Tuesday, October 15, 2024
HomeCyber AttackSticky Werewolf Weaponizing LNK Files Group Attacking To Attack Organizations

Sticky Werewolf Weaponizing LNK Files Group Attacking To Attack Organizations

Published on

Malware protection

Sticky Werewolf, a cyber threat group, has shifted its targeting strategy from sending phishing emails with download links to malicious files to using archive attachments containing LNK files, which act as shortcuts to malicious executables hosted on WebDAV servers. 

When a user clicks on the LNK, a batch script is triggered, which in turn launches an AutoIt script designed to deliver the final payload, which bypasses traditional phishing tactics and injects malware directly if the user executes the LNK file. 

Infection Chain

A cyberespionage group, Sticky Werewolf, is targeting the aviation industry with phishing emails disguised as business invitations from a legitimate Russian aerospace company, AO OKB Kristall, where the emails contain an archive attachment with two malicious LNK files masquerading as DOCX documents and a decoy PDF file.

- Advertisement - SIEM as a Service

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Clicking the LNK files triggers a Batch script that launches an AutoIt script to ultimately deliver the final payload, which is a significant shift from Sticky Werewolf’s previous tactics of using links to download malware directly from file-sharing platforms. 

Phishing Email

A phishing email with a decoy PDF attachment targets enterprises related to Russian helicopters, as the PDF mentions a video conference and references two malicious LNK files disguised as meeting documents. 

Clicking the LNK files triggers an NSIS self-extracting archive, a variant of the CypherIT crypter, to download and run a malicious executable from a network share.

The extracted files land in the Internet Explorer temporary files directory, and then a batch script is executed. 

Pdf

Two malicious LNK files, disguised as Word documents, target users, and clicking either LNK triggers a sequence of events, as first, the LNK adds a registry entry to run a compromised WINWORD.exe on login persistently. 

Then, it displays a decoy error message to distract the user. The first LNK copies a potentially deceptive image file, while the second LNK behaves similarly, launching a malicious WINWORD.exe. 

Batch Script

A batch script within the LNK delays execution if specific antivirus processes are running and potentially renames files to evade detection.

Finally, the script combines a legitimate AutoIt executable with a malicious script and executes them. 

Processes monitored by the Batch script and their corresponding security vendors. 

This malicious AutoIT script aims to evade detection, establish persistence, and check for signatures of security environments and debuggers. It injects a clean copy of ntdll.dll to bypass hooking, effectively unhooking any monitoring attempts. 

Persistence is achieved through scheduled tasks or startup directory modifications, where the payload, hidden within the script, is decrypted using a two-stage RC4 process with a user-defined passphrase. 

According to Morphisec, the decrypted and decompressed payload is injected via process hollowing into a legitimate AutoIT process, making it harder to detect.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Latest articles

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

pac4j Java Framework Vulnerable to RCE Attacks

A critical security vulnerability has been discovered in the popular Java framework pac4j. The...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...