The new attack chain uses a RAR archive attachment that, upon extraction, contains two LNK files and a phony PDF document that invites recipients to a video conference and instructs them to click on the LNK files to obtain the agenda and email distribution list. When one of the LNK files is opened, a WebDAV server-hosted binary is executed, and an obfuscated Windows batch script is then launched. In turn, the script is made to circumvent security software and analysis attempts by executing an AutoIt script that injects the final payload.

This executable, an NSIS self-extracting archive, is a component of the CypherIT crypter. Although the original CypherIT crypter is no longer available for purchase, several hacker forums have noted that the current executable is a variation. Delivering commodity RATs and information-stealing malware, such as Rhadamanthys and Ozone RAT, is the campaign's ultimate objective.

The Sticky Werewolf threat group lacks conclusive proof linking it to a particular country of origin, but the geopolitical setting raises the possibility of connections to hacktivists or a pro-Ukrainian cyber espionage group. As a result of Amethyst, an open-source offshoot of the well-known SapphireStealer, over 300 attacks on the Russian education, manufacturing, IT, defense, and aerospace engineering sectors have been linked to an activity cluster codenamed Sapphire Werewolf.

In March 2024, the researchers also discovered clusters known as Fluffy Wolf and Mysterious Werewolf, which disseminated Remote Utilities, XMRig miner, WarZone RAT, and a custom backdoor called RingSpy through spear-phishing lures. An attacker can remotely execute operations, retrieve their outcomes, and download files from network resources with the help of the RingSpy backdoor. A Telegram bot serves as the command-and-control server for the backdoor.

Impact

• Security Bypass
• Sensitive Data Theft
• Cyber Espionage
• Unauthorized Access

Indicators of Compromise

Domain Name

• document-cdn.org

IP

• 79.132.128.47
• 94.156.8.166
• 94.156.8.211

MD5

• d4b75a8318befdb1474328a92f0fc79d
• 2bc840a360f3bc58788c32805c7c8849
• 6892abc8eb5833b7a142bb88dc0bc1c5
• 5132cbde40a752aa50a6b45e4b29512b
• 9ed5a7b6e69198eee0b1742c20141d3d

SHA-256

• 05880ff0442bbedc8f46076ef56d4d1ffeda68d9ef26b659c4868873fa84c1a9
• 03ee2011ad671b1781015024ea53edfbff92c28c2b123bba02d6a6f462e74105
• 1301ec3006ad03742bfaef047aa434320aa0e725a99be5d6be27b955a814fcf4
• c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0
• ce2b6d3aad07d3dec2b24f676cc9d2022bab5a086c7e773f9cfa3e7b7dc6d66a

SHA1

• 613bbcc11ea7b72e6a9e1b0dc67ba67173e4a3e4
• 60de4d99d793c1180b46a1025adaf028453daee8
• 1fffe7b13151711bc2df8a2631f77a1c35ae8bec
• db1deb3a5f1452935117a27134ffca86e3687dab
• 8d8dac4463c12d4fe106ca801f7c81874d4fb430

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Patch and upgrade any platforms and software on time and make it into a standard security policy.
• Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
• Implement network segmentation to limit lateral movement for attackers within the network.
• Implement advanced email filtering to detect and block phishing emails.
• Employ updated and robust endpoint protection solutions to detect and block malware.
• Develop and test an incident response plan to ensure a swift and effective response to security incidents.
• Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
• Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
• Regularly back up critical data and ensure that backup and recovery procedures are in place.