'Sticky Werewolf' APT Stalks Aviation Sector

A threat actor is using layered infection chains to compromise organizations involved with Russia's aviation industry.

The advanced persistent threat (APT) known as "Sticky Werewolf" has been around since at least April 2023, and it seems to be interested in espionage relating to the conflict between Russia and Ukraine. Early reporting indicated that the group was targeting public organizations in Russia and Belarus, but recent targets have included a pharmaceutical company and a Russian research institute involved in microbiology and vaccine development.

Most recently, in targeted attacks earlier this spring, it appeared that the group had turned its attention to aerospace and defense, as noted in a blog post earlier this week from Morphisec. Its infection methods have been upgraded in turn, now involving a long chain of files and scripts at the end of which lay common remote access malware.

"The attractiveness of aerospace to cybercriminals and nation-state actors is multifold," says Claude Mandy, chief evangelist at Symmetry Systems. "In a conflict, private aircraft and pilots can be both strategic assets and targets, as well as potential intel sources when drafted into military use. Then there's the intellectual property goldmine and the need to protect it for commercial reasons."

Werewolf vs. Airplanes

In prior campaigns, Sticky Werewolf phishing emails included links to download malicious files. Now, its infections are notably more complex.

Its latest emails purport to come from the first deputy general director of AO OKB Kristall, a Moscow-based aircraft and spacecraft company. An attached archive file opens a PDF document, alluding to an upcoming video conference on "issues of long-term cooperation" for the coming year. The "director" asks recipients to participate, and provide personal information including names, positions, and email addresses.

The PDF is a complement to two LNK files also included in that archive. Masquerading as a distribution list and meeting agenda, these files present the user with a fake error message while simultaneously creating a Windows registry entry to establish persistence, then downloading an executable from a WebDAV server.

The executable is a variant of the well-worn and largely defunct CypherIT cryptor. This file drops a batch script which, among other things, manipulates files, looks out for security software — Norton, Sophos, AVG, and Webroot — and drops an AutoIT executable. The AutoIT script's job involves anti-analysis and anti-emulation, further establishing persistence on the machine, and dropping the final payload.

The final payload will be some sort of commercial remote access Trojan (RAT), like the Rhadamanthys Stealer or Ozone RAT. Older Sticky Werewolf campaigns utilized MetaStealer, DarkTrack, and NetWire. Any of these will facilitate espionage and data exfiltration, and the nature of Sticky Werewolf's activities to that end suggest that it operates in support of Ukrainian interests.

"Attackers like this can steal credentials, strategic info on commercial pilots being drafted in military surface, or billion-dollar designs," Mandy explains. "These attacks indicate just how simple a successful social engineering attack can be. Tailored phishing emails will eventually trick someone into installing a remote access Trojan."