Over 300 Cyber Attacks in 3 Months by Sapphire Werewolf

BI.ZONE has warned about the activity of the threat actor Sapphire Werewolf, which has been conducting cyber attacks against Russian organizations since the beginning of March 2024. The attackers carried out more than 300 attacks aimed at stealing data from organizations in education, IT, the defense industry, and aerospace.

To penetrate corporate networks, the attackers sent victims phishing emails containing links created with the T.LY URL shortener. The links led to malicious files disguised as documents; when a victim opened one, data-stealing malware was installed on the computer.

To make the attack more convincing, the malware also opened a decoy legitimate document, such as a resolution, a CEC leaflet, or a decree of the President of the Russian Federation. The T.LY shortener was used so that the links themselves would look trustworthy.

All malware used in the campaign had similar functionality. After the victim opened the malicious file, a folder named Microsoft EdgeUpdate was created under %AppData%, and the file MicrosoftEdgeUpdate.exe was written into it from the embedded resource resource.microsoftedgeupdate.

To persist on the compromised system, the malware created a scheduled task using the Funnycat.microsoft.win32.taskscheduler.dll library. This legitimate library creates tasks in Task Scheduler without invoking schtasks.exe directly. The task, disguised under the name MicrosoftedgeupdateSkinecore, runs every 60 minutes after it is created.
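A quick way to hunt for this persistence pattern on a Windows host is to enumerate scheduled tasks whose action runs from a user-writable %AppData% path or whose name imitates the Edge updater, and to look for the dropped binary under %AppData%. The script below is an added example written for this article, not code from BI.ZONE or from the malware; the task and file names come from the text above, and the assumption that the legitimate Edge updater lives under Program Files is based on standard Microsoft Edge installs.

```powershell
# Added detection example (not from the BI.ZONE report).
# Flags scheduled tasks that execute from %AppData% or that look like the Edge
# updater but run outside Program Files, and looks for the dropped binary.

$appData = [Environment]::GetFolderPath('ApplicationData')   # resolves %AppData%

function Find-SuspiciousEdgeUpdateTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute
            if (-not $exe) { continue }
            # Task actions may store %AppData%-style variables; expand them before comparing.
            $expanded = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')

            $fromAppData   = $expanded.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
            $edgeLookalike = ($task.TaskName -like '*EdgeUpdate*') -or ($expanded -like '*MicrosoftEdgeUpdate.exe')
            # Assumption: the genuine updater is installed under Program Files, never under a user profile.
            $outsideProgramFiles = $expanded -notlike '*\Program Files*'

            if ($fromAppData -or ($edgeLookalike -and $outsideProgramFiles)) {
                [pscustomobject]@{
                    TaskName   = $task.TaskName
                    TaskPath   = $task.TaskPath
                    Execute    = $expanded
                    # ISO 8601 interval, e.g. PT1H for the 60-minute repetition described above
                    Repetition = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                    Author     = $task.Author
                }
            }
        }
    }
}

function Find-DroppedEdgeUpdateBinary {
    # The article's folder name is rendered loosely, so search the whole %AppData% tree
    # for the dropped executable rather than relying on an exact path.
    Get-ChildItem -Path $appData -Recurse -Filter 'MicrosoftEdgeUpdate.exe' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime
}

Find-SuspiciousEdgeUpdateTasks | Format-Table -AutoSize
Find-DroppedEdgeUpdateBinary   | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that tasks in all task folders are visible; any hit with a repetition interval of PT1H and an executable under a user profile deserves a closer look, since legitimate updaters do not normally run from there.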

The stolen data included Telegram configuration files, password databases, cookies, browsing history, and configuration data from various browsers. PowerShell logs, FileZilla configuration files, and SSH files were also collected.

More indicators of compromise and a detailed description of the tactics, techniques, and procedures used in this campaign are available on the BI.ZONE portal.
