Monday, January 27, 2025

Sticky Werewolf Group Weaponizing LNK Files to Attack Organizations

Sticky Werewolf, a cyber threat group, has changed its delivery method: instead of phishing emails carrying download links to malicious files, it now sends archive attachments containing LNK files, which act as shortcuts to malicious executables hosted on WebDAV servers. 

When a user opens the LNK, a batch script runs and launches an AutoIt script that delivers the final payload. Because the chain starts as soon as the user executes the shortcut, it removes the separate download step that the group's earlier phishing lures relied on. 

Infection Chain

The cyberespionage group Sticky Werewolf is targeting the aviation industry with phishing emails disguised as business invitations from AO OKB Kristall, a legitimate Russian aerospace company. The emails carry an archive attachment containing two malicious LNK files masquerading as DOCX documents and a decoy PDF file.


Clicking the LNK files triggers a batch script that launches an AutoIt script to deliver the final payload, a significant shift from Sticky Werewolf's previous tactic of using links to download malware directly from file-sharing platforms. 

Phishing Email

A phishing email with a decoy PDF attachment targets enterprises connected to Russian helicopters; the PDF mentions a video conference and references the two malicious LNK files, which are disguised as meeting documents. 

Clicking either LNK file triggers an NSIS self-extracting archive, a variant of the CypherIT crypter, which downloads and runs a malicious executable from a network share.

The extracted files land in the Internet Explorer temporary files directory, and then a batch script is executed. 

Two malicious LNK files, disguised as Word documents, are offered to the user, and clicking either one triggers the same sequence of events. First, the LNK adds a registry entry so that a compromised WINWORD.exe runs persistently at login. 

Then it displays a decoy error message to distract the user. The first LNK additionally copies a potentially deceptive image file, while the second LNK behaves similarly and launches the malicious WINWORD.exe. 

Batch Script

A batch script within the LNK delays execution if specific antivirus processes are running and potentially renames files to evade detection.

Finally, the script combines a legitimate AutoIt executable with a malicious script and executes them. 

Processes monitored by the Batch script and their corresponding security vendors. 

This malicious AutoIt script aims to evade detection, establish persistence, and check for signatures of security environments and debuggers. It injects a clean copy of ntdll.dll to bypass user-mode hooking, effectively unhooking any monitoring that depends on those hooks. 

Persistence is achieved through scheduled tasks or startup directory modifications, where the payload, hidden within the script, is decrypted using a two-stage RC4 process with a user-defined passphrase. 

According to Morphisec, the decrypted and decompressed payload is injected via process hollowing into a legitimate AutoIt process, making it harder to detect.
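The chain described above leaves telemetry a defender can match on: a batch script executed from the Internet Explorer temporary files directory, an AutoIt interpreter that may have been renamed, and a Run-key entry pointing at a WINWORD.exe outside the Office install path. The following detection logic is an added example, not code from the article or from Morphisec; it runs over constructed Sysmon-style event records (the paths, SID and file names are invented) and uses the PE OriginalFileName field so that renaming the interpreter does not defeat the check.

```python
import re

# Constructed sample events shaped like Sysmon event 1 (process create) and
# event 13 (registry value set). These are not real telemetry.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\u\AppData\Local\Microsoft\Windows\INetCache\IE\Q1ABCD\run.bat"'},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Microsoft\Windows\INetCache\IE\Q1ABCD\svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": "svchost.exe payload.au3"},
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Office",
     "Details": r"C:\Users\u\AppData\Local\Temp\WINWORD.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "WinWord.exe",
     "CommandLine": '"WINWORD.EXE" report.docx'},  # benign control case
]

IE_TEMP = re.compile(r"\\AppData\\Local\\Microsoft\\Windows\\(INetCache|Temporary Internet Files)\\", re.I)
OFFICE_DIR = re.compile(r"\\Program Files( \(x86\))?\\Microsoft Office\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)

def evaluate(ev):
    """Return the names of the detection rules that one event matches."""
    hits = []
    if ev["EventID"] == 1:
        image, cmd = ev["Image"], ev.get("CommandLine", "")
        # Stage 1: cmd.exe running a .bat that lives in the IE temp directory,
        # where the NSIS archive drops its contents.
        if image.lower().endswith("\\cmd.exe") and ".bat" in cmd.lower() and IE_TEMP.search(cmd):
            hits.append("batch_from_ie_temp")
        # Stage 2: the AutoIt interpreter. Match on the PE's OriginalFileName,
        # not the on-disk name, because the batch script may rename the binary.
        if ev.get("OriginalFileName", "").lower() == "autoit3.exe":
            renamed = not image.lower().endswith("\\autoit3.exe")
            if renamed or IE_TEMP.search(image):
                hits.append("autoit_interpreter_suspicious")
    elif ev["EventID"] == 13:
        # Persistence: a Run-key value pointing at WINWORD.exe outside the Office install path.
        details = ev.get("Details", "")
        if RUN_KEY.search(ev["TargetObject"]) and "winword.exe" in details.lower() and not OFFICE_DIR.search(details):
            hits.append("runkey_winword_outside_office")
    return hits

def triage(events):
    """Map event index -> matched rules, keeping only events with at least one hit."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}
```

Run against EVENTS, the three malicious records each match exactly one rule and the genuine Office launch matches none.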


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.