Sapphire Werewolf polishes open‑source stealer to spy on Russian organizations

Since March 2024, a new criminal group, Sapphire Werewolf, has launched more than 300 attacks on Russian organizations. The threat actor steals sensitive data with a modified stealer. The targeted industries include education, IT, defense, and aerospace engineering.
June 5, 2024

Sapphire Werewolf sends out phishing emails with links generated by the T.LY URL shortener. Such a link triggers the download of a malicious file instead of the expected documents. When opened, the file installs a malicious program, the Amethyst stealer, that harvests the victim’s data.

To reduce the victim’s suspicion, a decoy document pops up at the same time as the malware is downloaded. The document can be an enforcement order, a Central Election Committee leaflet, or even a decree from the President of Russia. The URL shortener serves the same purpose: to make the links look legitimate.

The Amethyst stealer gathers sensitive information from the compromised computer: password and cookie databases, browser and popular website histories, saved pages, text and other documents, as well as configuration files that enable the attackers to gain access to the victim’s Telegram account. The collected data is archived and transmitted to the adversaries’ Telegram bot.
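A defender-side correlation of the two network stages described above (a download via a T.LY short link, followed shortly by an archive upload to a Telegram bot), as an added example that is not from BI.ZONE or the report. The proxy log format, the Bot API `sendDocument` path and the size threshold are assumptions; the sample log lines are constructed.

```python
"""Flag clients that fetched a T.LY short link and then POSTed a large body
to a Telegram bot. Log format, Bot API path and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO time> <client_ip> <method> <url> <request_bytes>"
SAMPLE_LOG = """\
2024-04-02T09:14:03 10.1.2.15 GET https://t.ly/abc12 0
2024-04-02T09:14:05 10.1.2.15 GET https://files.example.invalid/order.zip 0
2024-04-02T09:16:40 10.1.2.15 POST https://api.telegram.org/bot1234567:AAAbbbCCC/sendDocument 4816312
2024-04-02T09:20:11 10.1.2.77 GET https://t.ly/news9 0
2024-04-02T09:21:00 10.1.2.90 POST https://api.telegram.org/bot7777:ZZZ/sendMessage 212
"""

SHORTENER_RE = re.compile(r"^https?://t\.ly/", re.I)
# Bot API file-upload method; assumed as the exfil channel, not stated in the report.
TELEGRAM_UPLOAD_RE = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/sendDocument", re.I)
MIN_UPLOAD_BYTES = 100_000  # an archive of browser databases is far larger than a text message

def parse_line(line):
    ts, ip, method, url, nbytes = line.split()
    return datetime.fromisoformat(ts), ip, method, url, int(nbytes)

def find_exfil_chains(log_text, max_gap_minutes=60):
    """Return (client_ip, short_link, upload_time) for each client that fetched
    a T.LY link and, within max_gap_minutes, uploaded a large body to a bot."""
    short_links = defaultdict(list)
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, method, url, nbytes = parse_line(raw)
        if method == "GET" and SHORTENER_RE.match(url):
            short_links[ip].append((ts, url))
        elif method == "POST" and TELEGRAM_UPLOAD_RE.match(url) and nbytes >= MIN_UPLOAD_BYTES:
            for link_ts, link in short_links[ip]:
                gap_min = (ts - link_ts).total_seconds() / 60
                if 0 <= gap_min <= max_gap_minutes:
                    findings.append((ip, link, ts.isoformat()))
    return findings

if __name__ == "__main__":
    for ip, link, when in find_exfil_chains(SAMPLE_LOG):
        print(f"{ip}: short link {link} followed by Telegram bot upload at {when}")
```

Short-link visits alone (10.1.2.77) and small bot messages alone (10.1.2.90) are not flagged; only the full sequence on one client is.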

We are seeing a growing trend for stealers among espionage‑driven groups since late 2023 to early 2024. The attackers do not even have to develop such programs from scratch. For instance, the Amethyst stealer employed by the Sapphire Werewolf group is a modification of the open‑source SapphireStealer malware, customized to the attackers’ needs.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

According to Threat Zone 2024, 15% of attacks on organizations in Russia and other CIS countries over 2023 were driven by espionage, 76% by financial gain, and 9% by hacktivism.

In order to detect Sapphire Werewolf’s methods of gaining persistence on endpoints, we recommend implementing endpoint detection and response solutions, such as BI.ZONE EDR. Meanwhile, you can ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company with BI.ZONE Threat Intelligence. The solution provides information about current attacks, threat actors, their methods and tools.