Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a group suspected to have geopolitical and/or hacktivist ties. While the group’s geographical origin and home base remain unclear, recent attack techniques suggest espionage and data exfiltration intent.
Sticky Werewolf is a cyber threat group first detected in April 2023; early activities primarily targeted public organizations in Russia and Belarus. The group’s operations have since extended to several sectors, targeting a pharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and more.
In their most recent campaign, Sticky Werewolf have targeted the aviation industry with emails supposedly from the First Deputy General Director of AO OKB Kristall (a Moscow-based company involved in the production and maintenance of aircraft and spacecraft). In previous campaigns the group used phishing emails with links to malicious files. This latest campaign used archive files containing LNK files pointing to a payload stored on WebDAV servers.
In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io. However, in their latest campaign, the infection method has changed.
The initial email includes an archive attachment; when the recipient extracts the archive, they find LNK and decoy files. These LNK files point to an executable hosted on a WebDAV server. Once executed, this initiates a Batch script, which then launches an AutoIt script that ultimately injects the final payload.
The phishing email, purportedly sent by the First Deputy General Director and Executive Director of AO OKB Kristall, targets individuals in the aerospace and defense sector.
The email invites recipients to a video conference on future cooperation, providing a password-protected archive that containing a malicious payload, and aims to deceive recipients into opening the harmful attachment under the lure of a legitimate business invitation.
The initial archive delivered in the phishing email contains three files designed to deceive the recipient into executing at least one of the malicious email’s contents.
The archive includes:
The PDF file, included as a decoy in the phishing archive, is an invitation to a video conference organized by AO "OKB Kristall" with key enterprises of the "Russian Helicopters" holding. The conference aims to discuss "Issues of prospective cooperation 2024-2025."
The PDF also references the two malicious LNK files as attachments, increasing the likelihood of the recipient opening them.
Once the victim clicks the LNK files, the following actions will be triggered:
Executes the command which performs multiple actions:
1. Registry Entry for Persistence: Adds a registry entry to run WINWORD.exe from a network share (\\94.156.8[.]166\Microsoft Office Word$\WINWORD.exe) on login.
2. Decoy Message: Displays a message in Russian indicating a document opening error, claiming the file is corrupted.
Executes the command \\document-cdn[.]org\Microsoft Office Word$\WINWORD.exe, which will launch the same executable as in the first LNK file, this time with the domain name resolved by the above IP (at the time of writing).
Once the victim clicks the LNK file, the executable from the network share begins running. This executable is an NSIS self-extracting archive which is part of a previously known crypter named CypherIT.
This crypter has been used for several years to deliver malicious payloads in various campaigns by multiple threat actors. While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as observed in couple of hacking forums.
The NSIS archive extracts its files into the $INTERNET_CACHE directory, which corresponds to %LocalAppData%\Microsoft\Windows\INetCache, and is typically used for Internet Explorer's temporary files. After extraction, the installer runs one of the files, an obfuscated batch script.
This batch script performs several operations:
|
Process Name |
Vendor |
|
avastui.exe |
AVG Antivirus |
|
avgui.exe |
AVG Antivirus |
|
nswscsvc.exe |
Norton Security |
|
opssvc.exe | sophoshealth.exe |
Sophos Endpoint Protection |
|
wrsa.exe |
Webroot |
Table: Processes monitored by the Batch script and their corresponding security vendors.
The executed AutoIT script has various capabilities such as anti-analysis, anti-emulation, persistence, and unhooking. Its main goal is to inject the payload and establish persistence while evading security solutions and analysis attempts.
The script checks for artifacts or signs belonging to security vendors' emulators and environments:
|
Artifact-Type |
Value |
Vendor |
|
Computer Name |
tz |
BitDefender Emulator |
|
Computer Name |
NfZtFbPfH |
Kaspersky Emulator |
|
Computer Name |
ELICZ |
AVG Emulator |
|
Username |
test22 |
|
|
Process name |
avastui.exe |
AVG Antivirus |
|
File Name |
C:\aaa_TouchMeNot_.txt |
Windows Defender Emulator |
|
Process Name |
bdagent.exe |
Bitdefender |
|
Process Name |
avp.exe |
Kaspersky |
The script then overrides ntdll.dll by mapping a clean copy from the disk and replacing the .text section of the one loaded — a known technique to remove hooking.
Persistence is established via a scheduled task or the startup directory.
Before injecting the payload, it decrypts it using two shellcodes that perform RC4 decryption.
The decrypted bytes are decompressed using RtlDecompressFragment with COMPRESSION_FORMAT_LZNT1. The final payload is then injected using a process hollowing into a legitimate AutoIT process.
The injected payloads typically include commodity RATs or stealers. Recently, Sticky Werewolf has utilized Rhadamanthys Stealer and Ozone RAT in their campaigns. Previously, the group deployed MetaStealer, DarkTrack, NetWire, among others. These malwares facilitate extensive espionage and data exfiltration.
While there is no definitive evidence pointing to a specific national origin for the Sticky Werewolf group, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, but this attribution remains uncertain.
Morphisec's Automated Moving Target Defense (AMTD) effectively stops attacks, which typically include commodity RATs or stealers, (like those used by the Sticky Werewolf group) at various stages of the attack chain.
Morphisec doesn’t rely on signature or behavioral patterns. Instead, it uses its patented AMTD technology to prevent the attack at its earliest stages, preemptively blocking attacks on memory and applications, and effectively remediating the need for response.
Schedule a demo today to see how Morphisec stops Sticky Werewolf and other new emerging threats.