The risk actor often called Sticky Werewolf has been linked to focused assaults primarily in Russia and Belarus with the goal of delivering the Lumma Stealer malware by the use of a beforehand undocumented implant.
Cybersecurity firm Kaspersky is monitoring the exercise beneath the identify Offended Likho, which it stated bears a “sturdy resemblance” to Awaken Likho (aka Core Werewolf, GamaCopy, and PseudoGamaredon).
“Nonetheless, Offended Likho’s assaults are typically focused, with a extra compact infrastructure, a restricted vary of implants, and a concentrate on workers of huge organizations, together with authorities companies and their contractors,” the Russian firm stated.
It is suspected that the risk actors are probably native Russian audio system given using fluent Russian within the bait recordsdata used to set off the an infection chain. Final month, cybersecurity firm F6 (previously F.A.C.C.T.) described it as a “pro-Ukrainian cyberspy group.”
The attackers have been discovered to primarily single out organizations in Russia and Belarus, with lots of of victims recognized within the former.
Earlier intrusion actions related to the group have leveraged phishing emails as a conduit to distribute numerous malware households resembling NetWire, Rhadamanthys, Ozone RAT, and a backdoor often called DarkTrack, the final of which is launched through a loader referred to as Ande Loader.
The assault sequence entails using spear-phishing emails bearing a booby-trapped attachment (e.g., archive recordsdata), inside that are two Home windows shortcut (LNK) recordsdata and a professional lure doc.
The archive recordsdata are accountable for advancing the malicious exercise to the next-stage, unleashing a posh multi-stage course of to deploy the Lumma info stealer.
“This implant was created utilizing the professional open-source installer, Nullsoft Scriptable Set up System, and features as a self-extracting archive (SFX),” Kaspersky stated.
The assaults have been noticed incorporating steps to evade detection by safety distributors by the use of a examine for emulators and sandboxed environments, inflicting the malware to both terminate or resume after a ten,000 ms delay, a way additionally noticed in Awaken Likho implants.
This overlap has raised the likelihood that the attackers behind the 2 campaigns share the identical expertise or probably the identical group utilizing a special set of instruments for various targets and duties.
Lumma Stealer is designed to collect system and put in software program info from compromised gadgets, in addition to delicate information resembling cookies, usernames, passwords, banking card numbers, and connection logs. It is also able to stealing information from numerous internet browsers, cryptocurrency wallets, cryptowallet browser extensions (MetaMask), authenticators, and from apps AnyDesk and KeePass.
“The group’s newest assaults use the Lumma stealer, which collects an unlimited quantity of knowledge from contaminated gadgets, together with browser-stored banking particulars and cryptowallet recordsdata,” Kaspersky stated.
“The group depends on available malicious utilities obtained from darknet boards, fairly than creating its personal instruments. The one work they do themselves is writing mechanisms of malware supply to the sufferer’s gadget and crafting focused phishing emails.”
