Sapphire Werewolf's stealer evolves into Amethyst, data-stealing malware that leverages legitimate Windows tools and a Telegram-based C2 to exfiltrate data from over 300 companies. The dropper writes and runs Amethyst, which collects browser, Telegram, and SSH-related data, archives it (password-protected), and retrieves C2 addresses from Telegram channel posts. #SapphireWerewolf #AmethystStealer #SapphireStealer
Key points
- The campaign uses a malicious dropper that copies itself to the folder %AppData%\MicrosoftEdgeUpdate and deploys MicrosoftEdgeUpdate.exe from the embedded resource Resources.MicrosoftEdgeUpdate.
- Persistence is established by creating a Windows Task Scheduler task via the embedded FunnyCat.Microsoft.Win32.TaskScheduler.dll, masquerading as MicrosoftEdgeUpdateTaskMachineCore and running every 60 minutes.
- A decoy document is written to the current folder and opened to lure user execution.
- Amethyst stealer is written to VPN.exe in a temporary data folder and executed, followed by self-deletion via a command line.
- The stealer collects a wide range of data (browsers, Telegram data, PowerShell logs, and SSH/FileZilla configs) and stores it in a UUID-named folder before exfiltrating to C2.
- Exfiltration occurs through a Telegram bot C2; the archive is password-protected and includes notes listing the device's IP addresses, host name, and processor ID.
MITRE Techniques
- [T1053] Scheduled Task: The attackers create a Windows Task Scheduler task using the embedded library to run the malware every 60 minutes, disguising the task as MicrosoftEdgeUpdateTaskMachineCore. "To get a foothold in the compromised system, the adversaries create a task in Windows Task Scheduler. For this purpose, they use the library embedded in the executable file, FunnyCat.Microsoft.Win32.TaskScheduler.dll. This legitimate library makes it possible to create a scheduled task without actually running schtasks. The name, description, and path to the executable file in the task are disguised as a legitimate task MicrosoftEdgeUpdateTaskMachineCore. The newly created task is executed every 60 minutes after the initial launch."
- [T1204.002] User Execution: Malicious File: A decoy document is written into the current folder and then opened. "a decoy document is written into the current folder and then opened."
- [T1105] Ingress Tool Transfer: MicrosoftEdgeUpdate.exe enables the download and execution of additional files in the compromised system, including obtaining the C2 server address via a Telegram channel post. "The MicrosoftEdgeUpdate.exe file enables the download and execution of additional files in the compromised system. Same as Amethyst, the file gets the C2 server address for downloading extra files through a post in the Telegram channel."
- [T1059.003] Windows Command Shell: The malware uses cmd.exe to perform operations, including deletion commands. "cmd.exe /C choice /C Y /N /D Y /T 3 & Del "[path to the current executable file]""
- [T1070.004] File Deletion: After execution, the program deletes itself using a command line. "the following command: cmd.exe /C ... Del "[path to the current executable file]""
- [T1041] Exfiltration Over C2 Channel: Collected data is archived and sent to the C2 server (Telegram bot). "All these files get compressed into an archive and transmitted to the C2 server."
- [T1119] Automated Collection: The malware automates data collection (a broad set of files from multiple sources) and then exfiltrates it. "The above mentioned files get archived and sent to the C2 server."
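The three process-level behaviours above (an updater look-alike running from a profile folder, the stealer launched as VPN.exe from a temporary folder, and the delayed "choice ... & Del" self-deletion) are each easy to express as a rule over process-creation telemetry. The script below is an added detection example, not code from the report or the BI.ZONE analysis; the events are constructed samples shaped like Sysmon Event ID 1 fields, and the paths, user name and the assumption that the genuine updater only lives under a `...\Microsoft\EdgeUpdate\` directory are illustrative choices of mine:

```python
import ntpath
import re

# Constructed sample process-creation events (not real telemetry). Field names
# mirror Sysmon Event ID 1; user names, folder names and paths are invented.
SAMPLE_EVENTS = [
    {   # genuine Edge updater in its expected install location: must not fire
        "Image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # dropper copy masquerading as the updater under %AppData%\MicrosoftEdgeUpdate
        "Image": r"C:\Users\alice\AppData\Roaming\MicrosoftEdgeUpdate\MicrosoftEdgeUpdate.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Roaming\MicrosoftEdgeUpdate\MicrosoftEdgeUpdate.exe"',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # stealer written as VPN.exe into a temporary folder and executed
        "Image": r"C:\Users\alice\AppData\Local\Temp\7f3e\VPN.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\7f3e\VPN.exe"',
        "ParentImage": r"C:\Users\alice\AppData\Roaming\MicrosoftEdgeUpdate\MicrosoftEdgeUpdate.exe",
    },
    {   # delayed self-deletion: choice waits a few seconds, then del removes the parent
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\Users\alice\AppData\Local\Temp\7f3e\VPN.exe"',
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\7f3e\VPN.exe",
    },
    {   # ordinary cmd.exe usage: must not fire
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /C dir C:\Users\alice\Documents",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# "choice ... /T <seconds> & del" is the timed self-deletion idiom quoted in the report.
SELF_DELETE_RE = re.compile(r"\bchoice\b[^&]*/T\s+\d+\s*&\s*del\b", re.IGNORECASE)
# User-writable profile folders where the dropper and stealer are written.
USER_WRITABLE_RE = re.compile(r"\\appdata\\(roaming|local\\temp)\\", re.IGNORECASE)


def is_expected_edgeupdate_path(image: str) -> bool:
    """Heuristic (assumption): the real updater sits in a ...\\Microsoft\\EdgeUpdate\\
    directory (machine-wide under Program Files (x86), per-user under %LocalAppData%).
    Any other location carrying this file name is treated as masquerading."""
    normalized = image.lower().replace("/", "\\")
    return normalized.endswith(r"\microsoft\edgeupdate\microsoftedgeupdate.exe")


def analyze_event(ev: dict) -> list:
    """Return a list of findings for one process-creation event (empty if benign)."""
    image = ev.get("Image", "")
    cmdline = ev.get("CommandLine", "")
    name = ntpath.basename(image).lower()
    findings = []
    # Persistence/masquerade stage: updater name outside the updater's install path.
    if name == "microsoftedgeupdate.exe" and not is_expected_edgeupdate_path(image):
        findings.append({"rule": "edgeupdate_masquerade", "stage": "persistence", "image": image})
    # Payload stage: the stealer is dropped as VPN.exe into a temporary folder.
    if name == "vpn.exe" and USER_WRITABLE_RE.search(image):
        findings.append({"rule": "vpn_exe_from_temp", "stage": "payload-execution", "image": image})
    # Cleanup stage (T1059.003 + T1070.004): cmd.exe used for the timed self-delete.
    if name == "cmd.exe" and SELF_DELETE_RE.search(cmdline):
        findings.append({"rule": "delayed_self_delete", "stage": "self-deletion",
                         "parent": ev.get("ParentImage", "")})
    return findings


def scan_events(events: list) -> list:
    """Flatten the findings for a batch of events."""
    return [finding for ev in events for finding in analyze_event(ev)]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The self-delete regex keys on the structure of the idiom (a `choice` timeout followed by `del`) rather than the exact string, so a changed delay or different path still matches; the masquerade rule deliberately whitelists both the machine-wide and per-user updater locations so that per-user Edge installs do not generate noise.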
Indicators of Compromise
- [File] MicrosoftEdgeUpdate.exe, VPN.exe: Dropper/executable files involved in the campaign
- [Directory] %AppData%\MicrosoftEdgeUpdate: Drop location for the initial payload
- [Directory] %UserProfile%\Downloads\Telegram Desktop: Source of collected Telegram-related files
- [URL] http://checkip.dyndns.org, https://t.me/s/[channel ID]: Used to reveal the public IP and obtain C2 server addresses
- [Library] FunnyCat.Microsoft.Win32.TaskScheduler.dll: Used to create scheduled tasks for persistence
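Because the task is created through a library rather than schtasks.exe, a hunt for the persistence described under T1053 has to look at the resulting task definitions themselves. The script below is an added example of mine, not part of the report: it assesses Task Scheduler XML (the format printed by `schtasks /Query /XML` and stored under `C:\Windows\System32\Tasks`), flagging a task whose name imitates the Edge updater but whose action points outside the updater's install directory or into a user-writable profile folder, and reporting the repetition interval so the 60-minute cadence can be checked. Both task definitions are constructed samples, and the whitelisted install path is an assumption of the example:

```python
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition resembling the genuine updater task (not a real export).
LEGIT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\MicrosoftEdgeUpdateTaskMachineCore</URI>
    <Description>Keeps your Microsoft software up to date.</Description>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
      <Arguments>/c</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed task definition mimicking the disguised persistence task: same name and
# description, hourly repetition, but the action runs from %AppData%\MicrosoftEdgeUpdate.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\MicrosoftEdgeUpdateTaskMachineCore</URI>
    <Description>Keeps your Microsoft software up to date.</Description>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT60M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-05-01T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\MicrosoftEdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Assumption: the genuine updater binary always lives in a ...\Microsoft\EdgeUpdate\ directory.
EXPECTED_UPDATER_SUFFIX = r"\microsoft\edgeupdate\microsoftedgeupdate.exe"
USER_WRITABLE_RE = re.compile(r"\\appdata\\(roaming|local\\temp)\\", re.IGNORECASE)


def _text(root, path: str) -> str:
    node = root.find(path, TASK_NS)
    return (node.text or "").strip() if node is not None else ""


def assess_task(xml_text: str) -> dict:
    """Parse one task definition and report why (if at all) it looks disguised."""
    root = ET.fromstring(xml_text)
    uri = _text(root, "t:RegistrationInfo/t:URI")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    interval = _text(root, ".//t:Repetition/t:Interval")  # any trigger type
    cmd_lower = command.strip('"').lower().replace("/", "\\")
    reasons = []
    if "edgeupdate" in uri.lower() and not cmd_lower.endswith(EXPECTED_UPDATER_SUFFIX):
        reasons.append("EdgeUpdate-named task runs a binary outside the updater's install path")
    if USER_WRITABLE_RE.search(cmd_lower):
        reasons.append("action runs from a user-writable profile directory")
    # The interval alone is not evidence (many benign tasks run hourly); it is reported
    # so an analyst can correlate it with the 60-minute cadence from the report.
    return {"name": uri, "command": command, "interval": interval,
            "reasons": reasons, "suspicious": bool(reasons)}


def scan_task_folder(folder: str) -> list:
    """Assess every task file below a Tasks folder; stored task files are UTF-16 encoded."""
    results = []
    for dirpath, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-16") as fh:
                    result = assess_task(fh.read())
            except (OSError, ET.ParseError, UnicodeError):
                continue  # not a task definition or unreadable; skip
            result["file"] = path
            results.append(result)
    return results


if __name__ == "__main__":
    for sample in (LEGIT_TASK_XML, SUSPICIOUS_TASK_XML):
        print(assess_task(sample))
```

Run `scan_task_folder(r"C:\Windows\System32\Tasks")` from an elevated prompt to sweep a live host; the `suspicious` flag is driven only by the path mismatch and the user-writable location, so an hourly but correctly located updater task is reported with its interval without being flagged.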
Read more: https://bi.zone/eng/expertise/blog/sapphire-werewolf-ottachivaet-izvestnyy-stiler-dlya-novykh-atak/