Tuesday, June 25, 2024

Sticky Werewolf Weaponizing LNK Files Group Attacking To Attack Organizations

Sticky Werewolf, a cyber threat group, has shifted its targeting strategy from sending phishing emails with download links to malicious files to using archive attachments containing LNK files, which act as shortcuts to malicious executables hosted on WebDAV servers. 

When a user clicks on the LNK, a batch script is triggered, which in turn launches an AutoIt script designed to deliver the final payload, which bypasses traditional phishing tactics and injects malware directly if the user executes the LNK file. 

Infection Chain

A cyberespionage group, Sticky Werewolf, is targeting the aviation industry with phishing emails disguised as business invitations from a legitimate Russian aerospace company, AO OKB Kristall, where the emails contain an archive attachment with two malicious LNK files masquerading as DOCX documents and a decoy PDF file.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Clicking the LNK files triggers a Batch script that launches an AutoIt script to ultimately deliver the final payload, which is a significant shift from Sticky Werewolf’s previous tactics of using links to download malware directly from file-sharing platforms. 

Phishing Email

A phishing email with a decoy PDF attachment targets enterprises related to Russian helicopters, as the PDF mentions a video conference and references two malicious LNK files disguised as meeting documents. 

Clicking the LNK files triggers an NSIS self-extracting archive, a variant of the CypherIT crypter, to download and run a malicious executable from a network share.

The extracted files land in the Internet Explorer temporary files directory, and then a batch script is executed. 


Two malicious LNK files, disguised as Word documents, target users, and clicking either LNK triggers a sequence of events, as first, the LNK adds a registry entry to run a compromised WINWORD.exe on login persistently. 

Then, it displays a decoy error message to distract the user. The first LNK copies a potentially deceptive image file, while the second LNK behaves similarly, launching a malicious WINWORD.exe. 

Batch Script

A batch script within the LNK delays execution if specific antivirus processes are running and potentially renames files to evade detection.

Finally, the script combines a legitimate AutoIt executable with a malicious script and executes them. 

Processes monitored by the Batch script and their corresponding security vendors. 

This malicious AutoIT script aims to evade detection, establish persistence, and check for signatures of security environments and debuggers. It injects a clean copy of ntdll.dll to bypass hooking, effectively unhooking any monitoring attempts. 

Persistence is achieved through scheduled tasks or startup directory modifications, where the payload, hidden within the script, is decrypted using a two-stage RC4 process with a user-defined passphrase. 

According to Morphisec, the decrypted and decompressed payload is injected via process hollowing into a legitimate AutoIT process, making it harder to detect.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 


Latest articles

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles