Sticky Werewolf attacks Russian aircraft

Tomcat

Automated scripts help hackers bypass security systems.

Cybersecurity researchers from Morphisec have disclosed details of malicious activity by the Sticky Werewolf group, which is linked to cyber attacks on enterprises in Russia and Belarus.

Previously identified attacks targeted an unnamed pharmaceutical company and the Russian Research Institute of Microbiology and Vaccine Development. Now the Russian aviation sector has taken the brunt.

"In previous Sticky Werewolf campaigns, the infection chain started with phishing emails containing a link to download a malicious file from platforms such as gofile.io. This is the first time that we've seen this," said security researcher Arnold Osipov. "The last campaign used archive files with LNK files leading to the payload stored on WebDAV servers."

Sticky Werewolf is one of many groups targeting Russia and Belarus, along with Cloud Werewolf, Quartz Wolf, Red Wolf, and Scaly Wolf. The group was first documented by BI.ZONE researchers in October 2023. Sticky Werewolf is believed to have been active since at least April 2023.

A new chain of attacks observed by Morphisec involves the use of RAR archive attachments, which, when extracted, contain two LNK files and a distracting PDF document.

The email itself is written in the name of OKB Kristall JSC, a real Russian company that develops and produces microelectronic components and systems used across various branches of Russian industry.

Recipients were asked to download the archive and open the LNK files inside it to receive the agenda of an "upcoming video conference". Opening either LNK file launches an executable hosted on a WebDAV server, which in turn runs an obfuscated Windows script.

This script then runs an AutoIt script that eventually injects the final payload, while bypassing security software and avoiding analysis attempts.
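A defender-side illustration of the chain described above (an added example, not code from Morphisec's report): a small scanner that tags process-creation events where Explorer launched a binary directly from a WebDAV path, where a child process descends from such a binary, or where an AutoIt interpreter or .a3x script appears. The events are simplified Sysmon-style dictionaries, and every host name and file name in them is constructed for the example.

```python
import re

# Constructed sample process-creation events (simplified Sysmon event 1 fields);
# host names and file names are invented for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"\\webdav.example.invalid@SSL\DavWWWRoot\docs\agenda.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"\\webdav.example.invalid@SSL\DavWWWRoot\docs\agenda.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"\\webdav.example.invalid@SSL\DavWWWRoot\docs\agenda.exe",
     "CommandLine": "cmd.exe /c stage.cmd"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\host.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "host.exe loader.a3x"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "WINWORD.EXE report.docx"},
]

# The Windows WebDAV mini-redirector exposes shares as \\host\DavWWWRoot\...
# or \\host@SSL\DavWWWRoot\... ; the host segment absorbs any @SSL/@port suffix.
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+\\DavWWWRoot\\", re.IGNORECASE)
# Heuristic only: the interpreter name or a .a3x script argument on the command line.
AUTOIT_HINT = re.compile(r"autoit3\.exe|\.a3x\b", re.IGNORECASE)


def is_webdav_path(path: str) -> bool:
    return bool(WEBDAV_UNC.match(path))


def classify_event(ev: dict) -> list:
    """Return the detection tags that apply to one process-creation event."""
    tags = []
    parent = ev["ParentImage"]
    if is_webdav_path(ev["Image"]) and parent.lower().endswith("\\explorer.exe"):
        # A user opened something (e.g. an LNK) that ran a binary straight off WebDAV.
        tags.append("webdav_exec_from_explorer")
    if is_webdav_path(parent):
        tags.append("child_of_webdav_exec")
    if AUTOIT_HINT.search(ev["CommandLine"]) or AUTOIT_HINT.search(ev["Image"]):
        tags.append("autoit_indicator")
    return tags


def scan(events: list) -> list:
    """Return (index, tags) for every event that triggered at least one tag."""
    tagged = ((i, classify_event(ev)) for i, ev in enumerate(events))
    return [(i, t) for i, t in tagged if t]
```

Compiled AutoIt payloads will not carry the interpreter name, so the AutoIt tag is a weak signal on its own; the WebDAV-origin tags are the stronger indicators for this chain.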

"This executable file is a self-extracting NSIS archive, which is part of the previously known cryptor CypherIT," Osipov said. "Although the original CypherIT is no longer for sale, the current executable is a variation of it, distributed on several hacker forums at once."

The goal of the campaign is to deliver remote access trojans (RATs) and information stealers such as Rhadamanthys and Ozone RAT to devices in the target companies, thereby compromising enterprises in critical industries.

Sticky Werewolf's sophisticated attempts to attack the Russian aviation industry are a clear signal of the need to strengthen the cybersecurity of critical infrastructure. Hacker groups are constantly improving their methods, so timely implementation of appropriate protective measures is a priority.