MimiStick — imitators of Sticky Werewolf

Sept. 27, 2024, 5:12 p.m.

Description

F.A.C.C.T. Threat Intelligence discovered a malicious file targeting Russian defense industry enterprises. The file was initially thought to be the work of Sticky Werewolf, but further analysis revealed a new threat actor named MimiStick. The attack used a PDF lure mimicking a letter from the Russian Ministry of Labor. The malware employed a multi-stage infection chain, ultimately deploying a Sliver implant. Later findings confirmed that the campaign was indeed the work of Sticky Werewolf, who had expanded their toolkit to include the Sliver implant alongside their existing Quasar RAT. The group registered multiple domains, including one impersonating the Ministry of Labor, likely for future phishing campaigns.

Date

Published: Sept. 27, 2024, 5:05 p.m.
Created: Sept. 27, 2024, 5:05 p.m.
Modified: Sept. 27, 2024, 5:12 p.m.

Indicators

Attack Patterns

Sliver

Quasar RAT

MimiStick

T1102.003

T1588.001

T1553.002

T1573.002

T1059.003

T1071.001

T1036.005

T1204.002

T1140

T1027

Additional Information

Defense

Government

Russian Federation