MimiStick — imitators of Sticky Werewolf

Sept. 27, 2024, 5:12 p.m.

Description

F.A.C.C.T. Threat Intelligence discovered a malicious file targeting Russian defense industry enterprises. Initially thought to be the work of Sticky Werewolf, further analysis revealed a new threat actor named MimiStick. The attack used a PDF lure mimicking a letter from the Russian Ministry of Labor. The malware employed a multi-stage infection chain, ultimately deploying a Sliver implant. Later findings confirmed the campaign was indeed Sticky Werewolf, who had expanded their toolkit to include Sliver implant alongside their existing Quasar RAT. The group registered multiple domains, including one impersonating the Ministry of Labor, likely for future phishing campaigns.

External References

https://habr.com/ru/companies/f_a_c_c_t/news/845766/
https://otx.alienvault.com/pulse/66f6e5caacbbdd830c3f1c8c
Tags
2024-09-27
mimistick

Date

  • Created: Sept. 27, 2024, 5:05 p.m.
  • Published: Sept. 27, 2024, 5:05 p.m.
  • Modified: Sept. 27, 2024, 5:12 p.m.

Indicators

  • ff16334c4cbbfed4bfca23436493397d0465c643cce6cbe41426067bb1ce14ff
  • b262dd5373213c5af573a08b409f8142c7f9f92b19536d7d78b4515d23452321
  • 8d83a598aa61a3f2e61bfdcdfc7b29b4c8d357eb43562d349053defa1ce50d78
  • 65096aa2895025d94b934eb4198ea160e067e8e5c97d9ea252cb2de3870b7b2f
  • 5ad093aa3eaf2bb76003f8f2f9de9b1368640aa320fa8d77df2c773f75186a71
  • 3877f9fd6b21ee735130421dcf997cf000ae66b20a1c6a490f23431b2f95fa90
  • 213.183.54.123
  • techitzone.ru
  • rtxcore.ru
  • orkprank.ru
  • mysafer.ru
  • min-trud-gov.ru
  • about-tech.ru
  • borosan.ru
Download all indicators here!

Attack Patterns

  • Sliver
  • Quasar RAT
  • MimiStick

Additional Informations

  • Defense
  • Government
  • Russian Federation