Sticky Werewolf – Threat Actor

Overview

Public Organizations in Russia and Belarus: Their early activities focused on public sector entities in these countries, suggesting an interest in geopolitical intelligence or local governmental affairs. Pharmaceutical Companies: They have targeted pharmaceutical firms, potentially aiming to access sensitive research data, proprietary information, or intellectual property related to medical advancements. Research Institutes: Particularly those involved in microbiology and vaccine development. This indicates a focus on scientific and technological advancements, possibly for espionage or competitive advantage. Aerospace Industry: Recent campaigns have targeted organizations in the aerospace sector, including companies involved in the production and maintenance of aircraft and spacecraft. This reflects a strategic interest in aerospace technologies and defense-related information. Defense Sector: Their operations have also extended to defense-related entities, aligning with their broader geopolitical and espionage objectives.

Attack Vectors

Phishing

Credential-based Attacks

How they operate

Phishing Email Execution

The Sticky Werewolf campaign begins with a meticulously crafted phishing email, masquerading as a legitimate business communication. In their latest attack, the email claims to be from the First Deputy General Director of AO OKB Kristall, a Moscow-based aerospace firm. This email entices recipients in the aerospace and defense sectors to engage in a seemingly routine video conference. The attachment, however, is a password-protected archive file that, once extracted, reveals a set of malicious components. The deception lies in the file’s appearance: it includes decoy documents, such as PDFs and LNK files, designed to mislead users into executing harmful payloads.

Malicious Archive and Payload Delivery

Upon extraction, the archive presents multiple files, including LNK files that point to malicious payloads hosted on WebDAV servers. The LNK files are crafted to execute a series of commands when clicked. The first LNK file, disguised as a meeting agenda, initiates a chain of processes designed to establish persistence and obfuscate the attack. It adds a registry entry to ensure the execution of a malicious executable from a network share upon system startup. Simultaneously, it displays a false error message to divert attention while copying decoy files from network shares. The second LNK file, masquerading as a mailing list, executes a command that runs a similar executable but uses different network paths, further complicating detection and analysis. This executable is a variant of the CypherIT crypter, which has been utilized in previous campaigns. It functions as an NSIS self-extracting archive, deploying a series of malicious files into the system’s temporary internet cache directory.

Execution and Obfuscation

The core component of Sticky Werewolf’s malware is a sophisticated batch script executed by the crypter. This script performs several critical functions: it delays execution if certain security processes are detected, changes filenames to evade detection, and concatenates files for further obfuscation. It also executes an AutoIt script that performs anti-analysis checks and establishes persistence. The AutoIt script is designed to bypass security measures and ensure the malware’s survival on the infected system.

Payload Injection and Final Stages

The AutoIt script is equipped with capabilities to handle various evasion techniques, including detecting and counteracting security emulators and replacing critical system files to prevent analysis. It employs RC4 encryption to decrypt the final payload, which is then injected into a legitimate AutoIt process using process hollowing techniques. This payload typically includes commodity RATs or stealers, such as Rhadamanthys Stealer and Ozone RAT, facilitating extensive espionage and data exfiltration.

MITRE Tactics and Techniques

Phishing (T1566) Spear Phishing Attachment (T1566.001) Command-Line Interface (T1059) Obfuscated Files or Information (T1027) Process Injection (T1055) Scheduled Task/Job (T1053) Registry Run Keys / Startup Folder (T1547.001) Persistence (T1543.003) Network Share Discovery (T1135) Data Staged (T1074) Exfiltration Over Command and Control Channel (T1041)

Impact / Significant Attacks

Pharmaceutical Industry Attack: Sticky Werewolf targeted a prominent pharmaceutical company, compromising sensitive research and development data. This attack exemplifies their focus on sectors with valuable intellectual property and potential for significant impact. Russian Research Institute Attack: The group targeted a Russian research institute specializing in microbiology and vaccine development. This attack underscores Sticky Werewolf’s interest in high-profile and high-value targets, particularly those involved in sensitive scientific research. Aviation Industry Campaign: In a recent campaign, Sticky Werewolf targeted the aviation industry with a sophisticated phishing scheme. The attack involved emails disguised as communications from the First Deputy General Director of AO OKB Kristall, aiming to exploit vulnerabilities within the aerospace and defense sector. European Government Entities: Sticky Werewolf has also been linked to attacks on government entities in Europe. These attacks involved targeted phishing campaigns and data exfiltration efforts, reflecting the group’s broader geopolitical motivations and their aim to access sensitive governmental information.

References:

• Howling at the Inbox: Sticky Werewolf’s Latest Malicious Aviation Attacks
• Expanding Cyber Threats: Sticky Werewolf Targets Russia and Belarus