'Sticky Werewolf' APT Stalks Aviation Sector

The pro-Ukranian group has upgraded its infection chain, with credentials, strategic info on commercial pilots, or billion-dollar designs as the possible prizes.

3 Min Read
Werewolf scene 3D illustration
Source: mark Turner via Alamy Stock Photo

A threat actor is using layered infection chains to compromise organizations involved with Russia's aviation industry.

The advanced persistent threat (APT) known as "Sticky Werewolf" has been around since at least April 2023, and it seems to be interested in espionage relating to the conflict between Russia and Ukraine. Early reporting indicated that the group was targeting public organizations in Russia and Belarus, but recent targets have included a pharmaceutical company and a Russian research institute involved in microbiology and vaccine development.

Most recently, in targeted attacks earlier this spring, it appeared that the group had turned its attention to aerospace and defense, as noted in a blog post earlier this week from Morphisec. Its infection methods have been upgraded in turn, now involving a long chain of files and scripts at the end of which lay common remote access malware.

"The attractiveness of aerospace to cybercriminals and nation-state actors is multifold," says Claude Mandy, chief evangelist at Symmetry Systems. "In a conflict, private aircraft and pilots can be both strategic assets and targets, as well as potential intel sources when drafted into military use. Then there's the intellectual property goldmine and the need to protect it for commercial reasons."

Werewolf vs. Airplanes

In prior campaigns, Sticky Werewolf phishing emails included links to download malicious files. Now, its infections are notably more complex.

Its latest emails purport to come from the first deputy general director of AO OKB Kristall, a Moscow-based aircraft and spacecraft company. An attached archive file opens a PDF document, alluding to an upcoming video conference on "issues of long-term cooperation" for the coming year. The "director" asks recipients to participate, and provide personal information including names, positions, and email addresses.

The PDF is a complement to two LNK files also included in that archive. Masquerading as a distribution list and meeting agenda, these files present the user with a fake error message while simultaneously creating a Windows registry entry to establish persistence, then downloading an executable from a WebDAV server.

The executable is a variant of the well-worn and largely defunct CypherIT cryptor. This file drops a batch script which, among other things, manipulates files, looks out for security software — Norton, Sophos, AVG, and Webroot — and drops an AutoIT executable. The AutoIT script's job involves anti-analysis and anti-emulation, further establishing persistence on the machine, and dropping the final payload.

The final payload will be some sort of commercial remote access Trojan (RAT), like the Rhadamanthys Stealer or Ozone RAT. Older Sticky Werewolf campaigns utilized MetaStealer, DarkTrack, and NetWire. Any of these will facilitate espionage and data exfiltration, and the nature of Sticky Werewolf's activities to that end suggest that it operates in support of Ukrainian interests.

"Attackers like this can steal credentials, strategic info on commercial pilots being drafted in military surface, or billion-dollar designs," Mandy explains. "These attacks indicate just how simple a successful social engineering attack can be. Tailored phishing emails will eventually trick someone into installing a remote access Trojan."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights