Sticky Werewolf attacks public organizations in Russia and Belarus

BI.ZONE
5 min read · Oct 13, 2023

Our cyber threat intelligence experts have discovered a new group that uses presumably legitimate, commercially sold software to attack government organizations. A characteristic feature of these attackers is their reliance on popular tools that are easy to detect and block. Nevertheless, this has not stopped Sticky Werewolf from succeeding. The group’s activity can be traced back to April 2023, with at least 30 attacks to date.

Key findings

  • Public organizations in Russia and Belarus remain a popular target for espionage.
  • The adversaries have been able to gain initial access with even the most widespread RAT-type* malware.
  • To keep a well-known program effective, the adversaries wrap it in protectors such as Themida, which hinders detection and analysis of the malware.

* A remote administration tool (RAT) is software that enables complete remote control of a computer.

Campaign

To gain initial access to its target systems, Sticky Werewolf used phishing emails with links to malicious downloads. The links were generated with IP Logger, a service that let the adversaries both create the phishing links and collect information about the victims who clicked them: the timestamp, IP address, country, city, and browser and operating system versions. This information allowed the adversaries to perform basic profiling of potentially compromised systems right away and to select the most valuable ones, discarding those that pointed to, for example, sandboxes, research activity, or countries outside the group’s focus.

In addition, IP Logger allowed the group to use its own domain names, so the phishing link could be made to look as authentic as possible to the victim, for example: hXXps://diskonline[.]net/poryadok-deystviy-i-opoveshcheniya-grazhdanskoy-oborony.pdf. The path ends in .pdf, but what the link delivers is an executable.

The phishing links led to malicious files with .exe or .scr extensions disguised as Microsoft Word or PDF documents. Running such a file opened a decoy document in the expected format and, at the same time, installed the NetWire RAT. For instance, an emergency warning from the EMERCOM of Russia was used as a document aimed at distracting the victim (fig. 1).

Fig. 1. An example of a document used by the adversaries

Another example is a court claim application (fig. 2).

Fig. 2. An example of a document used by the adversaries

As for the attacks on Belarusian organizations, among the documents used was a notice ordering the elimination of legal violations (fig. 3).

Fig. 3. An example of a document used by the adversaries
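How the masquerading described above (an executable delivered from a document-looking link, under a document-looking name) can be caught at the download or mail-gateway stage, as an added Python example rather than anything from the article or BI.ZONE. The PE bytes are constructed, the URL is the article’s own example, and the on-disk filename with a document name plus a .scr suffix is an assumption: the article only says the .exe/.scr files were masked as Word or PDF documents.

```python
"""Check whether a downloaded file is really the document its link and name promise.

Added illustration for this article; it is not BI.ZONE code. The PE bytes are
constructed, the URL is the article's defanged example, and the on-disk filename
(lure name plus an executable suffix) is an assumption, since the article only
says the .exe/.scr files were masked as Word or PDF documents.
"""
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import urlparse

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".xls", ".xlsx"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# First bytes of genuine files of each kind (standard magic numbers).
MAGIC = {
    b"MZ": "pe",                   # Windows executable: .exe, .scr, .dll
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",          # OOXML .docx/.xlsx is a ZIP container
    b"\xd0\xcf\x11\xe0": "ole",    # legacy .doc/.xls
    b"{\\rtf": "rtf",
}


def refang(url: str) -> str:
    """Turn the 'hXXps://host[.]tld' notation used in reports back into a real URL."""
    return url.replace("hXXp", "http").replace("[.]", ".")


def content_kind(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def name_extensions(filename: str) -> list[str]:
    """Every dotted suffix, lowercased: 'claim.pdf.scr' -> ['.pdf', '.scr']."""
    return [s.lower() for s in PureWindowsPath(filename).suffixes]


def assess_download(url: str, filename: str, data: bytes) -> list[str]:
    """Return the reasons a download should be treated as a masquerading executable."""
    findings = []
    exts = name_extensions(filename)
    last = exts[-1] if exts else ""
    kind = content_kind(data)
    url_ext = PurePosixPath(urlparse(refang(url)).path).suffix.lower()

    # The link ends in a document extension, but what arrives is a PE.
    if url_ext in DOCUMENT_EXTS and (last in EXECUTABLE_EXTS or kind == "pe"):
        findings.append(f"link path ends in {url_ext} but delivers an executable")
    # Double extension: a document name with an executable final suffix.
    if last in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append(f"double extension {''.join(exts)} hides an executable")
    # Document extension on disk, PE header inside (renamed executable).
    if last in DOCUMENT_EXTS and kind == "pe":
        findings.append(f"{last} file whose content is a PE executable")
    # .scr is an ordinary PE with a different suffix; Windows runs it like an .exe.
    if last == ".scr":
        findings.append(".scr delivered by link: treat as an executable")
    return findings


if __name__ == "__main__":
    lure_url = "hXXps://diskonline[.]net/poryadok-deystviy-i-opoveshcheniya-grazhdanskoy-oborony.pdf"
    fake_pe = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56   # constructed DOS header
    for reason in assess_download(lure_url, "poryadok-deystviy.pdf.scr", fake_pe):
        print("-", reason)
```

The content check matters more than the name check: an attacker controls both the link text and the filename, but a NetWire dropper still has to begin with an MZ header to run.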

Together with the document, NetWire was copied to C:\Users\User\AppData\Local\Temp under the name of a legitimate application, such as utorrent.exe (µTorrent). To persist on the compromised system, a shortcut pointing to the malware sample was created in the Startup folder, for example: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uTorrent.lnk. Sticky Werewolf packed NetWire with the Themida protector, making it harder to detect and analyze.

NetWire allowed the criminals to gather information about the compromised system and perform the following actions:

  • manage files, processes, services, windows, as well as installed applications and network connections
  • edit the Windows Registry
  • modify and retrieve data from the clipboard
  • obtain keystroke data
  • capture screen and webcam video, and record microphone audio in real time
  • execute commands remotely using the Windows command line
  • obtain authentication data from various sources
  • load and run files
  • read and edit the file C:\Windows\System32\drivers\etc\hosts
  • retrieve lists of network folders and devices on the local network
  • perform network scanning

Notably, in March 2023, an individual who had sold NetWire as legitimate software for several years was arrested in Croatia, and the domain name and server used to distribute the software were seized.

Conclusions

Commercial malware is in high demand among cybercriminals and state-sponsored groups alike, as it provides extensive functionality for just a few dozen dollars. Moreover, such malware does not disappear with the arrest of its developer: programs like this continue to be used by other threat actors.

Where to look for traces of Sticky Werewolf

  1. Watch for suspicious executables running from temporary folders.
  2. Track the appearance of executables named after legitimate applications in unusual file locations.
  3. Monitor access by suspicious processes to files holding authentication data, such as browser and email credential stores.

MITRE ATT&CK

Indicators of compromise

  • 185.12.14[.]32:666
  • yandeksdisk[.]org
  • diskonline[.]net
  • 078859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bb
  • 9162ccb4816d889787a7e25ba680684afca1d7f3679c856ceedaf6bf8991e486

More indicators of compromise are available on the BI.ZONE ThreatVision platform.
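A hunting script that turns the three detection points above, the persistence chain (RAT renamed to utorrent.exe in AppData\Local\Temp, .lnk in the Startup folder, hosts-file editing) and the published indicators into rules over endpoint telemetry. It is an added Python example, not BI.ZONE detection content. The events are constructed Sysmon-style records using Sysmon’s field names, plus one Windows object-access audit event (4663) because Sysmon does not log file reads; the expected install path for uTorrent and the pairing of one published hash with the Temp executable are assumptions.

```python
"""Hunting rules for the tradecraft in this article, run over constructed telemetry.

Added example, not BI.ZONE detection content. Records are simplified Sysmon-style
events (EventID plus the fields each rule reads, using Sysmon's field names) and
one Windows object-access audit event (4663). The expected install path for
uTorrent and the pairing of the article's hash with a specific file are assumptions.
"""
import re

# Indicators published in the article, refanged so they compare to raw telemetry.
IOC_C2 = {("185.12.14.32", 666)}
IOC_DOMAINS = {"yandeksdisk.org", "diskonline.net"}
IOC_SHA256 = {
    "078859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bb",
    "9162ccb4816d889787a7e25ba680684afca1d7f3679c856ceedaf6bf8991e486",
}

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Where a well-known binary name is expected to live (assumed; extend from your own inventory).
EXPECTED_LOCATION = {"utorrent.exe": "\\appdata\\roaming\\utorrent\\"}
# Browser credential stores a RAT reads when "obtaining authentication data".
CRED_STORES = ("\\login data", "\\logins.json", "\\key4.db")


def sha256_of(hashes: str) -> str:
    """Sysmon's Hashes field is 'SHA256=...,MD5=...'; pull the SHA256 part."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", hashes or "")
    return m.group(1).lower() if m else ""


def evaluate(ev: dict) -> list[str]:
    hits, eid = [], ev["EventID"]
    if eid == 1:  # process creation
        image = ev["Image"]
        if TEMP_DIR.search(image):
            hits.append("exec-from-temp")
        expected = EXPECTED_LOCATION.get(image.rsplit("\\", 1)[-1].lower())
        if expected and expected not in image.lower():
            hits.append("known-app-name-in-unusual-location")
        if sha256_of(ev.get("Hashes", "")) in IOC_SHA256:
            hits.append("ioc-sha256")
    elif eid == 11:  # file create or overwrite (Sysmon does not see in-place edits)
        target = ev["TargetFilename"].lower()
        if STARTUP_DIR.search(target) and target.endswith(".lnk") and TEMP_DIR.search(ev.get("Image", "")):
            hits.append("startup-lnk-written-by-temp-process")
        if target.endswith("\\drivers\\etc\\hosts"):
            hits.append("hosts-file-rewritten")
    elif eid == 3:  # network connection
        if (ev["DestinationIp"], int(ev["DestinationPort"])) in IOC_C2:
            hits.append("ioc-c2-endpoint")
    elif eid == 22:  # DNS query
        if ev["QueryName"].lower().rstrip(".") in IOC_DOMAINS:
            hits.append("ioc-domain")
    elif eid == 4663:  # object access audit; needs a SACL on the credential store files
        obj = ev.get("ObjectName", "").lower()
        if TEMP_DIR.search(ev.get("ProcessName", "")) and obj.endswith(CRED_STORES):
            hits.append("cred-store-read-from-temp-process")
    return hits


def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> names of the rules that fired, only for events that fired."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}


# Constructed sample telemetry mirroring the chain in the article.
USER = "C:\\Users\\User"
TEMP_RAT = USER + "\\AppData\\Local\\Temp\\utorrent.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": TEMP_RAT,  # hash pairing assumed, not stated in the article
     "Hashes": "SHA256=078859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bb"},
    {"EventID": 11, "Image": TEMP_RAT,
     "TargetFilename": USER + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\uTorrent.lnk"},
    {"EventID": 3, "Image": TEMP_RAT, "DestinationIp": "185.12.14.32", "DestinationPort": "666"},
    {"EventID": 22, "Image": TEMP_RAT, "QueryName": "diskonline.net"},
    {"EventID": 4663, "ProcessName": TEMP_RAT,
     "ObjectName": USER + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"EventID": 1, "Image": USER + "\\AppData\\Roaming\\uTorrent\\uTorrent.exe"},  # legitimate install
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["EventID"], rules)
```

The behavioural rules are the ones worth keeping after the indicators go stale: a Themida-packed sample changes its hash and the C2 moves, but a process launched from AppData\Local\Temp under a well-known product name that then writes a Startup shortcut is the same chain regardless of the packer.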

How to safeguard your company against such threats

Phishing emails are a popular attack vector against organizations. To protect your mail, you can use dedicated filtering solutions to help you keep unwanted email out of your inbox. One such solution is BI.ZONE CESP. It safeguards companies from illegitimate emails by screening each inbound message. More than 600 filtering mechanisms are implemented on the basis of machine learning, statistical, signature, and heuristic analysis. This message validation does not delay the delivery of secure emails.

To better understand the current cyber threat landscape and realize exactly how infrastructures similar to yours are being attacked, we recommend leveraging the data from the BI.ZONE ThreatVision platform. The solution helps you proactively protect your business with comprehensive threat intelligence and daily updated indicators of compromise to improve the effectiveness of your information defenses.

BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age