Sticky Werewolf attacks public organizations in Russia and Belarus

According to the BI.ZONE Cyber Threat Intelligence team, Sticky Werewolf has been active since April 2023 and committed at least 30 attacks.

The adversaries used IP Logger to generate phishing links for their mailing campaign. This enabled them to collect information about the victims: timestamps, IP address, country, city, browser and operating system versions. With such information, the gang was able to do basic profiling right away, filtering out low‑value systems and focusing on high‑priority ones.

In addition, with IP Logger, Sticky Werewolf could use its own domain names when creating the links. This made it harder to recognize phishing because the address does not look suspicious.

The phishing links contained malicious files with .exe or .scr extensions that were masked as Microsoft Word or PDF documents. Clicking such a file opened the expected document (e.g., an emergency warning from the EMERCOM of Russia, a court claim application, or a prescription to eliminate some violations). At the same time, the NetWire RAT malware was installed on the device in the background. It allowed the adversaries to collect information about the compromised system, obtain keystroke data, capture screen and webcam video, record microphone audio, and perform other acts of espionage.

NetWire was copied to a temporary folder on the device under the false appearance of a legitimate application. To make it even harder to detect, Sticky Werewolf used the Themida protector, which provides obfuscation to counteract the analysis of the malicious sample.

Earlier, BI.ZONE published a research dedicated to attacks that leveraged leaked ransomware against Russian companies, and also reported on cases of malware distribution under the guise of legal requirements from the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).