
Sticky Werewolf Uses Undocumented Implant to Deploy Lumma Stealer in Russia and Belarus

The threat actor known as Sticky Werewolf has been linked to targeted attacks, primarily in Russia and Belarus, whose aim is to deliver the Lumma Stealer malware by means of a previously undocumented implant.

Cybersecurity company Kaspersky is tracking the activity under the name Angry Likho, which it said bears a "strong resemblance" to Awaken Likho (aka Core Werewolf, GamaCopy, and PseudoGamaredon).

"However, Angry Likho's attacks are typically targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors," the Russian company said.


The threat actors are suspected to be native Russian speakers, given the fluent Russian in the bait files used to trigger the infection chain. Last month, cybersecurity company F6 (formerly F.A.C.C.T.) described it as a "pro-Ukrainian cyberspy group."

The attackers have been found to primarily single out organizations in Russia and Belarus, with hundreds of victims identified in the former.


Previous intrusion activity associated with the group has leveraged phishing emails as a conduit to distribute various malware families such as NetWire, Rhadamanthys, Ozone RAT, and a backdoor known as DarkTrack, the last of which is launched via a loader referred to as Ande Loader.

The attack sequence involves spear-phishing emails carrying a booby-trapped attachment (e.g., an archive file) that contains two Windows shortcut (LNK) files and a legitimate lure document.

The archive files are responsible for advancing the malicious activity to the next stage, unleashing a complex multi-stage process to deploy the Lumma information stealer.
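The archive layout described above (shortcut files shipped beside a decoy document) is something mail-gateway or incident-response tooling can triage before any stage runs. The following is an added example, not code from Kaspersky or from the article: it parses the StringData section of a Windows ShellLink (.lnk) file per the MS-SHLLINK layout, walks an archive for shortcuts and document-like decoys, and flags the pairing. The archive, its file names, the shortcut targets and the interpreter list are all constructed for the demonstration and are not indicators from the campaign.

```python
"""Triage of a mailed archive that pairs .lnk shortcuts with a decoy document.

Added example for this article; not Kaspersky's or the actor's code. The
archive built by sample_archive() is constructed here and is hypothetical.
"""
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink header CLSID
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
# StringData sections in on-disk order (MS-SHLLINK section 2.4): flag bit -> field.
STRING_DATA = (
    (0x04, "name"),
    (0x08, "relative_path"),
    (0x10, "working_dir"),
    (0x20, "arguments"),
    (0x40, "icon_location"),
)
# Script hosts a shortcut is often pointed at; a heuristic assumption, not from the article.
INTERPRETERS = ("cmd.exe", "powershell", "mshta", "wscript", "cscript", "rundll32")
DECOY_EXT = {"pdf", "doc", "docx", "rtf", "xls", "xlsx"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, ...) of a .lnk file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDList: uint16 size followed by the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: uint32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, key in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # character count, not byte count
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk carrying only RelativePath and Arguments (sample input)."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))  # attributes, timestamps, size, icon, show, hotkey, reserved

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def triage_archive(zip_bytes: bytes) -> dict:
    """Flag an archive that ships .lnk files beside a document, the lure layout in the text."""
    lnks, decoys = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext == "lnk":
                meta = parse_lnk(zf.read(info))
                target = (meta.get("relative_path", "") + " " + meta.get("arguments", "")).lower()
                meta["interpreter"] = any(host in target for host in INTERPRETERS)
                lnks.append((name, meta))
            elif ext in DECOY_EXT:
                decoys.append(name)
    return {"lnk": lnks, "decoys": decoys, "suspicious": bool(lnks) and bool(decoys)}


def sample_archive() -> bytes:
    """Constructed sample: one decoy document plus two shortcuts that launch cmd.exe (hypothetical)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Request.docx", b"placeholder decoy bytes")
        zf.writestr("Request.docx.lnk",
                    build_lnk(r"..\..\..\Windows\System32\cmd.exe", '/c start "" Request.docx'))
        zf.writestr("Scan.pdf.lnk",
                    build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c echo hypothetical"))
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(sample_archive())
    print("suspicious:", result["suspicious"], "decoys:", result["decoys"])
    for name, meta in result["lnk"]:
        print(name, "->", meta["relative_path"], meta["arguments"],
              "[interpreter]" if meta["interpreter"] else "")
```

The parser deliberately reads only the StringData fields, which is where a shortcut's command line lives; the skipped IDList and LinkInfo blocks hold the absolute target and volume data and are not needed to decide whether a shortcut spawns a script host. Double-extension names such as `Request.docx.lnk` are classified by their real final extension.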

"This implant was created using the legitimate open-source installer, Nullsoft Scriptable Install System, and functions as a self-extracting archive (SFX)," Kaspersky said.

The attacks have also been observed incorporating steps to evade detection by security vendors: a check for emulators and sandboxed environments causes the malware either to terminate or to resume only after a 10,000 ms delay, a technique also seen in Awaken Likho implants.


This overlap has raised the possibility that the attackers behind the two campaigns share the same technology, or are likely the same group using a different set of tools for different targets and tasks.


Lumma Stealer is designed to gather system and installed-software information from compromised devices, as well as sensitive data such as cookies, usernames, passwords, banking card numbers, and connection logs. It is also capable of stealing data from various web browsers, cryptocurrency wallets, cryptowallet browser extensions (MetaMask), authenticators, and from the apps AnyDesk and KeePass.

"The group's latest attacks use the Lumma stealer, which collects a huge amount of data from infected devices, including browser-stored banking details and cryptowallet files," Kaspersky said.

"The group relies on readily available malicious utilities obtained from darknet forums, rather than developing its own tools. The only work they do themselves is writing mechanisms of malware delivery to the victim's machine and crafting targeted phishing emails."
