
Sapphire Werewolf refines Amethyst stealer to attack energy companies
BI.ZONE Threat Intelligence keeps a close eye on Sapphire Werewolf’s activity. Recent findings indicate that the attackers have been using the updated Amethyst stealer, an open-source malware distributed via phishing emails. This time, the cluster targeted energy companies.
- The adversaries are improving their own tools to get around security solutions more effectively.
- The latest version of the Amethyst stealer features advanced checks for virtualized environments and employs the Triple DES algorithm for string encryption.
- By exploiting credentials, the threat actor can infiltrate a wide range of information systems, gaining access to sensitive data.
Sapphire Werewolf disguises a malicious attachment as an official memo and sends it to its victim, posing as an HR representative.

The email includes a memo archive Служебная записка .rar, which contains an executable Служебная записка .exe with a fake PDF icon. This is a C#-based malware protected with .NET Reactor. The malicious file is a .NET loader that carries a Base64-encoded payload (a PE file).

The Base64 string is decoded into a byte array, loaded into memory, and executed using Assembly.Load() and the Invoke() method.
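As an added example (not code from the report, the BI.ZONE team or the malware authors), the Python script below shows how an analyst can carve such an embedded payload from a loader sample for offline triage: it finds long Base64 runs, stored either as plain ASCII or as UTF-16LE string literals (the form .NET user strings take), decodes each one and keeps only those that decode to a valid PE image (MZ header whose e_lfanew points at a PE signature). The 256-character minimum run length and the sample loader produced by build_sample_loader() are assumptions constructed for the demonstration; nothing that is carved is executed.

```python
import base64
import re
import struct

# Base64 alphabet runs long enough to plausibly hold a PE image (the 256
# threshold is an assumption). .NET string literals are stored UTF-16LE in the
# #US heap, so the payload may appear as plain ASCII or with interleaved NULs.
ASCII_B64 = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")
UTF16_B64 = re.compile(rb"(?:[A-Za-z0-9+/]\x00){256,}(?:=\x00){0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """True when blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_base64_pe(data: bytes) -> list:
    """Return every PE image found as a Base64 run inside data, decoded."""
    runs = [m.group(0) for m in ASCII_B64.finditer(data)]
    # Drop the interleaved NUL bytes of UTF-16LE runs before decoding.
    runs += [m.group(0)[::2] for m in UTF16_B64.finditer(data)]
    found = []
    for run in runs:
        # A run may have absorbed alphabet characters that precede the real
        # literal, so try each of the four possible alignments.
        for skip in range(4):
            try:
                blob = base64.b64decode(run[skip:], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if looks_like_pe(blob):
                found.append(blob)
                break
    return found


def build_sample_loader() -> bytes:
    """Constructed stand-in for the loader: a minimal PE stub, Base64-encoded
    and embedded as a UTF-16LE string literal between unrelated bytes."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS header up to e_lfanew
    stub += struct.pack("<I", 0x40)             # e_lfanew -> PE signature at 0x40
    stub += b"PE\x00\x00" + b"\x00" * 300       # PE signature plus padding
    literal = base64.b64encode(bytes(stub)).decode().encode("utf-16-le")
    return "payload:".encode("utf-16-le") + literal + ";end".encode("utf-16-le")


if __name__ == "__main__":
    for pe in carve_base64_pe(build_sample_loader()):
        (lfanew,) = struct.unpack_from("<I", pe, 0x3C)
        print(f"carved PE image: {len(pe)} bytes, e_lfanew=0x{lfanew:x}")
```

Run it against a real loader by passing the file's bytes to carve_base64_pe(); each returned image can then be hashed and inspected in a sandbox rather than loaded.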

The PE file is the Amethyst stealer, also protected with .NET Reactor. Similar to previously analyzed instances of this malware, the new sample loads the DotNetZip.dll helper library (Ionic’s Zip Library version 1.16) into memory for file compression. It then sends system data, including the IP address and a string indicating whether the machine is a virtual machine (VM or NOT_VM), to the following address: hxxp://canarytokens[.]com/traffic/tags/static/xjemqlqirwqru9pkrh3j4ztmf/payments.js

The User-Agent string begins with the word Brussel, which is presumably the campaign ID.

The BI.ZONE Threat Intelligence team also registered malware calls to wondrous-bluejay-lively.ngrok-free[.]app and to checkip.dyndns[.]org for IP verification/lookup.

The Amethyst stealer also extracts a decoy PDF document from its resources and opens it.
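The network indicators above can be checked against web proxy logs. The Python script below is an added example, not part of the report or of any BI.ZONE product: it scans records in a constructed tab-separated log format (timestamp, source IP, URL, User-Agent), flags requests to the three hostnames named in the report, and separately flags any User-Agent beginning with Brussel, so that beacons to infrastructure not yet on the host list still surface. The sample records, the source IPs, the URL path on the ngrok host and everything after Brussel in the User-Agent are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hostnames taken from the report (defanged there as canarytokens[.]com etc.).
KNOWN_HOSTS = {
    "canarytokens.com": "beacon reporting the IP address and VM/NOT_VM status",
    "wondrous-bluejay-lively.ngrok-free.app": "ngrok tunnel contacted by the stealer",
    "checkip.dyndns.org": "external IP lookup",
}
# The report states only that the User-Agent begins with this word.
UA_PREFIX = "Brussel"


@dataclass
class Hit:
    line_no: int
    src_ip: str
    host: str
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Parse one record of the constructed format
    timestamp<TAB>src_ip<TAB>url<TAB>user_agent; None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    ts, src_ip, url, ua = parts
    host = (urlsplit(url).hostname or "").lower()
    return {"ts": ts, "src_ip": src_ip, "host": host, "ua": ua}


def scan_proxy_log(lines) -> list:
    """Return a Hit for every record matching a host or User-Agent indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["host"] in KNOWN_HOSTS:
            reasons.append(f"known host: {KNOWN_HOSTS[rec['host']]}")
        # Matching on the prefix alone also catches beacons to infrastructure
        # that is not on the host list yet.
        if rec["ua"].startswith(UA_PREFIX):
            reasons.append(f"User-Agent begins with {UA_PREFIX!r}")
        if reasons:
            hits.append(Hit(n, rec["src_ip"], rec["host"], reasons))
    return hits


# Constructed sample log: timestamps, source IPs, the ngrok path and the part of
# the User-Agent after "Brussel" are made up; the canarytokens URL is the
# report's indicator in undefanged form.
SAMPLE_LOG = [
    "2025-01-01T09:12:01Z\t10.0.0.15\thttp://canarytokens.com/traffic/tags/static/xjemqlqirwqru9pkrh3j4ztmf/payments.js\tBrussel-1.0",
    "2025-01-01T09:12:03Z\t10.0.0.15\thttp://checkip.dyndns.org/\tBrussel-1.0",
    "2025-01-01T09:12:05Z\t10.0.0.15\thttps://wondrous-bluejay-lively.ngrok-free.app/\tBrussel-1.0",
    "2025-01-01T09:13:10Z\t10.0.0.22\thttps://www.example.com/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2025-01-01T09:14:44Z\t10.0.0.15\thttp://203.0.113.7/\tBrussel-1.0",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.src_ip} -> {hit.host}: {'; '.join(hit.reasons)}")
```

The fifth record is the interesting one: its host is unknown, yet the User-Agent prefix still produces a hit, which is why the two rules are kept separate rather than requiring both.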

The updated Amethyst stealer features the following special capabilities:
- Advanced checks for VM environments, enabling the malware to:
  - attempt to retrieve a file descriptor specific to a VirtualBox VM
  - check for a registry key used by VMware Tools
  - check the hardware manufacturer and model via WMI
  - check the processor manufacturer, including Parallels
  - check the motherboard manufacturer and BIOS details
  - check the disk model data
  - check plug and play devices
  - check services
  - check if the VM-associated registry keys have been modified in the last month
- Use of WMI to gather extensive data about the compromised system
- It is also noteworthy that the updated stealer uses the Triple DES symmetric algorithm. However, unlike .NET loaders that encrypt the code in its entirety, Triple DES here covers almost every string passed as an argument to the functions called by the malware.
The Amethyst stealer retrieves:
- credentials from Telegram and various browsers, including Chrome, Opera, Yandex, Brave, Orbitum, Atom, Kometa, and Edge Chromium, as well as FileZilla and SSH configuration files
- configuration files from remote desktops and VPN clients
- various types of documents, including those stored on removable media
- MD5: 93d048364909018a492c8f709d385438
- SHA-1: 94034e04636bc4450273b50b07b45f636ff59b05
- SHA-256: 4149b07d9fdcd04b34efa0a64e47a1b9581ff9d1f670ea552b7c93fb66199b5f
More indicators of compromise are available on the BI.ZONE Threat Intelligence portal.
Tactic | Technique | Procedure |
---|---|---|
Initial Access | Phishing | Uses phishing emails |
Execution | User Execution: Malicious File | Prompts the victim to download and run the malicious file to initiate the compromise process |
Execution | Command and Scripting Interpreter: Windows Command Shell | Uses the Windows command line to run commands |
Execution | Windows Management Instrumentation | Uses WMI to run commands |
Persistence | Scheduled Task/Job: Scheduled Task | Creates jobs in Windows Task Scheduler to gain a foothold in the compromised system |
Defense Evasion | Indicator Removal: File Deletion | Deletes the file after execution |
Defense Evasion | Masquerading: Match Legitimate Name or Location | Disguises malicious files as legitimate documents |
Defense Evasion | Deobfuscate/Decode Files or Information | Decrypts function strings at runtime |
Defense Evasion | Obfuscated Files or Information: Software Packing | Both the loader and the stealer are protected with .NET Reactor |
Defense Evasion | Obfuscated Files or Information: Embedded Payloads | The loader contains a Base64-encoded PE file |
Defense Evasion | Obfuscated Files or Information: Command Obfuscation | The new Amethyst stealer version feeds Triple DES-encrypted strings to methods |
Defense Evasion | Virtualization/Sandbox Evasion: System Checks | Performs advanced checks for virtualized environments |
Credential Access | Steal Web Session Cookie | Collects cookies from browsers |
Credential Access | Credentials from Password Stores: Credentials from Web Browsers | Collects passwords saved in browsers |
Discovery | System Network Configuration Discovery | Retrieves the public and private IP addresses of the compromised system |
Discovery | System Information Discovery | Collects information about the compromised system |
Collection | Data from Local System | Retrieves files from the compromised system |
Collection | Data from Removable Media | Retrieves files from removable media |
Collection | Data Staged: Local Data Staging | Copies the collected data into a folder on the compromised system |
Collection | Archive Collected Data | Archives the collected data before sending it to the C2 server |
Collection | Automated Collection | Performs automated collection |
Command and Control | Web Service: Bidirectional Communication | Uses a Telegram bot as the C2 server |
Command and Control | Ingress Tool Transfer | Transfers additional files to the compromised system |
Exfiltration | Exfiltration Over Web Service | Uses Telegram to exfiltrate the collected data |
The BI.ZONE EDR rules below can help organizations detect the described malicious activity:
- win_creation_task_that_run_file_from_suspicious_folder
- win_possible_browser_stealer_activity
- win_suspicious_access_to_software_sensitive_files
We would also recommend that you monitor suspicious activity related to:
- running suspicious executable files from the %Temp% folder
- running executables resembling system files from unusual folders
- creating scheduled tasks not typical for the organization
- opening sensitive files through unusual processes
- accessing external IP-lookup services
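One way to implement the first three of these recommendations against scheduled-task creation events (Windows Security event 4698 carries the task definition XML in its Task Content field), as an added example that is not one of the BI.ZONE EDR rules and not the report's own code: the Python script parses a task definition, extracts the Command and Arguments of each Exec action, and reports actions that point into %Temp% or other user-writable folders, or that use a system-binary name outside the Windows directory. The task definitions, paths and the folder and name lists are constructed for the example and would be tuned to the environment.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema used in task files and event 4698.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Folders from which a legitimate scheduled task rarely launches binaries
# (constructed list; extend to the organization's own conventions).
SUSPICIOUS_DIRS = [
    re.compile(r"%temp%\\", re.I),
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\windows\\temp\\", re.I),
    re.compile(r"\\users\\public\\", re.I),
    re.compile(r"\\downloads\\", re.I),
]
# Binary names often reused to look like Windows components, and the only
# locations where they legitimately live.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "explorer.exe", "rundll32.exe"}
SYSTEM_DIRS = re.compile(
    r"^(%systemroot%|%windir%|c:\\windows)\\(system32\\|syswow64\\)?[^\\]+$", re.I)


def task_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for exec_ in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = exec_.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        yield cmd, args


def assess_task(task_xml: str) -> list:
    """Return one finding string per suspicious trait of the task's actions."""
    findings = []
    for cmd, args in task_actions(task_xml):
        # The launched binary may be an interpreter whose arguments name the
        # real payload, so both fields are checked against the folder list.
        for text, label in ((cmd, "command"), (args, "arguments")):
            if any(p.search(text) for p in SUSPICIOUS_DIRS):
                findings.append(f"{label} point to a temp/download folder: {text}")
        if ntpath.basename(cmd).lower() in SYSTEM_NAMES and not SYSTEM_DIRS.match(cmd):
            findings.append(f"system-looking binary name outside the Windows directory: {cmd}")
    return findings


# Constructed task definitions modeled on the Task Scheduler schema; the XML
# declaration that event 4698 includes is omitted.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions>
    <Exec>
      <Command>"C:\Users\user\AppData\Local\Temp\svchost.exe"</Command>
      <Arguments>-start</Arguments>
    </Exec>
  </Actions>
</Task>"""

TEMP_VAR_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions>
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>/c %Temp%\report.exe</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions>
    <Exec>
      <Command>C:\Windows\System32\svchost.exe</Command>
      <Arguments>-k netsvcs</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, definition in (("suspicious", SUSPICIOUS_TASK),
                             ("temp variable", TEMP_VAR_TASK),
                             ("benign", BENIGN_TASK)):
        print(name, assess_task(definition) or "no findings")
```

The first definition triggers both rules (temp folder and a svchost.exe that is not under C:\Windows), the second is caught only through its arguments, and the genuine System32 service host produces no finding.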
Like many other clusters, Sapphire Werewolf employs phishing emails to gain initial access to a victim’s infrastructure. These risks can be mitigated with email protection solutions like BI.ZONE Mail Security. The service features a high-performance engine of our own design and incorporates various methods of email traffic analysis.
Building an effective cybersecurity strategy requires an understanding of the threats you are up against. This means you need to know the adversaries’ methods and tools while keeping a close eye on the most recent threats. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. The solution provides information about the current attacks, threat actors, their methods and tools, as well as data from underground resources. This intelligence can help you stay proactive and accelerate your incident response.