Sticky Werewolf is back and attacking a pharmaceutical company

Jun 10 2024

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that's casting out the scams and netting you the latest security tips! ๐ŸŽฃ๐ŸŽฃ๐ŸŽฃ

Todayโ€™s hottest cybersecurity news stories:

  • ๐Ÿบ Sticky Werewolf expands operations to Russia, Belarus ๐ŸŒ

  • ๐Ÿ•ต๏ธ LightSpyโ€™s macOS variant has advanced surveillance ๐Ÿ“ก

  • ๐Ÿ” 7000 LockBit ransomware decryption keys released by FBIย ๐Ÿ‘ฎย 

Itโ€™s a real howler! ๐Ÿบ๐Ÿบ๐Ÿบ

Happy Big Sky GIF by ABC Network

Gif by abcnetwork on Giphy

๐Ÿšจ Sticky Werewolf Strikes Again! ๐Ÿบ

New Targets Unveiled! ๐Ÿญโœˆ๏ธ๐Ÿ’Š Sticky Werewolf is back, now attacking a pharmaceutical company, a Russian microbiology research institute, and the aviation sector. Previously focused on government entities, these hackers have broadened their horizons.

Phishing Tactics! ๐ŸŽฃ๐Ÿ“ง๐Ÿ’ป

  • Method: Phishing emails with malicious links.

  • Payload: LNK files in RAR archives leading to malware stored on WebDAV servers.

  • Outcome: Delivers Remote Access Trojans (RATs) like NetWire.

Complex Infection Chain! ๐Ÿ”—๐Ÿ“๐Ÿฆ 

Opening LNK files from these emails triggers a chain reaction:

  1. Executes a binary hosted on WebDAV.

  2. Runs an obfuscated batch script.

  3. Launches an AutoIt script to inject the final payload, evading security software.

What's Next? ๐Ÿš€๐Ÿ”

Sticky Werewolf uses CypherIT variants to deliver RATs like Rhadamanthys and Ozone.ย Attribution remains unclear, though geopolitical clues hint at potential pro-Ukrainian origins.

Other Wolves on the Prowl! ๐Ÿบ

Sapphire Werewolf: Over 300 attacks on various Russian sectors.

Fluffy Wolf & Mysterious Werewolf: Use spear-phishing to deploy malware like Remote Utilities, XMRig miner, WarZone RAT, and RingSpy backdoor.

Stay vigilant and protect your digital realm! ๐Ÿ›ก๏ธ๐Ÿ”’๐Ÿ’ป

The LightSpy who hacked me ๐Ÿ•ต๏ธ๐Ÿ•ต๏ธ๐Ÿ•ต๏ธ

๐Ÿšจ LightSpy Hits macOS! ๐Ÿ’ป

New Threats Uncovered! ๐Ÿ’ป๐Ÿ“ฑ Cybersecurity researchers have found that LightSpy spyware, initially targeting iOS users, has a macOS variant. This cross-platform malware can infect Android, iOS, Windows, macOS, Linux, and various routers!

Key Findings! ๐Ÿง๐Ÿ”

  • Exploits Used: CVE-2018-4233 and CVE-2018-4404.

  • Targets: macOS version 10, primarily via Safari WebKit flaws.

  • Payloads: Privilege escalation exploit, encryption/decryption utility, and ZIP archives.

How It Works! ๐Ÿ”—๐Ÿ› ๏ธ

  • Rogue HTML: Triggers code execution.

  • Binary as PNG: Delivers malicious code.

  • Shell Script: Fetches additional payloads.

  • Persistence: Sets up with "update" file acting as a loader.

Capabilities! ๐Ÿ›ก๏ธ๐ŸŽค๐Ÿ“ธ

LightSpy's macOS variant uses 10 plugins to:

  • Capture audio and photos

  • Record screen activity

  • Extract and delete files

  • Execute shell commands

  • Harvest browser data and iCloud Keychain info

  • Perform network discovery

In the Wild! ๐ŸŒ๐Ÿ“…

Active since January 2024, LightSpy's macOS variant has affected around 20 devices, mostly test units. Despite limited reach, its sophisticated attack chain poses significant risks.

