A threat actor suspected of having geopolitical and/or hacktivist motivations has been linked to cyber campaigns targeting public organizations in Russia and Belarus since at least April 2023.
The group, tracked as “Sticky Werewolf,” has since broadened its operations to other sectors, including a pharmaceutical company and a Russian microbiology and vaccine development research institute. While the exact geographical origin and base of operations of Sticky Werewolf remain unknown, the evidence points to a focus on espionage and data exfiltration. The geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists.
Sticky Werewolf’s most recent operation, detailed by Morphisec Labs, has been targeting the aviation industry in Russia and Belarus. The group has been sending emails purportedly from the First Deputy General Director of AO OKB Kristall, a Moscow-based company involved in aircraft and spacecraft production and maintenance.
While previous campaigns used phishing emails carrying malicious file links, Morphisec noted, the latest tactics rely on archive files containing LNK files that lead to a payload hosted on WebDAV servers.
The infection chain begins with an initial phishing email containing an archive attachment. When extracted, the archive reveals LNK and decoy files. The LNK files point to an executable hosted on a WebDAV server. Execution of these files triggers a batch script that launches an AutoIt script, culminating in the injection of the final payload.
The archive contains three files: a decoy PDF file and two LNK files disguised as DOCX documents. Clicking on either LNK file leads to the execution of an NSIS self-extracting archive from the network share. This executable is linked to CypherIT, a crypter previously observed in campaigns by multiple threat actors and used to deliver malicious payloads. Although the original CypherIT crypter is no longer available, a variant of it is still available on hacking forums.
Upon extraction, the installer runs an obfuscated batch script. This script performs several operations, including running an AutoIt executable with capabilities such as anti-analysis, anti-emulation, persistence, and unhooking. Its primary objective is to inject the payload and establish persistence while evading security measures and analysis attempts.
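The delivery stage described above (an archive holding a decoy document plus LNK files posing as DOCX, whose targets sit on a WebDAV share) lends itself to a simple mail-gateway or sandbox triage check. The script below is an added example, not code from Morphisec or from the campaign: it walks a ZIP attachment, flags shortcut members that carry a document double extension, verifies the Shell Link header, and pulls any UNC/WebDAV target path out of the LNK bytes. The archive, the IP address and the file names are constructed placeholders.

```python
import io
import re
import zipfile

# Shell Link (.lnk) header: 4-byte size 0x4C followed by the LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# A document-looking name that is really a shortcut, e.g. "Report.docx.lnk".
DOUBLE_EXT = re.compile(r"\.(docx?|pdf|xlsx?|rtf)\.lnk$", re.I)
# UNC path, including the WebClient form \\host@port\DavWWWRoot\... used for WebDAV.
UNC_PATH = re.compile(r"\\\\[\w.\-]+(?:@\w+)*\\\S+", re.I)

def utf16_strings(data: bytes, min_len: int = 6):
    """Yield printable UTF-16LE strings embedded in a binary blob."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.group().decode("utf-16le")

def triage_archive(blob: bytes):
    """Return one finding per .lnk member: header validity, double extension, remote targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(".lnk"):
                continue
            data = zf.read(name)
            is_lnk = data.startswith(LNK_MAGIC) and data[4:20] == LNK_CLSID
            targets = [s for s in utf16_strings(data) if UNC_PATH.search(s)]
            findings.append({
                "member": name,
                "valid_lnk_header": is_lnk,
                "double_extension": bool(DOUBLE_EXT.search(name)),
                "remote_targets": targets,
            })
    return findings

def build_sample() -> bytes:
    """Constructed sample: a decoy PDF and two shortcuts posing as DOCX (placeholder data, not campaign files)."""
    target = r"\\203.0.113.5@80\DavWWWRoot\docs\setup.exe".encode("utf-16le")
    # 76-byte header (magic + CLSID + zeroed fields) followed by the UTF-16LE target path.
    fake_lnk = LNK_MAGIC + LNK_CLSID + b"\x00" * 56 + target + b"\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Contract.docx.lnk", fake_lnk)
        zf.writestr("Annex.docx.lnk", fake_lnk)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_archive(build_sample()):
        print(finding)
```

A real LNK also stores the target in a structured LinkInfo block and may hide it behind command-line arguments; the string scan here is a first-pass heuristic, so treat any valid-header shortcut with a double extension as suspicious even when no UNC path is recovered.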
“The injected payloads typically include commodity RATs or stealers. Recently, Sticky Werewolf has utilized Rhadamanthys Stealer and Ozone RAT in their campaigns. Previously, the group deployed MetaStealer, DarkTrack, NetWire, among others. This malware facilitates extensive espionage and data exfiltration,” Morphisec wrote in the report.