More than 300 cyber attacks in 3 months: Sapphire Werewolf targets Russia's most important sectors

Tomcat

The hackers have developed their own malware based on the open-source SapphireStealer.

BI.ZONE has warned about the activity of the hacker group Sapphire Werewolf, which has been conducting cyber attacks against Russian organizations since the beginning of March 2024. During this period the attackers launched more than 300 attacks aimed at stealing data from organizations in education, IT, the military-industrial complex and the aerospace industry.

To break into corporate networks, the hackers sent victims phishing emails containing links created with the T.LY shortener service. The links led to malicious files disguised as official-looking documents. When a file was opened, a malicious program, the Amethyst stealer, was installed on the infected computer to steal data.

To make the attack more convincing, a decoy legitimate document was opened in parallel with the malware download, for example a decree, a CEC leaflet, or a decree of the President of the Russian Federation. The T.LY shortener service was used to make the links to the malware look plausible.

All malicious files used by the attackers in this campaign had similar functionality.

After the victim opens the malicious file, the folder %AppData%\Microsoft\EdgeUpdate is created, and the file MicrosoftEdgeUpdate.exe is written to it from the embedded resource Resources.MicrosoftEdgeUpdate.

To ensure persistence on the compromised system, a scheduled task is created using the FunnyCat.Microsoft.Win32.TaskScheduler.dll library embedded in the executable file. This is a legitimate library that allows creating scheduled tasks without directly executing schtasks. The task's name, description, and executable path mimic the legitimate MicrosoftEdgeUpdateTaskMachineCore task. The created task runs every 60 minutes after it is started.

The stealer collected the following files:
  • Telegram messenger configuration files from %AppData%\Telegram Desktop\tdata;
  • databases of passwords, cookies, browser history, popular sites, saved pages, and configurations from the following browsers: Chrome, Opera, Yandex, Brave, Orbitum, Atom, Kometa, Edge Chromium, Torch, Amigo, CocCoc, Comodo Dragon, Epic Privacy Browser, Elements Browser, CentBrowser, 360 Chrome, 360 Browser;
  • PowerShell command history files (PSReadLine logs) located in %AppData%\Microsoft\Windows\PowerShell\PSReadline;
  • FileZilla and SSH configuration files.

More indicators of compromise, as well as a detailed description of the tactics, techniques, and procedures of this activity cluster, are available on the company's portal.
 
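As an added example (not code from BI.ZONE, from the forum post, or from the malware itself), here is a Python hunt over Task Scheduler XML that flags the persistence described above: a task that carries the Edge updater's name but whose action runs from a user-writable path such as %AppData%\Microsoft\EdgeUpdate, with a short repetition interval. Both task documents below are constructed samples, and the legitimate updater location is assumed to be the default install directory.

```python
"""Hunt for scheduled tasks that impersonate MicrosoftEdgeUpdateTaskMachineCore.

Added example. Parses Task Scheduler XML (the format stored under
C:\\Windows\\System32\\Tasks and printed by `schtasks /query /tn <name> /xml`)
and flags tasks that borrow the Edge updater's name but run a binary from a
user-writable location. The two task documents are constructed samples.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: the genuine updater lives in its default install directory.
LEGIT_EDGEUPDATE_DIRS = {
    r"c:\program files (x86)\microsoft\edgeupdate",
    r"c:\program files\microsoft\edgeupdate",
}
# Paths a normal user can write to: any profile directory or the usual profile env vars.
USER_WRITABLE_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\|%(?:appdata|localappdata|userprofile|temp|tmp)%\\)", re.I)
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_minutes(value):
    """ISO 8601 duration as used in task XML (PT1H, PT60M, P1DT30M) -> minutes, else None."""
    m = DURATION_RE.match(value or "")
    if not value or not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def analyze_task(xml_doc):
    """Return a finding for one task document (str, or the UTF-16 bytes read from disk)."""
    root = ET.fromstring(xml_doc)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    task_name = uri.rsplit("\\", 1)[-1]
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    command = command.strip().strip('"')
    intervals = [duration_minutes(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    intervals = [i for i in intervals if i is not None]

    reasons = []
    if "edgeupdate" in task_name.lower() and ntpath.dirname(command).lower() not in LEGIT_EDGEUPDATE_DIRS:
        reasons.append("Edge Update task name, but the binary is outside the EdgeUpdate install directory")
    if USER_WRITABLE_RE.match(command):
        reasons.append("action runs from a user-writable location")
    if intervals and min(intervals) <= 60:
        reasons.append(f"repeats every {min(intervals):g} minutes")  # beacon-like cadence
    return {
        "task": task_name,
        "command": command,
        "interval_minutes": min(intervals) if intervals else None,
        "reasons": reasons,
        # Cadence alone is normal for many tasks; only the path-based checks decide.
        "suspicious": any(not r.startswith("repeats") for r in reasons),
    }


def hunt(xml_docs):
    """Analyze many task documents and return only the suspicious findings."""
    return [f for f in map(analyze_task, xml_docs) if f["suspicious"]]


# Constructed sample: the genuine Edge updater task (default install path, no repetition).
LEGIT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MicrosoftEdgeUpdateTaskMachineCore</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger><StartBoundary>2024-01-15T12:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"</Command>
    <Arguments>/c</Arguments></Exec></Actions>
</Task>"""

# Constructed sample modelled on the report: same name, dropper path under %AppData%, 60-minute repeat.
IMPERSONATING_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Keeps your Microsoft Edge software up to date.</Description>
    <URI>\MicrosoftEdgeUpdateTaskMachineCore</URI>
  </RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT60M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2024-03-04T10:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\victim\AppData\Roaming\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for finding in hunt([LEGIT_TASK, IMPERSONATING_TASK]):
        print(finding["task"], "->", finding["command"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

On a live host or a disk image, feed `analyze_task` the files under C:\Windows\System32\Tasks read in binary mode (they are UTF-16 with a BOM, which the XML parser handles) or the output of `schtasks /query /xml ONE`. The decisive signal is the path, not the name or description: the genuine updater never runs from a user profile, so an Edge Update task whose action sits under %AppData% is the dropper's persistence regardless of how well its metadata is copied.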