as the credential stores of browsers and email clients.
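A hunting script for the host artifacts this report describes: execution from %TEMP% under a legitimate application name, a Startup-folder shortcut pointing into %TEMP%, data.dbf dropped next to the loader, and credential-store access by such a process. This is an added example, not BI.ZONE's code; the event records are constructed samples in a simplified Sysmon-like shape, and the credential-store file names and the .pdf.exe double-extension pattern are assumptions.

```python
import re

# Folders the loader was observed running from (page: %TEMP%).
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# Persistence artifact: .lnk in the user's Startup folder (page: uTorrent.lnk).
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# Assumed masking pattern: document-looking name with an .exe/.scr extension.
MASKED_DOC_RE = re.compile(r"\.(pdf|docx?)\.(exe|scr)$", re.I)
# Assumed credential stores of browsers and mail clients (Chrome, Firefox, Outlook, Thunderbird).
CRED_STORE_RE = re.compile(
    r"(\\Login Data$|\\logins\.json$|\\key4\.db$|\\Thunderbird\\Profiles\\|\\Microsoft\\Outlook\\)", re.I)
LEGIT_NAMES = {"utorrent.exe"}  # legitimate names abused in the report; extend per environment

def basename(path):
    return path.rsplit("\\", 1)[-1]

def detect(events):
    """Return (rule, pid) findings for a chronological list of event dicts.
    Event keys: type (process_create/file_create/file_access), pid, image, target, lnk_target."""
    findings, temp_pids = [], set()  # temp_pids: processes whose image lives in a temp folder
    for ev in events:
        if ev["type"] == "process_create":
            img = ev["image"]
            if TEMP_DIR_RE.search(img):
                temp_pids.add(ev["pid"])
                findings.append(("exec_from_temp", ev["pid"]))
                if basename(img).lower() in LEGIT_NAMES:
                    findings.append(("legit_name_in_temp", ev["pid"]))
            if MASKED_DOC_RE.search(img):
                findings.append(("masked_document", ev["pid"]))
        elif ev["type"] == "file_create":
            tgt = ev["target"]
            if STARTUP_LNK_RE.search(tgt) and TEMP_DIR_RE.search(ev.get("lnk_target", "")):
                findings.append(("startup_lnk_to_temp", ev["pid"]))
            if basename(tgt).lower() == "data.dbf" and ev["pid"] in temp_pids:
                findings.append(("ozone_core_dropped", ev["pid"]))
        elif ev["type"] == "file_access":
            if CRED_STORE_RE.search(ev["target"]) and ev["pid"] in temp_pids:
                findings.append(("cred_store_access_from_temp", ev["pid"]))
    return findings

# Constructed sample telemetry: one infection chain (pid 4120), one masked lure (pid 4200),
# and the genuine µTorrent (pid 5000) touching Chrome's credential store as a negative case.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\utorrent.exe"},
    {"type": "process_create", "pid": 4200, "image": r"C:\Users\u\Downloads\claim.pdf.scr"},
    {"type": "file_create", "pid": 4120, "lnk_target": r"C:\Users\u\AppData\Local\Temp\utorrent.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uTorrent.lnk"},
    {"type": "file_create", "pid": 4120, "target": r"C:\Users\u\AppData\Local\Temp\data.dbf"},
    {"type": "file_access", "pid": 4120, "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process_create", "pid": 5000, "image": r"C:\Program Files\uTorrent\uTorrent.exe"},
    {"type": "file_access", "pid": 5000, "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(rule, pid)
```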
MITRE ATT&CK
Indicators of compromise
- 185.12.14[.]32:666
- yandeksdisk[.]org
- diskonline[.]net
- 078859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bb
- 9162ccb4816d889787a7e25ba680684afca1d7f3679c856ceedaf6bf8991e486
More indicators of compromise are available on the BI.ZONE Threat Intelligence platform.
How to safeguard your company against such threats
Phishing emails are a popular attack vector against organizations. To protect your mail, you can use dedicated filtering solutions that keep unwanted email out of your inbox. One such solution is BI.ZONE CESP. It safeguards companies from illegitimate emails by screening each incoming message. More than 600 filtering mechanisms are implemented on the basis of machine learning, statistical, signature, and heuristic analysis. This message validation does not delay the delivery of legitimate emails.
To better understand the current cyber threat landscape and realize exactly how infrastructures similar to yours are being attacked, we recommend leveraging the data from the BI.ZONE Threat Intelligence platform. The solution helps you proactively protect your business with comprehensive threat intelligence and daily updated indicators of compromise to improve the effectiveness of your information defenses.