Werewolves hackers are back with a Spring "call"

Father

Attackers are once again targeting Russian companies.

The cybercriminal group Werewolves has become active again after a long lull. According to the F.A.C.C.T. Cyber Security Center, the attackers targeted Russian manufacturing, energy, and exploration companies, using the spring conscription draft and various legal claims as lures to deliver malicious files.

At the end of March, F.A.C.C.T. discovered phishing emails sent on behalf of transport companies and a Lipetsk restaurant with the subject lines "Claim" and "Request".

In the new mailings, the hackers sent malicious .doc and .xls files disguised as legal claims, demands, and reconciliation acts. The infected documents contained loaders for Cobalt Strike Beacon, a component of the well-known Cobalt Strike tool. The attachments were named "complaint.doc", "reconciliation report.xls" and "questionnaire.xls".

Analysts noted the attackers' use of spoofing: forging the sender's address so that the email appears to come from a legitimate source. In this campaign, Werewolves as a rule did not create their own mailboxes but sent the emails from potentially compromised accounts.

In one of the emails, the sender's address was a non-existent mailbox of the Nizhny Novgorod region military commissariat. Under the pretext of military training, the hackers demanded data on current employees, attaching the infected "questionnaire" as a form to fill in.
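The spoofing and attachment lures described above are exactly what a mail-gateway triage rule can flag. The following Python script is an added example, not code from the original post or from F.A.C.C.T.: it parses two constructed email messages (all domains and addresses are placeholders), checks for a From/Return-Path domain mismatch, reads the SPF/DKIM/DMARC verdicts from an Authentication-Results header, and flags legacy Office attachments of the kind used in this campaign.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Legacy and macro-capable Office formats; the post names .doc and .xls lures.
RISKY_EXTENSIONS = {".doc", ".xls", ".docm", ".xlsm"}

# Constructed sample (not a real capture): a "Claim" email whose visible From
# domain does not match the envelope sender and which fails SPF and DMARC.
SPOOFED_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=transport-co.example
From: "Claims Dept" <claims@transport-co.example>
To: accounting@victim.example
Subject: Claim
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached claim.
--b1
Content-Type: application/msword; name="complaint.doc"
Content-Disposition: attachment; filename="complaint.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEA
--b1--
"""

# Constructed sample of a message that passes every check.
CLEAN_EMAIL = """\
Return-Path: <invoices@vendor.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
From: invoices@vendor.example
To: accounting@victim.example
Subject: Invoice 1042
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Attached separately.
"""


def domain_of(addr):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def parse_auth_results(header_value):
    """Map method -> verdict from an Authentication-Results header.

    The first ';'-separated element is the authserv-id and is skipped; each
    following element starts with 'method=verdict' (e.g. 'spf=fail ...').
    """
    results = {}
    for part in str(header_value).split(";")[1:]:
        part = part.strip()
        if not part:
            continue
        token = part.split()[0]
        if "=" in token:
            method, _, verdict = token.partition("=")
            results[method.lower()] = verdict.lower()
    return results


def triage_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Signal 1: visible sender domain differs from the envelope sender domain.
    # A heuristic only: bulk-mail services legitimately do this, so pair it
    # with the authentication verdicts below rather than blocking on it alone.
    from_domain = domain_of(msg.get("From", ""))
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append(f"from/return-path mismatch: {from_domain} vs {rp_domain}")

    # Signal 2: any SPF/DKIM/DMARC result other than 'pass'.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method}={verdict}")

    # Signal 3: legacy Office attachments, the lure type used in this campaign.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")

    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage_message(sample) or ["no findings"])
```

The three signals are deliberately reported separately rather than folded into a score, so that an analyst can see which one fired; in the campaign described here, a failed SPF/DMARC check combined with a .doc or .xls attachment is the combination worth routing to quarantine and detonation.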

Werewolves specializes in extortion and differs from other groups in openly stating that it may attack targets in CIS countries. To advance their attacks the operators use tools such as Cobalt Strike, AnyDesk, and Netscan. The group's encryptor itself is based on LockBit code.

A distinctive feature of the group is its own DLS (data leak site), which, unlike most similar resources, was not hosted on the Tor network. Although not every successful attack is published there, the ransom demands for data decryption range from $130,000 to $1,000,000, with the option of paying for data deletion or temporary concealment. In November 2023 the attackers changed the domain of their DLS, but it was still not hosted in Tor.