Pierluigi Paganini June 10, 2024

Morphisec researchers observed a threat actor, tracked as Sticky Werewolf, targeting entities in Russia and Belarus.

Sticky Werewolf is a threat actor that was first spotted in April 2023, initially targeting public organizations in Russia and Belarus. The group has expanded its operations to various sectors, including a pharmaceutical company and a Russian research institute specializing in microbiology and vaccine development.

In their latest campaign, Sticky Werewolf targeted the aviation industry with emails supposedly from the First Deputy General Director of AO OKB Kristall, a Moscow-based company involved in aircraft and spacecraft production and maintenance. Previously, the group used phishing emails with links to malicious files. In the latest campaign, the threat actor used archive files containing LNK files that pointed to a payload stored on WebDAV servers.

After executing the binary hosted on a WebDAV server, an obfuscated Windows batch script is launched. The script runs an AutoIt script that ultimately injects the final payload.

“In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io. However, in their latest campaign, the infection method has changed.” reads the analysis published by Morphisec. “The initial email includes an archive attachment; when the recipient extracts the archive, they find LNK and decoy files. These LNK files point to an executable hosted on a WebDAV server. Once executed, this initiates a Batch script, which then launches an AutoIt script that ultimately injects the final payload.”

The archive includes a decoy PDF File and two LNK Files Masquerading as DOCX Documents named Повестка совещания.docx.lnk (Meeting agenda) and Список рассылки.docx.lnk (Mailing list) respectively. 

The threat actor used phishing messages allegedly sent by the First Deputy General Director and Executive Director of AO OKB Kristall. The recipients are individuals from the aerospace and defense sector who are invited to a video conference on future cooperation. The messages use a password-protected archive containing a malicious payload.

The payloads employed by the threat actors include commodity RATs or stealers. Recently, Sticky Werewolf was spotted using Rhadamanthys Stealer and Ozone RAT in their campaigns. In previous attacks the group also deployed MetaStealer, DarkTrack, and NetWire.

“These malwares enable extensive espionage and data exfiltration. While there is no definitive evidence of Sticky Werewolf’s national origin, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, though this attribution remains uncertain.” concludes the report that also includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, malware)