FACCT Discovers New Attacks by Pro-Ukrainian Cyber Spies Sticky Werewolf

    Date: 01/28/2025

    Severity: Medium

    Summary

    "FACCT Discovers New Attacks by Pro-Ukrainian Cyber Spies Sticky Werewolf" details how the cyber espionage group Sticky Werewolf targeted Russian research and production enterprises after the New Year holidays. The group, known for attacking government and military-industrial sectors, sent phishing emails disguised as communications from the Russian Ministry of Industry and Trade. One such email was intercepted by the FACCT Managed XDR solution on January 13. Sticky Werewolf commonly uses malicious attachments, including remote access trojans like Darktrack RAT and Ozone RAT, as well as information stealers such as Glory Stealer and MetaStealer.

    Indicators of Compromise (IOC) List

    URL/Domain

    bitbucket.org/5w457/ed512/downloads/emnfpac.txt

    https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612

    https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg

    IP Address

    45.155.249.126

    84.22.195.72

    Hash

969977a682bac07eb1f9196041077d3c332b2b37

    0919987e12e51e55824959323ed23a9d3387fbad

    74f6f78bd8f1cc30e911350b60fe9b4eaf69e21c

    4c92e612f006838f10b50a9aa102c4430f9b8495

    d558d8501286b0b322a06a2e2f21fc6c03d45316

    861118c8a32157349c1d3dc76e774c027c05433c

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg" or url like "https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg" or userdomainname like "https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612" or url like "https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612" or userdomainname like "bitbucket.org/5w457/ed512/downloads/emnfpac.txt" or url like "bitbucket.org/5w457/ed512/downloads/emnfpac.txt"

    Detection Query 2

    dstipaddress IN ("45.155.249.126","84.22.195.72") or ipaddress IN ("45.155.249.126","84.22.195.72") or publicipaddress IN ("45.155.249.126","84.22.195.72") or srcipaddress IN ("45.155.249.126","84.22.195.72")

    Detection Query 3

    sha1hash IN ("74f6f78bd8f1cc30e911350b60fe9b4eaf69e21c","4c92e612f006838f10b50a9aa102c4430f9b8495","969977a682bac07eb1f9196041077d3c332b2b37","d558d8501286b0b322a06a2e2f21fc6c03d45316","0919987e12e51e55824959323ed23a9d3387fbad","861118c8a32157349c1d3dc76e774c027c05433c")
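The three queries above match on exact field values; note that the first bitbucket indicator is listed without a scheme while the other two include `https://`, so a `like` match against the full string will miss log entries that record the URL with or without a scheme or with a differently cased host. The following added example (not code from the advisory, Gurucul or FACCT) applies the same three checks to constructed JSON log events, normalizing URLs (scheme dropped, host lowercased, query string kept) and lowercasing hashes before comparison; the field names mirror the queries and the sample events are assumptions.

```python
# Added example, not the advisory's or Gurucul's code. IOCs are copied from the advisory;
# field names mirror the three queries; sample events are constructed assumptions.
import json
from urllib.parse import urlsplit

IOC_URLS = {
    "bitbucket.org/5w457/ed512/downloads/emnfpac.txt",
    "https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612",
    "https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg",
}
IOC_IPS = {"45.155.249.126", "84.22.195.72"}
IOC_SHA1 = {
    "969977a682bac07eb1f9196041077d3c332b2b37", "0919987e12e51e55824959323ed23a9d3387fbad",
    "74f6f78bd8f1cc30e911350b60fe9b4eaf69e21c", "4c92e612f006838f10b50a9aa102c4430f9b8495",
    "d558d8501286b0b322a06a2e2f21fc6c03d45316", "861118c8a32157349c1d3dc76e774c027c05433c",
}
URL_FIELDS = ("url", "userdomainname")                                        # Query 1
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")  # Query 2

def normalize_url(url):
    """Lowercase host + path (+ query), scheme-agnostic, so the scheme-less indicator matches."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit parse a scheme-less value as netloc + path
    parts = urlsplit(url.strip())
    return parts.netloc.lower() + parts.path + ("?" + parts.query if parts.query else "")

NORMALIZED_IOC_URLS = {normalize_url(u) for u in IOC_URLS}

def match_event(event):
    """Return (query, field, value) hits for one event dict, one per matching field."""
    hits = []
    for f in URL_FIELDS:
        if event.get(f) and normalize_url(event[f]) in NORMALIZED_IOC_URLS:
            hits.append(("query1", f, event[f]))
    for f in IP_FIELDS:
        if event.get(f) in IOC_IPS:
            hits.append(("query2", f, event[f]))
    h = (event.get("sha1hash") or "").lower()  # hashes are often logged upper-case
    if h in IOC_SHA1:
        hits.append(("query3", "sha1hash", h))
    return hits

def scan_log(lines):
    """Parse one JSON event per line and return every hit across the log."""
    return [h for ln in lines if ln.strip() for h in match_event(json.loads(ln))]

SAMPLE_LOG = [  # constructed events, not real telemetry
    '{"url": "HTTPS://BITBUCKET.ORG/5w457/ed512/downloads/emnfpac.txt", "srcipaddress": "10.0.0.5"}',
    '{"dstipaddress": "84.22.195.72", "sha1hash": "D558D8501286B0B322A06A2E2F21FC6C03D45316"}',
    '{"url": "https://bitbucket.org/legit/repo/downloads/notes.txt", "dstipaddress": "8.8.8.8"}',
]
```

Running `scan_log(SAMPLE_LOG)` yields one Query 1 hit for the first event (despite the upper-case scheme and host), a Query 2 and a Query 3 hit for the second, and nothing for the benign third event.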

    Reference: 

    https://habr.com/ru/companies/f_a_c_c_t/news/873762/


    Tags

CyberEspionage, Russia, Phishing, Government Services and Facilities, Defense Industrial Base
