A threat actor going by the name Sticky Werewolf has been associated with targeted attacks primarily aimed at organizations in Russia and Belarus. The primary goal of these attacks is to deliver the Lumma Stealer malware through a previously undocumented implant.
Cybersecurity firm Kaspersky is tracking the activities of this group under the name Angry Likho. According to Kaspersky, Angry Likho bears a strong resemblance to Awaken Likho (also known as Core Werewolf, GamaCopy, and PseudoGamaredon).
Kaspersky notes that the attacks attributed to Angry Likho tend to be highly targeted. The group utilizes a more compact infrastructure and a limited range of implants. Their primary focus is on employees of large organizations, including government agencies and their contractors. The Russian company provided more information about these attacks.
It is suspected that the individuals behind these attacks are native Russian speakers, given the fluent use of Russian in the bait files used to initiate the infection chain. Last month, cybersecurity firm F6 (previously known as F.A.C.C.T.) described them as a “pro-Ukrainian cyberspy group.”
The attackers primarily target organizations in Russia and Belarus, with hundreds of victims identified in the former.
Previous intrusion activities associated with this group have used phishing emails as a means to distribute various malware families, including NetWire, Rhadamanthys, Ozone RAT, and a backdoor known as DarkTrack. The latter is launched via a loader called Ande Loader.
The attack sequence involves the use of spear-phishing emails that contain a malicious attachment (such as an archive file). Within these archives are two Windows shortcut (LNK) files and a legitimate lure document.
The archive files play a crucial role in advancing the malicious activity to the next stage, initiating a complex multi-stage process to deploy the Lumma information stealer.
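The delivery layout described above (an archive carrying Windows shortcut files next to a lure document) is something mail-gateway or sandbox triage can flag before any shortcut is ever executed. The following Python script is an added example and is not code from Kaspersky or from the article; it inspects a ZIP attachment in memory, lists any LNK entries, and marks the archive as suspicious when shortcuts appear at all, with an extra reason when they are bundled with a document. The set of document extensions, the double-extension heuristic (a shortcut named to look like a document) and the sample archives it builds are assumptions constructed for the example, not indicators taken from the report.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Windows shortcuts are the entries the reported chain relies on.
SHORTCUT_EXTS = {".lnk"}
# Assumed set of "lure document" extensions for this example.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


@dataclass
class ArchiveTriage:
    shortcuts: list = field(default_factory=list)
    documents: list = field(default_factory=list)
    reasons: list = field(default_factory=list)
    suspicious: bool = False


def _ext(name: str) -> str:
    """Return the lower-cased final extension of an archive entry name."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def _masquerades_as_document(name: str) -> bool:
    """General heuristic (not from the page): a shortcut whose name ends in
    something like '.pdf.lnk' is trying to pass as a document."""
    stem = name[: name.rfind(".")]
    return _ext(stem) in DOCUMENT_EXTS


def triage_archive(data: bytes) -> ArchiveTriage:
    """Inspect a ZIP blob and report shortcut/document entries and reasons."""
    result = ArchiveTriage()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            if ext in SHORTCUT_EXTS:
                result.shortcuts.append(info.filename)
                if _masquerades_as_document(info.filename):
                    result.reasons.append(
                        f"shortcut named like a document: {info.filename}")
            elif ext in DOCUMENT_EXTS:
                result.documents.append(info.filename)
    if result.shortcuts:
        result.reasons.append(
            f"{len(result.shortcuts)} Windows shortcut file(s) inside archive")
        result.suspicious = True
    if result.shortcuts and result.documents:
        result.reasons.append(
            "shortcut(s) bundled with a document: matches the lure layout")
    return result


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the reported layout: two LNK files plus
    one lure document. Contents are placeholders, not real shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Документ.pdf", b"%PDF-1.4 constructed placeholder\n")
        zf.writestr("Документ.pdf.lnk", b"L\x00\x00\x00 constructed placeholder\n")
        zf.writestr("Приложение.lnk", b"L\x00\x00\x00 constructed placeholder\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control: a single document and no shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()),
                        ("benign", build_benign_archive())):
        t = triage_archive(blob)
        print(label, "suspicious" if t.suspicious else "clean", t.reasons)
```

The check deliberately keys on the presence of shortcut entries rather than on file names or hashes, because those are the parts of a campaign that change between waves while the delivery layout tends to persist; a real deployment would feed the result into quarantine or detonation rather than just printing it.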
According to Kaspersky, “This implant was created using the legitimate open-source installer, Nullsoft Scriptable Install System, and functions as a self-extracting archive (SFX).”
The attacks have been observed incorporating steps to evade detection by security vendors. This includes a check for emulators and sandboxed environments, causing the malware to either terminate or resume after a 10,000 ms delay. This technique has also been spotted in Awaken Likho implants.
This overlap suggests that the attackers behind the two campaigns either share the same tooling or are the same group using different tools for different targets and tasks.
The Lumma Stealer is designed to gather system and installed software information from compromised devices, as well as sensitive data such as cookies, usernames, passwords, banking card numbers, and connection logs. Additionally, it can steal data from various web browsers, cryptocurrency wallets, cryptowallet browser extensions (MetaMask), authenticators, and from apps like AnyDesk and KeePass.
As stated by Kaspersky, “The group’s latest attacks use the Lumma stealer, which collects a vast amount of data from infected devices, including browser-stored banking details and cryptowallet files.”
“The group relies on readily available malicious utilities obtained from darknet forums, rather than developing its own tools. The only work they do themselves is writing mechanisms of malware delivery to the victim’s device and crafting targeted phishing emails.”