Sapphire Werewolf refines Amethyst stealer to attack energy companies
April 9, 2025, 8:10 p.m.
Description
The Sapphire Werewolf cluster has upgraded its toolkit with a new version of the Amethyst stealer and is targeting energy companies through phishing emails. The enhanced malware features advanced checks for virtualized environments and uses Triple DES for string encryption. The phishing emails carry a malicious attachment disguised as an official memo; the attachment contains a C#-based loader protected with .NET Reactor. The Amethyst stealer collects extensive system data, credentials from various applications, and documents from compromised systems. The threat actor's approach includes improved evasion techniques and data exfiltration methods, posing a significant risk to targeted organizations.
Date
- Created: April 9, 2025, 3:50 p.m.
- Published: April 9, 2025, 3:50 p.m.
- Modified: April 9, 2025, 8:10 p.m.
Additional Information
- Energy