The threat actor known as Sticky Wearwolf is primarily linked to targeted attacks in Russia and Belarus, and is intended to deliver Lumma Stealer malware using previously undocumented implants.
Cybersecurity company Kaspersky tracks activities under the name Angry Likho. This is said to be a “strong similarity” that awakened to Likho (aka Core Werewolf, Gamacopy, and Pseudogamaderon).
“However, the angry Rikho attacks tend to focus on more compact infrastructure, limited range of implants, and employees of large organizations, including government agencies and their contractors,” the Russian company said.
Given the use of fluent Russian in the bait files used to cause infection chains, it is suspected that the threat actor is likely to be native Russian speakers. Last month, cybersecurity company F6 (formerly Cont) described it as “Procrane’s Cyberspie Group.”
The attackers are known to be primarily a single organisation in Russia and Belarus, with hundreds of casualties identified in the former.
Previous intrusion activities associated with the group utilize phishing email as a conduit for distributing various malware families, including Netwire, Rhadamanthys, Ozone Rat, and backdoors known as DarkTrack.
Attack sequences involve the use of spear phishing emails with attachments (such as archive files) trapped in a booby. Among them are two Windows Shortcuts (LNK) files and a legitimate lure document.
The archive file takes malicious activity to the next stage, unlocking complex multi-stage processes, and deploying Lumma Information Stealer.
“The implant was created to serve as a legal open source installer, a Nullsoft Scriptable installation system, and a self-extracting archive (SFX),” says Kaspersky.
It has been observed that the attack incorporates steps to avoid detection by security vendors using emulators and sandbox environment checks, ending or restarting the malware after a 10,000 ms delay.
This overlap makes it more likely that the attackers behind two campaigns share the same technology or the same group.
Lumma Stealer is designed to collect system information and installed software information from compromised devices as well as sensitive data such as cookies, usernames, passwords, bank card numbers, and connection logs. You can also steal data from a variety of web browsers, cryptocurrency wallets, Cryptowallet browser extension (metamask), authenticators, and Anydesk and Keepass.
“The group’s latest attacks use Lumma Stealer, which collects a huge amount of data from infected devices, including bank details stored by browsers and Cryptowallet files,” says Kaspersky.
“The group relies on easily available malicious utilities obtained from the DarkNet forum, rather than developing their own tools. The only thing they do is create a mechanism for malware delivery to victims’ devices and create targeted phishing emails.”
Source link
