Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks

Posted by Arnold Osipov on June 6, 2024
Find me on:

Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a group suspected to have geopolitical and/or hacktivist ties. While the group’s geographical origin and home base remain unclear, recent attack techniques suggest espionage and data exfiltration intent.  

Morphisec_Werewolf_1200x628_v.1.41-ezgif.com-png-to-webp-converter-1

Introduction

Sticky Werewolf is a cyber threat group first detected in April 2023; early activities primarily targeted public organizations in Russia and Belarus. The group’s operations have since extended to several sectors, targeting a pharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and more.  

In their most recent campaign, Sticky Werewolf have targeted the aviation industry with emails supposedly from the First Deputy General Director of AO OKB Kristall (a Moscow-based company involved in the production and maintenance of aircraft and spacecraft). In previous campaigns the group used phishing emails with links to malicious files. This latest campaign used archive files containing LNK files pointing to a payload stored on WebDAV servers. 

 

Infection Chain 

In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io. However, in their latest campaign, the infection method has changed.  

The initial email includes an archive attachment; when the recipient extracts the archive, they find LNK and decoy files. These LNK files point to an executable hosted on a WebDAV server. Once executed, this initiates a Batch script, which then launches an AutoIt script that ultimately injects the final payload. 

Attack chain diagram of Sticky Werewolf attacks

Technical Analysis

Phishing Email

The phishing email, purportedly sent by the First Deputy General Director and Executive Director of AO OKB Kristall, targets individuals in the aerospace and defense sector.  

The email invites recipients to a video conference on future cooperation, providing a password-protected archive that containing a malicious payload, and aims to deceive recipients into opening the harmful attachment under the lure of a legitimate business invitation. 

Typical Sticky Werewolf Phising Email

Email Attachment 

The initial archive delivered in the phishing email contains three files designed to deceive the recipient into executing at least one of the malicious email’s contents.  

The archive includes: 

  • A Decoy PDF File: This file serves as a distraction, providing seemingly legitimate content to reduce suspicion while the LNK files execute the malicious payload. 
  • Two LNK Files Masquerading as DOCX Documents:
    • Повестка совещания.docx.lnk (Meeting agenda): This file is intended to appear as a legitimate document outlining the meeting agenda. 
    • Список рассылки.docx.lnk (Mailing list): This file is disguised as a document containing the distribution list for the meeting. 

PDF

The PDF file, included as a decoy in the phishing archive, is an invitation to a video conference organized by AO "OKB Kristall" with key enterprises of the "Russian Helicopters" holding. The conference aims to discuss "Issues of prospective cooperation 2024-2025." 

The PDF also references the two malicious LNK files as attachments, increasing the likelihood of the recipient opening them. 

  • Meeting agenda (Повестка совещания.docx.lnk) 
  • Mailing list (Список рассылки.docx.lnk) 
PDF sent by Sticky Werewolf in phishing email

 

LNKs 

Once the victim clicks the LNK files, the following actions will be triggered: 

First LNK - Повестка совещания.docx.lnk (Meeting agenda) 

Executes the command which performs multiple actions: 

Command line code run after clicking LNK within the .PDF

 

1. Registry Entry for Persistence: Adds a registry entry to run WINWORD.exe from a network share (\\94.156.8[.]166\Microsoft Office Word$\WINWORD.exe) on login.

 
2. Decoy Message: Displays a message in Russian indicating a document opening error, claiming the file is corrupted.

Fake "message from John" generated by the LNK file.

3. Copies image.jpg from another network share (\\79.132.128[.]47\image.jpg) to the local root directory. The file was unavailable at the time of research and is suspected to be used as a decoy. 

Second LNK - Список рассылки.docx.lnk (Mailing List) 

Executes the command \\document-cdn[.]org\Microsoft Office Word$\WINWORD.exe, which will launch the same executable as in the first LNK file, this time with the domain name resolved by the above IP (at the time of writing). 

 

CypherIT Loader / Crypter 

Once the victim clicks the LNK file, the executable from the network share begins running. This executable is an NSIS self-extracting archive which is part of a previously known crypter named CypherIT.  

This crypter has been used for several years to deliver malicious payloads in various campaigns by multiple threat actors. While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as observed in couple of hacking forums. 

The NSIS archive extracts its files into the $INTERNET_CACHE directory, which corresponds to %LocalAppData%\Microsoft\Windows\INetCache, and is typically used for Internet Explorer's temporary files. After extraction, the installer runs one of the files, an obfuscated batch script. 

