Sticky Werewolf, a cyber-espionage group, attempted to attack Belarusian companies by distributing a fake CCleaner 6.20 installer that drops the Ozone RAT. The campaign featured a large SFX payload (75.79 MB) built with NSIS, hiding obfuscated AutoIt and BAT scripts inside the CCleaner installer, with indicators including specific file hashes, startup items, and malicious URLs. Hashtags: #StickyWerewolf #OzoneRAT #DarktrackRAT #MetaStealer #CCleaner #Gofile #mailru-storage
Key points
- Sticky Werewolf is a cyber-espionage group targeting government and financial sectors in Russia and Belarus.
- The campaign used phishing emails with links to malicious files, leading to a CCleaner installer that served as the lure for the payloads.
- Researchers observed a large 75.79 MB SFX payload built around an NSIS installer containing an embedded ChemExamples.exe and obfuscated scripts.
- An obfuscated AutoIt script and an obfuscated BAT file were used to assemble a legitimate AutoIt interpreter and load Ozone RAT in memory.
- The malware injects into the ipconfig.exe process to run the Ozone RAT module in memory.
- Sticky Werewolf has previously used phishing and tools like Darktrack RAT, Ozone RAT, and MetaStealer in campaigns.
- Observed IOCs include specific file names and hashes, startup items, URLs, a domain, and an IP address linked to the campaign.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Link – “phishing emails with links to malicious files” used to lure targets.
- [T1027] Obfuscated Files and Information – “obfuscated AutoIt-script and obfuscated BAT-file” used to conceal payload components inside the SFX.
- [T1055] Process Injection – “in memory into the ipconfig.exe process” to load the Ozone RAT module.
- [T1036] Masquerading – “the CCleaner installer” used as lure, disguising the dropper as legitimate software.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “Startup folder” persistence via shortcuts and startup items (e.g., ChemExamples.lnk, CheetahGuard.url).
- [T1105] Ingress Tool Transfer – “the malicious link and SFX-archive were downloaded from one source” to fetch the payload.
Indicators of Compromise
- [File name] context – ccleaner_downloads.exe, ChemExamples.exe, Infectious.pif, and 2 more items
- [MD5] context – bf3eafa83b3bdee1f42cc9fb3bd66eb0, d8c6199b414bdf298b6a774e60515ba5
- [SHA-1] context – ca65a505196383e9bd06500e2d80cd2219191969, 3436370107bb02f0966acc2d104ed1edc99a1896
- [SHA-256] context – a015790f512784ec1e552402c60c402d6ff292143ab888811cd8bb70da572860, e50987f5f13de4a552778a691032d9fce3a102bfad3fb5b7edc4c48d2aa3b4f2
- [URL] context – hxxps://mail.ru-storage[.]com/ccleaner_downloads, hxxps://store14.gofile[.]io/download/direct/182fba2c-52a1-45c7-9cea-ecbf1c73f1d0/ccleaner_downloads.exe
- [Domain] context – mail.ru-storage[.]com
- [IP] context – 194.61.121[.]167:1145
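The indicators above are more useful when swept against host and network data in one pass. The following Python script is an added example, not part of the original report or the researchers' tooling: it refangs the defanged indicators exactly as listed on this page and checks a host file inventory, a Startup folder listing, and proxy/firewall log lines against them. The file inventory, startup entries and log lines are constructed sample data, and the log format (a `dst=ip:port` field) is an assumption chosen for the demonstration.

```python
"""IOC sweep for the Sticky Werewolf / fake CCleaner campaign summarised above.

Added example, not code from the original report. Indicator values are copied
from the page (defanged form refanged at load time); the host inventory,
Startup-folder listing and log lines are constructed sample data.
"""
import re


def refang(value: str) -> str:
    """Turn defanged notation (hxxp, [.]) back into a matchable string."""
    return value.replace("hxxp", "http").replace("[.]", ".")


# Indicators taken from the report.
IOC_SHA256 = {
    "a015790f512784ec1e552402c60c402d6ff292143ab888811cd8bb70da572860",
    "e50987f5f13de4a552778a691032d9fce3a102bfad3fb5b7edc4c48d2aa3b4f2",
}
IOC_MD5 = {"bf3eafa83b3bdee1f42cc9fb3bd66eb0", "d8c6199b414bdf298b6a774e60515ba5"}
IOC_FILENAMES = {"ccleaner_downloads.exe", "chemexamples.exe", "infectious.pif"}
IOC_STARTUP_ITEMS = {"chemexamples.lnk", "cheetahguard.url"}
IOC_DOMAINS = {refang("mail.ru-storage[.]com")}
IOC_URLS = {
    refang("hxxps://mail.ru-storage[.]com/ccleaner_downloads"),
    refang("hxxps://store14.gofile[.]io/download/direct/"
           "182fba2c-52a1-45c7-9cea-ecbf1c73f1d0/ccleaner_downloads.exe"),
}
_c2_host, _c2_port = refang("194.61.121[.]167:1145").split(":")
IOC_C2 = {(_c2_host, int(_c2_port))}


def check_files(inventory):
    """inventory: iterable of (path, md5, sha256). Returns [(path, reason)]."""
    hits = []
    for path, md5, sha256 in inventory:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if sha256.lower() in IOC_SHA256 or md5.lower() in IOC_MD5:
            hits.append((path, "hash match"))       # strongest signal
        elif name in IOC_FILENAMES:
            hits.append((path, "filename match"))   # weaker, review manually
    return hits


def check_startup(entries):
    """entries: file names found in a user's Startup folder."""
    return sorted(e for e in entries if e.lower() in IOC_STARTUP_ITEMS)


# Assumed log layout: a "dst=<ip>:<port>" field on firewall/proxy lines.
_CONN_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def check_network(log_lines):
    """Flag lines touching the reported URLs, domain or C2 socket."""
    hits = []
    for line in log_lines:
        low = line.lower()
        if any(u.lower() in low for u in IOC_URLS):
            hits.append((line, "url match"))
        elif any(d in low for d in IOC_DOMAINS):
            hits.append((line, "domain match"))
        else:
            m = _CONN_RE.search(line)
            if m and (m.group("ip"), int(m.group("port"))) in IOC_C2:
                hits.append((line, "c2 socket match"))
    return hits


def sweep(inventory, startup_entries, log_lines):
    """Run all three checks and return the findings grouped by source."""
    return {
        "files": check_files(inventory),
        "startup": check_startup(startup_entries),
        "network": check_network(log_lines),
    }


# Constructed sample data (paths, benign hashes and log lines are made up).
SAMPLE_INVENTORY = [
    (r"C:\Users\user\Downloads\ccleaner_downloads.exe",
     "bf3eafa83b3bdee1f42cc9fb3bd66eb0",
     "a015790f512784ec1e552402c60c402d6ff292143ab888811cd8bb70da572860"),
    (r"C:\Program Files\CCleaner\CCleaner64.exe", "0" * 32, "0" * 64),
    (r"C:\Users\user\AppData\Local\Temp\Infectious.pif", "1" * 32, "1" * 64),
]
SAMPLE_STARTUP = ["desktop.ini", "ChemExamples.lnk"]
SAMPLE_LOGS = [
    "2024-01-01T10:00:00 proxy user=user url=https://mail.ru-storage.com/ccleaner_downloads",
    "2024-01-01T10:05:00 fw allow src=10.0.0.5:51234 dst=194.61.121.167:1145 proto=tcp",
    "2024-01-01T10:06:00 fw allow src=10.0.0.5:51235 dst=93.184.216.34:443 proto=tcp",
]

if __name__ == "__main__":
    for section, hits in sweep(SAMPLE_INVENTORY, SAMPLE_STARTUP, SAMPLE_LOGS).items():
        for hit in hits:
            print(section, hit)
```

Hash matches are treated as stronger evidence than name matches, since `ccleaner_downloads.exe` or `Infectious.pif` can be renamed or collide with unrelated files, while the `.lnk`/`.url` Startup entries and the port-specific C2 socket map directly to the persistence and network behaviour described in the report.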
Read more: https://habr.com/ru/companies/f_a_c_c_t/news/792672/