Analysis of the new Sticky Werewolf cyber spy attack using Rhadamanthys Stealer

On April 5, 2024, a malicious link belonging to the cyber espionage group Sticky Werewolf was uploaded to the VirusTotal platform. Analysts' attention was drawn to a new payload for the group: the attackers used Rhadamanthys Stealer, a stealer with a modular architecture, written in C++ and put up for sale in September 2022. Russian experts covered this in a short Telegram post, focusing mainly on the AutoIt script.

In this article, Boris Martynyuk, Analyst in the Advanced Threat Research Group of the FACCT Threat Intelligence Department, and Dmitry Kupin, head of the malware analysis department at FACCT Threat Intelligence, take a closer look at the new tool and, using another Sticky Werewolf cyber espionage attack as an example, explain what makes Rhadamanthys Stealer noteworthy. But first, a short digression about the group itself.

Sticky Werewolf is a pro-Ukrainian cyber espionage group that primarily attacks government agencies and financial companies. According to FACCT Threat Intelligence experts, in the first quarter of 2024 Sticky Werewolf carried out 21 cyber attacks in Russia, Belarus and Poland. The group's initial access vector is phishing emails with links to malicious files; its toolset has included the Darktrack RAT and Ozone RAT remote access Trojans, Glory Stealer and MetaStealer (a variant of RedLine Stealer). The newest addition to its arsenal is Rhadamanthys Stealer.

On April 10, 2024, a malicious Sticky Werewolf link was uploaded to the VirusTotal platform. During the investigation, analysts obtained additional network and file indicators and were able to reconstruct the attack chain almost completely. The initial infection vector was probably targeted phishing emails, as in the group's earlier attacks. Following the link redirects the user to another resource, from which an executable file is downloaded that masquerades as a PDF by means of a double extension.

Initial vector of infection

Although the method of initial access to target systems is not known with certainty, analysts believe that Sticky Werewolf used phishing emails with links to malicious files for this purpose. The links were generated with the IP Logger service, which let the attackers collect the time of the click and the victim's IP address, country, city, browser version and operating system. In this way the group could select targets of interest, filtering out visits by researchers and sandbox checks.

After the data about the user has been collected, they are redirected to the legitimate service gofile.io, which the group consistently uses to host its malicious files. This is the link that was uploaded to VirusTotal. Clicking on it prompts the user to download the file priglashenie_na_sovet.pdf.exe.

Malicious file download window

The downloaded executable priglashenie_na_sovet.pdf.exe is a self-extracting (SFX) archive built with the NSIS installer. It contains the decoy document Priglashenie_na_Sovet.pdf and the executable NervousGrammar.exe.

Contents of the decoy file Priglashenie_na_Sovet.pdf

Killchain

The overall attack chain is as follows: after the executable is downloaded and run, it launches another archive containing an obfuscated BAT script named Grave and 10 further files. The script assembles a legitimate AutoIt interpreter and an AutoIt script from these files, then runs the assembled script with the assembled interpreter. The payload, the Rhadamanthys Stealer main module, is then injected into the Recognition.pif process; it is responsible for deploying the various Rhadamanthys modules in memory, injecting its code into the dialer.exe process, downloading the stealer module from the C2 server and running it in the memory of dialer.exe. A more detailed description is given in the Attack Analysis section, and the kill chain is shown in the diagram below.

Attack chain infographic

Attack Analysis

SFX archive

As noted above, the executable file priglashenie_na_sovet.pdf.exe is a self-extracting (SFX) archive built with the NSIS installer. The SFX archive contains the following NSIS script:

Fragment of the NSIS script of the file priglashenie_na_sovet.pdf.exe

After the user launches predlozhenie-putevki-zdorovaya-natciya.docx.exe:

  1. the file %TEMP%\NervousGrammar.exe is created;

  2. the file %TEMP%\Priglashenie_na_Sovet.pdf is created;

  3. the file %TEMP%\Priglashenie_na_Sovet.pdf (the decoy document) is opened;

  4. the file %TEMP%\NervousGrammar.exe is launched.

NervousGrammar.exe

NervousGrammar.exe is a self-extracting (SFX) archive. It is protected with the Themida protector, with the option to detect execution in a virtual environment enabled.

Verifying startup in a virtual environment

NervousGrammar.exe contains the files Grave, Eng, Haiti, Florida, Oxygen, Green, Nights, Mw, Tier, Fi and Personality. When NervousGrammar.exe is launched, the following command is executed:

cmd.exe /c move Grave Grave.bat && Grave.bat

The file Grave (Grave.bat) is an obfuscated batch file. The figure below shows the deobfuscated code of Grave.bat.

Deobfuscated code from the Grave.bat file

Functionality of Grave.bat:

  • searches for the security product processes "wrsa.exe" and "opssvc.exe"; if they are found, executes the command "ping -n 193 127[.]0[.]0[.]1" (a ping to loopback used as a delay);

  • searches for the security product processes "avastui.exe", "avgui.exe", "nswscsvc.exe" and "sophoshealth.exe"; if they are found, executes the command "Set mXnIdbWnKpGggSaNvmY=AutoIt3.exe & Set zPIKbblUBYjAYWUPbLqAvejLFKRXFQNG=.au3";

  • creates a directory with a random name;

  • creates the file Recognition.pif in that directory by concatenating \Recognition.pif with the files Eng, Haiti, Florida, Oxygen and Personality;

  • creates the file D in that directory by concatenating the files Nights, Mw, Tier and Fi;

  • launches Recognition.pif (AutoIt3.exe) with the file created above, D (D.au3), as its argument;

  • executes the command "ping -n 5 127[.]0[.]0[.]1".
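The Grave.bat behaviours above, together with the process command lines listed under Indicators of compromise, map directly onto process-creation detections. The following Python script is an added example and not part of the FACCT report: it runs a few rules over constructed Sysmon-style process events that replay the command lines from this article plus benign noise, then flags parent processes whose children trip several rules at once. The event records, PIDs, user path and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 style records that replay the command lines from
# the report, plus two benign events. PIDs, the user name and paths are made up.
TIF = r"C:\Users\u\AppData\Local\Microsoft\Windows\Temporary Internet Files"
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3980, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c move Grave Grave.bat && Grave.bat"},
    {"pid": 4128, "ppid": 4120, "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": 'findstr.exe /I "wrsa.exe opssvc.exe"'},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "PING.EXE -n 193 127.0.0.1"},
    {"pid": 4140, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy /b 2522\Recognition.pif + Eng + Haiti + Florida"
                r" + Oxygen + Personality 2522\Recognition.pif"},
    {"pid": 4142, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy /b Nights + Mw + Tier + Fi 2522\D"},
    {"pid": 4150, "ppid": 4120, "image": TIF + r"\2522\Recognition.pif",
     "cmdline": '"' + TIF + r'\2522\Recognition.pif" 2522\D'},
    # Benign noise: a short connectivity check and an unrelated findstr.
    {"pid": 5000, "ppid": 4990, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 4 10.0.0.1"},
    {"pid": 5002, "ppid": 4990, "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": 'findstr /I "error" build.log'},
]

# Security product process names that Grave.bat looks for (taken from the report).
AV_PROCESS_NAMES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
                    "nswscsvc.exe", "sophoshealth.exe"}

RE_BAT_RENAME = re.compile(r"move\s+(\S+)\s+\1\.bat\s*&&\s*\1\.bat", re.I)
RE_PING_LOOPBACK = re.compile(r"ping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1", re.I)
RE_COPY_B = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)


def image_name(ev):
    """Base name of the executed image, lower-cased."""
    return ev["image"].rsplit("\\", 1)[-1].lower()


def rule_bat_rename_and_run(ev):
    """An extension-less file is renamed to .bat and run in the same command."""
    return bool(RE_BAT_RENAME.search(ev["cmdline"]))


def rule_av_process_probe(ev):
    """findstr used to look for security product processes (Grave.bat's AV check)."""
    cl = ev["cmdline"].lower()
    return image_name(ev) == "findstr.exe" and any(n in cl for n in AV_PROCESS_NAMES)


def rule_ping_sleep(ev, min_count=30):
    """A long ping to loopback used as a sleep (193 requests in the report)."""
    m = RE_PING_LOOPBACK.search(ev["cmdline"])
    return bool(m) and int(m.group(1)) >= min_count


def rule_binary_concat(ev):
    """copy /b joining three or more fragments into one file (interpreter/script assembly)."""
    m = RE_COPY_B.search(ev["cmdline"])
    return bool(m) and len(m.group(1).split("+")) >= 3


def rule_pif_from_temp_internet_files(ev):
    """A .pif (here the renamed AutoIt3.exe) executed from Temporary Internet Files."""
    img = ev["image"].lower()
    return img.endswith(".pif") and "temporary internet files" in img


RULES = [
    ("bat_rename_and_run", rule_bat_rename_and_run),
    ("av_process_probe", rule_av_process_probe),
    ("ping_sleep", rule_ping_sleep),
    ("binary_concat", rule_binary_concat),
    ("pif_from_temp_internet_files", rule_pif_from_temp_internet_files),
]


def classify(ev):
    """Names of all rules that fire on one process-creation event."""
    return [name for name, fn in RULES if fn(ev)]


def suspicious_parents(events, min_rules=3):
    """Parent PIDs whose children trip at least min_rules distinct rules."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["ppid"]].update(classify(ev))
    return {ppid for ppid, names in hits.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["pid"], classify(ev))
    print("suspicious parents:", suspicious_parents(SAMPLE_EVENTS))
```

Each rule on its own is noisy (a lone ping or findstr is everyday activity), which is why the verdict is taken per parent process: the cmd.exe that runs Grave.bat spawns the AV probe, the loopback ping, the two copy /b concatenations and the .pif launch, and that combination is what should be escalated.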

As a result of running NervousGrammar.exe, the following files are created:

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Grave (Grave.bat)

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Eng

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Haiti

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Florida

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Oxygen

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Personality

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Nights

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Tier

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Fi

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Mw

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\D

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Recognition.pif (for example: %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\2522\Recognition.pif)

The payload, the Rhadamanthys Stealer main module, is then injected into the Recognition.pif process; it deploys the various Rhadamanthys modules in memory, injects its code into the dialer.exe process, downloads the stealer module from the C2 server and runs it in the memory of dialer.exe.

Payload

The payload, the Rhadamanthys Stealer main module, is responsible for deploying the various Rhadamanthys modules in memory and for loading the stealer module. The main module retrieves the stealer component from the following network address: hxxps://94[.]156[.]8[.]211:2096/255d808fda21a5/00v7tdtm.gtsv5.

Rhadamanthys Stealer is a stealer with a modular architecture, written in C++ and put up for sale in September 2022. It collects system information and steals browsing history, bookmarks, cookies, autofill data and login credentials from various browsers. It also targets various cryptocurrency wallets and cryptocurrency wallet browser extensions, as well as applications such as FTP clients, email clients, file managers, password managers, VPN services, messaging applications and others. A detailed analysis of this stealer has been published by researchers from Check Point.

The analyzed Rhadamanthys Stealer sample uses the C2 94.156.8[.]211:443. Mutex: MSCTF.Asm. {%.

List of software targeted by the analyzed Rhadamanthys Stealer:

  • Web browsers: Chrome, Firefox, Internet Explorer, Brave-Browser, 360Browser, CocCoc browser, Pale Moon browser, Opera, Sleipnir5 browser, K-Meleon.

  • Messengers: Telegram, Discord, Tox, Pidgin, Psi+.

  • FTP clients: FileZilla, CoreFtp, CuteFTP, WinSCP2, SmartFTP, FtpNavigator, FlashFXP, FTPRush.

  • VPN clients: OpenVPN, ProtonVPN, AzireVPN, Windscribe.

  • Mail programs: TrulyMail, TheBat, Foxmail, CheckMail.

  • File managers: Total Commander.

  • Crypto wallets: DashCore, Exodus, ElectronCash, Electrum-LTC, Electrum, TronLink extension, DeFi Blockchain, Litecoin, ElectrumSV, MyMonero, Binance Wallet, Binance Extension Wallet, BitcoinCore, Coinomi, Defichain-Electrum, Electron-Cash, Frame, Jaxx, Monero, Monero-Core, MyCrypto, Qtum-Electrum, Qtum, Solar Wallet, TokenPocket, WalletWasabi.

  • Password managers: KeePass, RoboForm, WinAuth.

  • Notes apps: Notezilla, Microsoft StickyNotes, SimplU Sticky Notes.

  • Other: Steam, TeamViewer, PuTTY, Zap, GmailNotifierPro.

Network infrastructure

Sticky Werewolf used the server 94[.]156[.]8[.]211 to operate Rhadamanthys Stealer. We observed the following self-signed SSL certificate on port 2096 (the port used to download the stealer component).

Detected self-signed SSL certificate on port 2096

Graph analysis of the group's network infrastructure revealed another similar certificate on port 19000 of the server under investigation. The infrastructure used by the attacker in this attack is shown in the screenshot below.

Screenshot of graph analysis of Sticky Werewolf network infrastructure

MITRE ATT&CK

Indicators of compromise

File indicators

Network indicators

  • hxxps://store1.gofile[.]io/download/direct/d737e793-3e29-4f51-b85f-1f25f11794e9/priglashenie_na_sovet.pdf.exe

  • hxxps://94.156.8[.]211:2096/255d808fda21a5/00v7tdtm.gtsv5

  • IP address: 94.156.8[.]211:443

Paths

  • %TEMP%\NervousGrammar.exe (Themida packed)

  • %TEMP%\Priglashenie_na_Sovet.pdf

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Recognition.pif

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\D

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Grave (Grave.bat)

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Nights

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Mw

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Tier

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Fi

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Eng

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Haiti

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Florida

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Oxygen

  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Personality

Processes

  • PING.EXE -n 5 127[.]0[.]0[.]1

  • cmd.exe /c move Grave Grave.bat && Grave.bat

  • "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Recognition.pif" \Recognition.pif \D (for example: "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\2522\Recognition.pif" 2522\D)

  • cmd.exe /c copy /b Nights + Mw + Tier + Fi \D (for example: cmd.exe /c copy /b Nights + Mw + Tier + Fi 2522\D)

  • cmd.exe /c copy /b \Recognition.pif + Eng + Haiti + Florida + Oxygen + Personality \Recognition.pif (for example: cmd.exe /c copy /b 2522\Recognition.pif + Eng + Haiti + Florida + Oxygen + Personality 2522\Recognition.pif)

  • findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

  • findstr.exe /V "stylusofwilsonbritney" Reproduced

  • findstr.exe /I "wrsa.exe opssvc.exe"

Mutex
