Sticky Werewolf Hack Group Targets Government Organizations in Russia and Belarus
Researchers have warned that a previously unknown group called Sticky Werewolf is gaining access to the systems of government organizations in Russia and Belarus through phishing emails containing links to malicious files. A distinctive feature of this group is its use of fairly common, commercial malware tools that are relatively easy to detect and block.
According to experts at Bi.Zone, the group has been active since at least April 2023 and has carried out at least 30 attacks to date.
Phishing Tactics and Tools
To generate malicious links, the hackers use the IP Logger service, which not only creates phishing links but also collects information about victims who click on them. For example, attackers could obtain data such as the time of the click, IP address, country, city, browser version, and operating system.
This information allowed the hackers to immediately perform basic profiling of potentially compromised systems and select the most valuable ones, ignoring those related to sandboxes, research activities, or countries outside the group’s interests.
The service also enabled the attackers to use their own domain names, making phishing links appear highly legitimate to victims. For example: hXXps://diskonline[.]net/poryadok-deystviy-i-opoveshcheniya-grazhdanskoy-oborony.pdf.
The phishing links led to malicious files with .exe or .scr extensions, disguised as Microsoft Word or PDF documents. When such a file was opened, a legitimate document of the corresponding format was displayed, while the NetWire RAT malware was installed in the background.
For Russian organizations, the decoy documents included, for example, an emergency warning from the Russian Ministry of Emergency Situations or a lawsuit notice.
Fake Warning Used in Attacks
For attacks on Belarusian organizations, the decoy document was an order to eliminate violations of legislation.
Fake Document for Belarusian Organizations
Persistence and Malware Capabilities
To maintain persistence on a compromised system, a shortcut was created in the startup folder pointing to the malware sample. For example: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uTorrent.lnk. To obfuscate NetWire, the hackers used the Themida protector, making detection and analysis of the malware more difficult.
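The persistence technique described above (a Startup-folder shortcut pointing at a sample dropped under the user's profile) is straightforward to audit. The following PowerShell script is an added example for defenders, not code from the Bi.Zone report: it resolves every .lnk in the per-user and all-users Startup folders and flags targets that live in user-writable locations, carry a .scr extension, are unsigned, or no longer exist. The list of "suspicious" roots is an assumption chosen for this illustration.

```powershell
# Added example (not from the original report): audit Startup-folder shortcuts
# for targets typical of the persistence described in the article.
function Get-StartupShortcutReport {
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )
    # Assumed list: locations a legitimate autostart entry rarely points into.
    $suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                         (Join-Path $env:USERPROFILE 'Downloads'))

    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath
            $flags  = @()

            foreach ($root in $suspiciousRoots) {
                if ($target -like "$root*") { $flags += "target under $root" }
            }
            # The article notes .scr files disguised as documents.
            if ($target -match '\.scr$') { $flags += 'screensaver extension' }

            $sigStatus = 'n/a'
            if (Test-Path -LiteralPath $target) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $target).Status
                if ($sigStatus -ne 'Valid') { $flags += "signature $sigStatus" }
            } else {
                $flags += 'target missing'
            }

            [PSCustomObject]@{
                Shortcut   = $_.FullName
                Target     = $target
                Arguments  = $lnk.Arguments
                Signature  = $sigStatus
                Suspicious = ($flags -join '; ')
            }
        }
    }
}

# Show only entries that triggered at least one flag.
Get-StartupShortcutReport | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Run it under the account whose Startup folder you want to audit; the all-users folder needs local administrator rights only if the shortcut targets are not world-readable.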
NetWire allowed attackers to collect information about the compromised system and perform the following actions:
- Manage files, processes, services, windows, installed applications, and network connections
- Edit the Windows registry
- Modify and retrieve clipboard data
- Capture keystrokes
- Record video from the screen, webcam, and audio from the microphone in real time
- Remotely execute commands via the Windows command line
- Obtain authentication data from various sources
- Upload and execute files
- Read and edit the C:\Windows\System32\drivers\etc\hosts file
- Get lists of network folders and devices on the local network
- Perform network scanning
Researchers note that in March 2023, a person who had been selling NetWire as legitimate software for several years was arrested in Croatia. The server and domain name used to distribute the malware were confiscated.
“Commercial malware provides attackers with extensive capabilities at a moderate price. That’s why it is in high demand among cybercriminals and foreign pro-government groups. Notably, such programs continue to be actively used even after their developers are arrested,” commented Oleg Skulkin, head of cyber intelligence.