Sticky Werewolf attacks public organizations in Russia and Belarus

Sticky Werewolf used phishing emails with malicious links to gain access to the systems of government organizations in Russia and Belarus. The links were created using Malware as a Service.
October 12, 2023

According to the BI.ZONE Cyber Threat Intelligence team, Sticky Werewolf has been active since April 2023 and has carried out at least 30 attacks.

The adversaries used IP Logger to generate phishing links for their mailing campaign. This enabled them to collect information about the victims: timestamps, IP addresses, country, city, browser and operating system versions. With such information, the gang could do basic profiling right away, filtering out low‑value systems and focusing on high‑priority ones.

In addition, IP Logger let Sticky Werewolf use its own domain names when creating the links. This made the phishing harder to recognize because the address did not look suspicious.

The phishing links led to malicious files with .exe or .scr extensions that were masked as Microsoft Word or PDF documents. Opening such a file displayed the expected document (e.g., an emergency warning from the EMERCOM of Russia, a court claim application, or a prescription to eliminate some violations). At the same time, the NetWire RAT malware was installed on the device in the background. It allowed the adversaries to collect information about the compromised system, obtain keystroke data, capture screen and webcam video, record microphone audio, and perform other acts of espionage.

NetWire was copied to a temporary folder on the device under the false appearance of a legitimate application. To make it even harder to detect, Sticky Werewolf packed the sample with the Themida protector, whose obfuscation hinders analysis of the malicious file.
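The two behaviours described above (executables with .exe/.scr extensions posing as Word or PDF documents, and a payload dropped into a temporary folder under a legitimate-looking name) can be turned into simple triage rules for download and process-creation telemetry. The script below is an added example written for this page, not BI.ZONE's own tooling or the actual NetWire file names from the campaign; the double-extension lure names, the temp-directory patterns, the "known binary name" table and the sample events are all constructed for illustration.

```python
import ntpath
import re

# Payload extensions named in the report, and the document types the lures
# posed as. Matching on an inner document extension (e.g. "claim.pdf.exe") is
# an assumption about how such lure names are built, not taken from the report.
EXECUTABLE_EXTS = {"exe", "scr"}
DOCUMENT_EXTS = {"doc", "docx", "rtf", "pdf"}

# Windows temporary folders a dropper commonly writes to (constructed list).
TEMP_DIR_PATTERNS = (
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
)

# Legitimate binary names with the directory they are expected to run from
# (constructed examples of names a payload might borrow for camouflage).
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def split_extensions(filename):
    """Return the lower-cased extension chain, e.g. 'claim.pdf.exe' -> ['pdf', 'exe']."""
    base = ntpath.basename(filename).strip().lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def is_masquerading_executable(filename):
    """True when the real extension is .exe/.scr but an earlier extension
    claims the file is a Word/PDF document (e.g. 'warning.docx.scr')."""
    exts = split_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(ext in DOCUMENT_EXTS for ext in exts[:-1])


def is_in_temp_dir(path):
    """True when the image path sits under one of the temp-folder patterns."""
    return any(pattern.match(path) for pattern in TEMP_DIR_PATTERNS)


def known_name_outside_expected_dir(image):
    """True when a well-known binary name runs from a directory other than
    the one it normally lives in."""
    expected = EXPECTED_DIRS.get(ntpath.basename(image).lower())
    if expected is None:
        return False
    return ntpath.dirname(image).lower() != expected


def triage(events):
    """Apply the rules to a list of download/process events and return
    (reason, value) findings in event order."""
    findings = []
    for event in events:
        if event["type"] == "download":
            if is_masquerading_executable(event["filename"]):
                findings.append(("masquerading_executable", event["filename"]))
        elif event["type"] == "process":
            image = event["image"]
            if is_in_temp_dir(image):
                findings.append(("exec_from_temp", image))
            if known_name_outside_expected_dir(image):
                findings.append(("known_name_outside_expected_dir", image))
    return findings


# Constructed sample telemetry: one lure download, one benign document,
# a payload started from %TEMP% under a borrowed name, and two benign processes.
SAMPLE_EVENTS = [
    {"type": "download", "filename": "court_claim_application.pdf.exe"},
    {"type": "download", "filename": "quarterly_report.docx"},
    {"type": "process", "image": r"C:\Users\ivanov\AppData\Local\Temp\svchost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\Program Files\Editor\editor.exe"},
]

if __name__ == "__main__":
    for reason, value in triage(SAMPLE_EVENTS):
        print(f"{reason}: {value}")
```

Running the script prints three findings: the double-extension lure, and two hits on the same temp-folder process (it runs from a temp directory and borrows a system binary's name outside that binary's expected directory). The rules are deliberately narrow so they can be extended with an organisation's own temp locations and binary allowlist without generating noise on ordinary document downloads.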

Malware as a Service provides adversaries with a wide range of capabilities at a moderate price. This is why it is in high demand among cybercriminals and foreign state‑sponsored groups. Moreover, such software does not cease with the arrest of its developer. Programs like this continue to find demand among other threat actors.
Oleg Skulkin
Head of Cyber Threat Intelligence, BI.ZONE

Earlier, BI.ZONE published research on attacks that leveraged leaked ransomware against Russian companies, and also reported on cases of malware distribution under the guise of legal requirements from the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).