Actor threats known as Sticky werewolf He was associated with targeted attacks, first of all in Russia and Belarus to deliver malicious software for theft of Lumma with the help of a previously undocumented implant.
Cyber security company Kaspersky monitors activity under the name of Angry Likho, which, she said, has a “strong similarity” to Arouse (AKA Core Werewolf, Gamacopy and Pseudogamaredon).
“However, Angry Likho attacks are usually oriented with more compact infrastructure, limited implant spectrum and focus on employees of large organizations, including state institutions and their contractors,” Russian company – Note.
It is suspected that the threat subjects are probably native to Russian speakers, given the use of free Russian in the bait files used to launch a chain of infection. Last month Cybersecurity Company (previously Fact) described This is like a “pro-Ukrainian cyber group”.
It was found that the attackers mainly nominate organizations in Russia and Belarus, with hundreds of victims found in the former.
Preliminary use activity Group -related use phishing -leaves as a pipe Ande Loader.
The sequence of the attack includes the use of fisheries containing attachment with a bothered bot (such as archival files) that have two Shortcut Windows (LNK) files and a legitimate bait document.
The archive files are responsible for promoting the malicious activity to the next stage, unleashing a complex multi -stage process to deploy Lumma’s theft.
“This implant was created using an open source installer, NullSoft installation systems, and function as an independent export archive (SFX),” Kaspersky said.
The attacks were observed, including the stages to evade security suppliers using the emulator and the environment with sandboxes, causing malicious software either to stop or recovered after a delay of 10,000 ms, the technique also noticed in the implants of Awaken Likho.
This overlap caused the possibility that the attackers standing behind both companies share the same technology, either probably the same group using another set of tools for different purposes and tasks.
Lumma Steeler is designed to collect the system and installed information about the impaired devices, as well as sensitive data such as chicks, users, passwords, bank card numbers and compound magazines. It is also capable of stealing data from different web browsers, cryptocurrency wallets, cryptowallet browser extensions, authentifers, and Anydesk and Keepass applications.
“The latest group attacks use the theft of Lumma, which collects a huge amount of data from infected devices, including bank details supported by the browser and Cryptowallet files,” Kaspersky said.
“The group relies on the easily available malicious utilities obtained on Darknet forums rather than developing their own tools. The only job they do is writing malicious program delivery mechanisms on the victim’s device and the creation of targeted phishing sheets.
