The threat actor known as Sticky Werewolf has been linked to targeted attacks primarily in Russia and Belarus with the aim of delivering the Lumma Stealer malware by means of a previously undocumented implant.
Cybersecurity company Kaspersky is tracking the activity under the name Angry Likho, which it said bears a “strong resemblance” to Awaken Likho (aka Core Werewolf, GamaCopy, and PseudoGamaredon).
“However, Angry Likho’s attacks tend to be targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors,” the Russian company said.
It’s suspected that the threat actors are likely native Russian speakers given the use of fluent Russian in the bait files used to trigger the infection chain. Last month, cybersecurity company F6 (formerly F.A.C.C.T.) described it as a “pro-Ukrainian cyberspy group.”
The attackers have been found to mainly single out organizations in Russia and Belarus, with hundreds of victims identified in the former.
Previous intrusion activities associated with the group have leveraged phishing emails as a conduit to distribute various malware families such as NetWire, Rhadamanthys, Ozone RAT, and a backdoor known as DarkTrack, the last of which is launched via a loader called Ande Loader.
The attack sequence involves the use of spear-phishing emails bearing a booby-trapped attachment (e.g., archive files), within which are two Windows shortcut (LNK) files and a legitimate lure document.
The archive files are responsible for advancing the malicious activity to the next-stage, unleashing a complex multi-stage process to deploy the Lumma information stealer.
“This implant was created using the legitimate open-source installer, Nullsoft Scriptable Install System, and functions as a self-extracting archive (SFX),” Kaspersky said.
The attacks have been observed incorporating steps to evade detection by security vendors by means of a check for emulators and sandboxed environments, causing the malware to either terminate or resume after a 10,000 ms delay, a technique also spotted in Awaken Likho implants.
This overlap has raised the possibility that the attackers behind the two campaigns share the same technology or likely the same group using a different set of tools for different targets and tasks.
Lumma Stealer is designed to gather system and installed software information from compromised devices, as well as sensitive data such as cookies, usernames, passwords, banking card numbers, and connection logs. It’s also capable of stealing data from various web browsers, cryptocurrency wallets, cryptowallet browser extensions (MetaMask), authenticators, and from apps AnyDesk and KeePass.
“The group’s latest attacks use the Lumma stealer, which collects a vast amount of data from infected devices, including browser-stored banking details and cryptowallet files,” Kaspersky said.
“The group relies on readily available malicious utilities obtained from darknet forums, rather than developing its own tools. The only work they do themselves is writing mechanisms of malware delivery to the victim’s device and crafting targeted phishing emails.”