 

Batch Script 

sticky-werewolf5-ezgif.com-png-to-webp-converter

This batch script performs several operations: 

  • Delay Execution: If wrsa.exe or opssvc.exe processes are running, the script delays execution by running ping -n 193 127.0.0.1. 
  • Change Filenames: If any of the following processes are present: avastui.exe, avgui.exe, nswscsvc.exe, sophoshealth.exe, the script changes the filenames for the next stage AutoIt executable and script file extension. 
  • File Concatenation: Concatenates multiple files into two files: 
    • A legitimate AutoIt executable. 
    • A compiled AutoIt script. 
  • Execute AutoIt: Runs the AutoIt executable, passing the compiled script as an argument. 

Process Name 

Vendor 

avastui.exe 

AVG Antivirus 

avgui.exe 

AVG Antivirus 

nswscsvc.exe 

Norton Security 

opssvc.exe | sophoshealth.exe 

Sophos Endpoint Protection 

wrsa.exe 

Webroot 

Table: Processes monitored by the Batch script and their corresponding security vendors. 

AutoIT Script 

The executed AutoIT script has various capabilities such as anti-analysis, anti-emulation, persistence, and unhooking. Its main goal is to inject the payload and establish persistence while evading security solutions and analysis attempts. 

Anti-Analysis and Anti-Emulation 

The script checks for artifacts or signs belonging to security vendors' emulators and environments: 

Call functions used by Sticky Werewolf

Artifact-Type 

Value 

Vendor 

Computer Name 

tz 

BitDefender Emulator 

Computer Name 

NfZtFbPfH 

Kaspersky Emulator 

Computer Name 

ELICZ 

AVG Emulator 

Username 

test22 

 

Process name 

avastui.exe 

AVG Antivirus 

File Name 

C:\aaa_TouchMeNot_.txt 

Windows Defender Emulator 

Process Name 

bdagent.exe 

Bitdefender 

Process Name 

avp.exe 

Kaspersky 

 

The script then overrides ntdll.dll by mapping a clean copy from the disk and replacing the .text section of the one loaded — a known technique to remove hooking. 

Persistence 

Persistence is established via a scheduled task or the startup directory. 

Decryption and Injection 

Before injecting the payload, it decrypts it using two shellcodes that perform RC4 decryption. 

  1. The first shellcode performs the key scheduling algorithm using the provided passphrase. 
  2. The second shellcode implements the PRGA of the RC4 stream cipher. 

sticky-werewolf (7)

The decrypted bytes are decompressed using RtlDecompressFragment with COMPRESSION_FORMAT_LZNT1. The final payload is then injected using a process hollowing into a legitimate AutoIT process. 

 

Conclusion 

The injected payloads typically include commodity RATs or stealers. Recently, Sticky Werewolf has utilized Rhadamanthys Stealer and Ozone RAT in their campaigns. Previously, the group deployed MetaStealer, DarkTrack, NetWire, among others. These malwares facilitate extensive espionage and data exfiltration. 

While there is no definitive evidence pointing to a specific national origin for the Sticky Werewolf group, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, but this attribution remains uncertain. 

 

How Morphisec Helps 

Morphisec's Automated Moving Target Defense (AMTD) effectively stops attacks, which typically include commodity RATs or stealers, (like those used by the Sticky Werewolf group) at various stages of the attack chain.  

Morphisec doesn’t rely on signature or behavioral patterns. Instead, it uses its patented AMTD technology to prevent the attack at its earliest stages, preemptively blocking attacks on memory and applications, and effectively remediating the need for response.  

Schedule a demo today to see how Morphisec stops Sticky Werewolf and other new emerging threats.   

New call-to-action

IOCs 

EXE 

  • 05880ff0442bbedc8f46076ef56d4d1ffeda68d9ef26b659c4868873fa84c1a9 
  • 03ee2011ad671b1781015024ea53edfbff92c28c2b123bba02d6a6f462e74105 
  • 1301ec3006ad03742bfaef047aa434320aa0e725a99be5d6be27b955a814fcf4 

LNK 

  • c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0 
  • ce2b6d3aad07d3dec2b24f676cc9d2022bab5a086c7e773f9cfa3e7b7dc6d66a 

Decoy 

  • 9eddffbef4d9d7329d062db0a93c933104d00f12106bf91fa3b58e8f8b19aa41 
  • 217196571088cfd63105ae836482d742befcb7db37308ce757162c005a5af6ab 
  • 3ccbd8bd7424506b26491e5ff5ff55b000adaab1074ccf3b7452d0883f668040 
  • d6e6c786b793b46a1ee9b18b058e045d0aa1c83aa2b6aa493637f611d654d957 
  • d973e7854f10b4d0a1060e55022dceadc51d038cee85d05e2c2c2fd3b40a42be 

C2 

  • 79.132.128[.]47 
  • 94.156.8[.]166 
  • document-cdn[.]org 
  • 94.156.8[.]211