Geopolitical Impact! ๐ŸŒ๐Ÿ•ต๏ธโ€โ™‚๏ธ

Reports of Pegasus spyware attacks on activists in Latvia, Lithuania, and Poland highlight the ongoing cyber espionage targeting Russian- and Belarusian-speaking journalists since at least 2020.

Stay informed and secure! ๐Ÿ›ก๏ธ๐Ÿ”’๐ŸŒ

๐ŸŽฃ Catch of the Day!! ๐ŸŒŠ๐ŸŸ๐Ÿฆž

Stay ahead of the curve with! ๐Ÿš€ Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." ๐Ÿค“๐Ÿ’ก Thatโ€™s us, alright! ๐Ÿคต How about you? Visionary AI executive, much? ๐Ÿ‘€

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business ๐Ÿค–๐Ÿ‘ฉโ€๐Ÿ’ป๐ŸŒ

Rest assured, the process is very straightforward.

You simply:

๐Ÿ†• Sign Up & Create Campaign

๐Ÿ“Š Define your audience, budget, and message to captivate your audience.

๐Ÿš€ Launch your campaign, as Presspoolโ€™s AI matches it with ideal newsletter audiences for optimal reach and conversions. ๐ŸŽฏ

๐Ÿ•ต๏ธ Finally, you leverage real-time analytics to track performance and refine future strategies. ๐Ÿ“ˆ Elevate your marketing game and stay informed with! ๐ŸŒŸ Simples! ๐Ÿฆฆ

Presspool.aiย ๐Ÿ“ฐ๐ŸŠ๐Ÿค– may just have what you need to succeed. And if the product isnโ€™t for you, the newsletter alone is a gamechanger. And we know newsletters ๐Ÿ˜‰

Theyโ€™re chomping at the LockBit ๐Ÿ”๐Ÿ”๐Ÿ”

๐Ÿšจ FBI Unlocks Decryption Keys for LockBit Victims! ๐Ÿ›ก๏ธ

Big News! ๐Ÿ”“๐Ÿ’ป The FBI has announced they have over 7,000 decryption keys to help victims of the LockBit ransomware recover their data for free! If you think youโ€™ve been affected, visit the FBIโ€™s Internet Crime Complaint Center at

Key Highlights! ๐Ÿ—๏ธ๐Ÿ”

  • LockBitโ€™s Reach: Linked to 2,400 attacks globally, with 1,800 in the U.S.

  • Operation Cronos: Dismantled LockBitโ€™s online infrastructure in February 2024.

  • Key Figure: Dmitry Yuryevich Khoroshev, the alleged administrator, denies involvement but was outed by authorities.

Victim Assistance! ๐Ÿ†˜

FBI Cyber Division Assistant Director Bryan Vorndran encourages victims to reach out. He also warns that paying ransoms doesnโ€™t guarantee data safety, and victims may still face future extortion.

Ransomware Reality! ๐Ÿ“Š๐Ÿ”

  • Recovery Rate: Organisations hit by ransomware recover only 57% of compromised data on average, according to the Veeam Ransomware Trends Report 2024.

  • Emerging Threats: New ransomware players like SenSayQ and CashRansomware are on the rise, refining their tactics.

Evolving Tactics! โš™๏ธ๐Ÿฆ 

LockBit and other ransomware groups are constantly evolving. The TargetCompany ransomware now uses a new Linux variant to target VMWare ESXi systems, exploiting Microsoft SQL servers for initial access.

Stay Vigilant! ๐Ÿšจ

The FBI's efforts are a big step in combating ransomware, but it's crucial for organisations to stay vigilant and prepared. Protect your data, and don't let cybercriminals hold you hostage!

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Recent articles