A new report from BI.ZONE Threat Intelligence reveals that the threat actor Sapphire Werewolf is actively refining its tools, with a focus on the updated Amethyst stealer malware. The latest campaigns employing this malware have been specifically targeting energy companies, raising concerns about potential disruptions and data breaches in this critical sector.
The report highlights a key trend: “The adversaries are improving their own tools to get around security solutions more effectively.” This is evident in the updated Amethyst stealer, which incorporates several enhancements designed to evade detection and increase its effectiveness.
One significant update is the inclusion of “advanced checks for virtualized environments.” This allows the malware to better identify and potentially evade analysis within sandboxes and virtual machines, a common tactic used by security researchers to study malware behavior.
Furthermore, the updated Amethyst stealer employs the Triple DES algorithm for string encryption. While .NET loaders often encrypt the entire code, Sapphire Werewolf’s approach is more granular: “Triple DES covers almost every single string that comprises an argument of the functions called by the malware.” This makes it more challenging for security analysts to quickly understand the malware’s functionality by examining plain text strings within the code.
The attack chain typically begins with a phishing email. Sapphire Werewolf disguises a malicious attachment as an official memo, sent under the guise of an HR representative. The report provides an example of such an email, showing a message with a subject line in Russian and an attachment named “Служебная записка.rar” (Russian for “memo”).
This archive contains an executable file, often with a deceptive PDF icon, that serves as a .NET loader. This loader then decodes and executes a Base64-encoded payload, which is the Amethyst stealer itself.
The Amethyst stealer is designed to steal various types of sensitive information from compromised systems. This includes:
- Credentials from browsers, messaging apps (like Telegram), and other software (like FileZilla and VPN clients).
- Configuration files from remote desktop and VPN connections.
- Various documents, including those stored on removable media.
By stealing credentials, the attackers can gain access to a wide range of systems and sensitive data.
In conclusion, the BI.ZONE Threat Intelligence report reveals that Sapphire Werewolf is actively developing and deploying the Amethyst stealer with enhanced capabilities. The targeting of energy companies underscores the potential for significant damage. Organizations in this sector, and others, must remain vigilant against these evolving threats.