Sticky Werewolf: A New Wave of Cyberattacks Targeting Russia and Belarus
The cybersecurity landscape has recently seen the emergence of a threat actor tracked as Sticky Werewolf. The group is linked to targeted operations aimed primarily at organizations in Russia and Belarus, using a newly identified implant whose job is to deploy the Lumma Stealer. Kaspersky tracks the same activity under the name Angry Likho and notes clear parallels with an earlier cluster known as Awaken Likho, also referred to as Core Werewolf and GamaCopy.
Kaspersky's analysis describes Angry Likho as a more focused operation: a compact infrastructure, a limited set of implants, and victims drawn from employees of large companies and government bodies. The operators are likely native Russian speakers, judging by the fluent Russian in the bait files that start the infection chain.
The attacks have concentrated on organizations in Russia and Belarus, with hundreds of victims identified so far. F6, another cybersecurity company, recently described the group as a "pro-Ukrainian cyberspy group", pointing to a geopolitical motive. Earlier campaigns attributed to the group used phishing emails to distribute other malware families, including NetWire and Ozone RAT, so the current Lumma-based chain is an evolution of an established playbook rather than a new one.
The attack sequence typically begins with a spear-phishing email carrying a malicious attachment: an archive that bundles a Windows shortcut (.lnk) file with legitimate-looking documents that serve as decoys. The shortcut is the entry point; once a user opens it, a multi-stage installation chain runs and ends with the Lumma information stealer on the host. Kaspersky notes that the implant is packaged with the open-source Nullsoft Scriptable Install System (NSIS), which functions here as a self-extracting archive.
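A first-pass triage script for attachments that match the archive-plus-shortcut pattern described above. This is an added example written for this page, not Kaspersky's or F6's tooling: it opens a zip archive, flags members that have a .lnk extension or a genuine LNK file header (HeaderSize 0x4C followed by the LinkCLSID {00021401-0000-0000-C000-000000000046}), notes document-looking double extensions such as "name.pdf.lnk", looks for the NSIS first-header marker (0xDEADBEEF followed by "NullsoftInst") in any member, and reports when a shortcut sits beside decoy documents. The sample archive it builds is constructed inline for the demonstration; the file names in it are assumptions, not real Sticky Werewolf artefacts.

```python
"""Triage a phishing archive for the shortcut-beside-decoy pattern."""
import io
import zipfile
from pathlib import PurePosixPath

# Bytes that open every Windows shortcut: HeaderSize (0x4C) then the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (mixed-endian) layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# NSIS installers carry 0xDEADBEEF (little-endian) + "NullsoftInst" in the first header.
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"

# Extensions that are plausible decoys in a business-themed lure.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".odt"}


def classify_entry(name: str, blob: bytes) -> list[str]:
    """Return the reasons one archive member looks like a lure component (empty if none)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    if suffixes and suffixes[-1] == ".lnk":
        reasons.append("shortcut extension")
        # "report.pdf.lnk" renders as "report.pdf" when extensions are hidden.
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            reasons.append("document-looking double extension")
    if blob.startswith(LNK_MAGIC):
        reasons.append("LNK header signature")
        if not suffixes or suffixes[-1] != ".lnk":
            reasons.append("LNK body with non-.lnk name")
    if NSIS_MARKER in blob:
        reasons.append("embedded NSIS installer marker")
    return reasons


def triage_archive(data: bytes) -> dict:
    """Inspect every member of a zip archive and return findings plus a verdict."""
    findings = {}
    decoys = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            reasons = classify_entry(info.filename, blob)
            if reasons:
                findings[info.filename] = reasons
            elif PurePosixPath(info.filename).suffix.lower() in DOCUMENT_EXTS:
                decoys.append(info.filename)  # a clean document next to a shortcut is the decoy
    shortcut_seen = any(
        "shortcut extension" in r or "LNK header signature" in r for r in findings.values()
    )
    if shortcut_seen and decoys:
        verdict = "suspicious: shortcut packed beside decoy document"
    elif findings:
        verdict = "review: shortcut or installer present"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "decoys": decoys}


def build_sample_archive() -> bytes:
    """Constructed sample for the demo (assumed names, not a real campaign artefact):
    a fake shortcut with a valid LNK header, a tiny decoy PDF, and a harmless note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Scan_contract.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Scan_contract.pdf", b"%PDF-1.4\n% decoy\n")
        zf.writestr("readme.txt", b"please review the attached contract\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    print(report["verdict"])
    for member, reasons in report["findings"].items():
        print(f"  {member}: {', '.join(reasons)}")
```

Run it against a real attachment with `triage_archive(open(path, "rb").read())`. The header check matters more than the extension check: a shortcut renamed to hide its extension still starts with the same twenty bytes, and the NSIS marker catches the self-extracting installer stage even when it is dropped under an innocuous name.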
To evade analysis, the implant checks for emulators and sandbox environments; if it finds one, it terminates or delays execution, a behaviour also seen in Awaken Likho's operations. That overlap suggests the actors behind the two campaigns share tooling or are the same group, using different implants for different targets and tasks. For defenders, the practical consequence is that automated detonation may show nothing: a sample that exits quietly in a sandbox should be retried with longer timeouts or on a less obviously instrumented host before it is written off as benign.
Lumma Stealer harvests a broad range of sensitive data: system information, cookies, usernames, passwords, and bank card details. It collects from multiple web browsers, cryptocurrency wallets, and other applications, including AnyDesk and KeePass. Kaspersky stresses that the group relies on commodity malware bought on darknet forums rather than bespoke tooling; its real effort goes into the delivery mechanism and the crafting of targeted phishing messages.
Mapped to MITRE ATT&CK, the chain described here covers Initial Access via a spearphishing attachment (T1566.001), Execution through the user opening the malicious shortcut (T1204.002), Defense Evasion via virtualization and sandbox checks (T1497), and Collection of credentials from password stores and browser session cookies (T1555, T1539). Because the actor's strength is delivery rather than novel malware, the controls that pay off are the ones aimed at that stage: block or quarantine archives containing .lnk files at the mail gateway, disable automatic execution of shortcuts from downloaded archives, and alert on NSIS self-extractors launched from user temp directories. Organizations in the targeted regions should treat Sticky Werewolf as an active, ongoing threat rather than a one-off campaign.