Sapphire Werewolf Integrates Amethyst Stealer to Intensify Energy Sector Attacks

The Sapphire Werewolf threat group has escalated its operations by adding the Amethyst stealer to its toolset, posing a serious risk to organizations in the energy sector.

The latest iteration of the Amethyst stealer adds anti-virtualization checks and string encryption, which help its operators slip past sandboxes and static analysis.

With the credentials the stealer harvests, the adversaries gain unauthorized access to internal information systems and the sensitive data they hold.

In a phishing campaign attributed to Sapphire Werewolf, attackers disguised malicious executables as official HR memos.

Victims were sent a phishing email containing an archive named “Служебная записка.rar” (translated as “Official Memo”).

Figure: Phishing email

The archive contained a .NET executable, “Служебная записка.exe,” disguised with a PDF icon.

The executable was a loader for the Amethyst stealer and was protected with .NET Reactor.

On launch, the loader decodes a Base64-encoded PE payload in memory and runs it reflectively through Assembly.Load() followed by Invoke(), so the decoded stealer exists only in memory rather than as a file on disk, which sidesteps file-based detection.
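The loader pattern described above leaves a recognizable static artifact: a long Base64 run that decodes to bytes beginning with “MZ” and carrying a valid “PE\0\0” signature at the offset stored in e_lfanew. The following Python is an added example, not code from the report, from BI.ZONE or from the malware, that scans a buffer such as a dumped loader or a decompiled source string for such runs. The sample input is a constructed, deliberately non-executable PE-shaped header standing in for a real payload; the variable name `payload` in the constructed source line is an assumption.

```python
import base64
import re
import struct


def build_fake_pe() -> bytes:
    """Constructed stand-in for a payload: only the DOS header fields and the
    PE signature a scanner looks at. It is not a runnable executable."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)  # e_lfanew: NT headers start at 0x80
    padding = b"\x00" * (0x80 - len(dos_header))
    # "PE\0\0" signature, Machine = IMAGE_FILE_MACHINE_I386, rest of the header zeroed
    nt_headers = b"PE\x00\x00" + struct.pack("<H", 0x14C) + b"\x00" * 18
    return bytes(dos_header) + padding + nt_headers


# Base64 runs long enough to hold more than a trivial blob; optional padding at the end.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_base64_pe(blob: bytes) -> list:
    """Return (offset, decoded_size) for every Base64 run in blob that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        # Drop trailing characters that cannot complete a 4-character Base64 quantum.
        run = run[: len(run) - len(run) % 4]
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(decoded):
            hits.append((m.start(), len(decoded)))
    return hits


# Constructed sample: how the payload would appear as a string constant in decompiled loader source.
SAMPLE_SOURCE = b'private static string payload = "' + base64.b64encode(build_fake_pe()) + b'";'

if __name__ == "__main__":
    for offset, size in find_base64_pe(SAMPLE_SOURCE):
        print(f"Base64-encoded PE at offset {offset}, {size} bytes decoded")
```

This catches the plain Base64 case the article describes. If a loader XORs or encrypts the blob before encoding it (the newer Amethyst build already encrypts its strings with Triple DES), the run will no longer decode to “MZ”, so pair a scanner like this with runtime telemetry on Assembly.Load() being fed a byte array rather than a file path.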

Enhanced Capabilities of the Amethyst Stealer

The updated Amethyst stealer demonstrates significant advancements in its code obfuscation and execution techniques.

Nearly every string passed as a function argument is encrypted with Triple DES and only decrypted at run time, which makes static analysis considerably harder.

Once deployed, the stealer performs extensive system reconnaissance, including collecting data via Windows Management Instrumentation (WMI).

It also runs a battery of virtualization checks, such as looking for VirtualBox-related files and VMware Tools registry keys and inspecting hardware details for virtualization vendor signatures, so that it can avoid executing inside analysis sandboxes.

Additionally, the Amethyst stealer retrieves sensitive credentials from widely used applications, including Telegram, web browsers like Chrome and Brave, remote desktop clients, and VPN configuration files.

It targets file repositories on both local and removable media, packaging the collected data into archives for exfiltration.

Exfiltration goes over web services: the report documents the use of Telegram bots and communication with external domains such as wondrous-bluejay-lively.ngrok-free[.]app.

Indicators of Compromise and Tactical Analysis

The campaign has been linked to various domains and tools, including checkip.dyndns[.]org for IP verification and canarytokens[.]com for callback traffic.

The malware also opens decoy PDF documents so that execution looks legitimate to the victim. A User-Agent string beginning with “Brussel” serves as a campaign identifier in its HTTP traffic.
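The network indicators above (the ngrok host, checkip.dyndns[.]org, canarytokens[.]com and the “Brussel” User-Agent prefix) translate directly into a proxy-log rule. The Python below is an added example, not a rule from the report or from BI.ZONE, that refangs the published indicators and runs them over constructed proxy log lines. The log format, the source addresses and the Telegram Bot API host (api.telegram.org, which the article's mention of Telegram bots implies but does not name) are assumptions.

```python
import re
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Turn a defanged indicator as published into a matchable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Domains named in the article, kept defanged as published and refanged at load time.
REPORT_DOMAINS = [refang(d) for d in (
    "wondrous-bluejay-lively.ngrok-free[.]app",
    "checkip.dyndns[.]org",
    "canarytokens[.]com",
)]
# Assumption, not in the article: Telegram bot exfiltration uses the public Bot API host.
ASSUMED_DOMAINS = ["api.telegram.org"]
UA_PREFIX = "Brussel"

# Assumed log format: <timestamp> <src_ip> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def host_matches(host: str, pattern: str) -> bool:
    """Exact match or subdomain match; canarytokens callbacks use random subdomains."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    return host == pattern or host.endswith("." + pattern)


def classify(rec: dict) -> list:
    """Return the reasons a single request is suspicious (empty list if none)."""
    reasons = []
    for d in REPORT_DOMAINS:
        if host_matches(rec["host"], d):
            reasons.append(f"ioc-domain:{d}")
    for d in ASSUMED_DOMAINS:
        if host_matches(rec["host"], d):
            reasons.append(f"exfil-channel:{d}")
    if rec["ua"].startswith(UA_PREFIX):
        reasons.append(f"ua-prefix:{UA_PREFIX}")
    return reasons


def scan(lines) -> list:
    """Yield (src_ip, host, reasons) for every parseable line that trips a rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["src"], rec["host"], reasons))
    return alerts


# Constructed sample log lines; addresses, paths and the bot path are made up.
SAMPLE_LOG = """
2024-10-09T08:12:01Z 10.20.30.40 GET http://checkip.dyndns.org/ "Brussel"
2024-10-09T08:12:03Z 10.20.30.40 POST https://wondrous-bluejay-lively.ngrok-free.app/upload "Brussel"
2024-10-09T08:12:05Z 10.20.30.40 GET http://abc123.canarytokens.com/ping "Brussel"
2024-10-09T08:13:10Z 10.20.30.41 POST https://api.telegram.org/bot123/sendDocument "Mozilla/5.0"
2024-10-09T08:14:00Z 10.20.30.42 GET https://www.example.com/ "Mozilla/5.0"
not a log line
""".strip().splitlines()

if __name__ == "__main__":
    for src, host, reasons in scan(SAMPLE_LOG):
        print(src, host, ", ".join(reasons))
```

The external-IP lookup and the canarytokens callback are each benign on their own; what makes them worth alerting on is the combination with the “Brussel” User-Agent from the same host in a short window, which is the correlation a SIEM rule should build on top of this matcher.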

Figure: Example of decoy contents

From a tactical perspective, Sapphire Werewolf employs multiple MITRE ATT&CK techniques to ensure the success of its operations.

These include phishing emails for initial access, obfuscated code and software packing for defense evasion, system and network discovery for reconnaissance, the Windows command shell for execution, and scheduled tasks for persistence.

By creating scheduled tasks on compromised hosts, the malware keeps a long-term foothold, and it deletes files after execution to remove traces of the compromise.

According to the report, organizations are advised to deploy detection rules for suspicious activity such as executables launched from unusual directories, unexpected scheduled-task creation, or unauthorized access to sensitive files.

BI.ZONE has provided several detection rules, including win_creation_task_that_run_file_from_suspicious_folder and win_possible_browser_stealer_activity, to assist security teams in monitoring potential threats.
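The first of the named rules maps onto Windows Security event 4698 (a scheduled task was created), whose TaskContent field carries the task definition as escaped XML. The Python below is an added example of that detection logic, written here for illustration; it is not BI.ZONE's rule and does not reproduce its content. It parses constructed 4698 records, resolves the environment variables attackers use to hide a launch path, and flags Exec actions whose program or arguments live in a user-writable folder. The event records, task names, user name and paths are constructed sample data.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# %VAR% forms commonly used to hide a launch path, mapped to the folder they resolve to
# on a default Windows install (separator normalized to '/').
ENV_ALIASES = {
    "%temp%": "/appdata/local/temp",
    "%tmp%": "/appdata/local/temp",
    "%localappdata%": "/appdata/local",
    "%appdata%": "/appdata/roaming",
    "%public%": "/users/public",
    "%programdata%": "/programdata",
}

# Folder fragments a scheduled task rarely launches legitimate software from.
SUSPICIOUS_DIRS = (
    "/appdata/local/temp/",
    "/appdata/roaming/",
    "/users/public/",
    "/downloads/",
    "/windows/temp/",
    "/programdata/",
)


def normalize(path: str) -> str:
    """Lowercase, strip quotes, resolve known %VAR%s and use '/' as the separator."""
    p = path.strip().strip('"').lower()
    for var, folder in ENV_ALIASES.items():
        p = p.replace(var, folder)
    return p.replace("\\", "/")


def is_suspicious_path(path: str) -> bool:
    p = normalize(path)
    return any(d in p for d in SUSPICIOUS_DIRS)


def evaluate(event_xml: str) -> list:
    """Return one alert per Exec action in a 4698 event that runs from a suspicious folder."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4698":
        return []
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", EVT_NS)}
    task = ET.fromstring(data.get("TaskContent", "<Task/>"))  # inner XML, unescaped by the outer parse
    alerts = []
    for action in task.iterfind(".//t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        hit = next((d for d in SUSPICIOUS_DIRS
                    if d in normalize(command) or d in normalize(arguments)), None)
        if hit:
            alerts.append({
                "rule": "task_runs_file_from_suspicious_folder",
                "task": data.get("TaskName", ""),
                "user": data.get("SubjectUserName", ""),
                "command": command,
                "arguments": arguments,
                "folder": hit,
            })
    return alerts


def make_event(task_name: str, command: str, arguments: str = "") -> str:
    """Build a constructed 4698 record the way Windows logs it: the task XML is
    escaped inside the TaskContent field. Sample data only."""
    task_xml = (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        '<Actions Context="Author"><Exec>'
        f"<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>"
        "</Exec></Actions></Task>"
    )
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4698</EventID><Channel>Security</Channel></System>"
        "<EventData>"
        '<Data Name="SubjectUserName">victim</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
        "</EventData></Event>"
    )


# Constructed events: a task hidden behind %APPDATA%, a benign vendor updater,
# and cmd.exe used as a proxy to run a script from the Public folder.
SAMPLE_EVENTS = [
    make_event(r"\Microsoft\Windows\Update\svc", r"%APPDATA%\Updater\update.exe"),
    make_event(r"\Vendor\Updater", r"C:\Program Files\Vendor\updater.exe", "/quiet"),
    make_event(r"\cleanup", r"C:\Windows\System32\cmd.exe", r'/c "C:\Users\Public\run.bat"'),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for alert in evaluate(event):
            print(alert)
```

Checking the Arguments element as well as Command matters because a task whose program is a trusted binary (cmd.exe, powershell.exe, rundll32.exe) still runs attacker code when the argument points into a user-writable folder. The %ProgramData% fragment is noisy in real estates, since many vendors install updaters there, so pair it with an allowlist of known task paths before enabling it.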

Furthermore, it is critical to train employees to recognize phishing campaigns and to keep endpoint detection and response (EDR) tooling tuned to flag obfuscated payloads, encrypted strings, and suspicious in-memory loading behaviour.

Organizations should also monitor traffic to known malicious domains and web services, preventing unauthorized data exfiltration.

As threat actors continue to refine their tools and techniques, the combination of Sapphire Werewolf and Amethyst stealer highlights the importance of proactive cybersecurity measures to safeguard critical infrastructure from sophisticated attacks.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
