Howling at the Inbox: Sticky Werewolf’s Latest Malicious Aviation Attacks

MITRE Techniques

• [T1566.001] Phishing – The phishing email targets aviation/defense sector and uses deceptive lures. Quote: “The phishing email, purportedly sent by the First Deputy General Director and Executive Director of AO OKB Kristall, targets individuals in the aerospace and defense sector.”
• [T1204.002] User Execution – The initial archive contains LNK and decoy files intended to coax the recipient into executing content. Quote: “The initial archive delivered in the phishing email contains three files designed to deceive the recipient into executing at least one of the malicious email’s contents.”
• [T1059] Command and Scripting Interpreter – The infection chain includes Batch scripts and an AutoIt script used to deliver the final payload. Quote: “The initial email includes an archive attachment; when the recipient extracts the archive, they find LNK and decoy files. These LNK files point to an executable hosted on a WebDAV server. Once executed, this initiates a Batch script, which then launches an AutoIt script that ultimately injects the final payload.”
• [T1105] Ingress Tool Transfer – The payload is hosted on WebDAV servers for download/execution. Quote: “LNK files point to an executable hosted on a WebDAV server.”
• [T1036] Masquerading – LNK files masquerade as DOCX documents to appear legitimate. Quote: “Two LNK Files Masquerading as DOCX Documents.”
• [T1547.001] Registry Run Keys/Startup Folder – Persistence via a registry entry to run a network-shared WINWORD.exe on login. Quote: “Registry Entry for Persistence: Adds a registry entry to run WINWORD.exe from a network share (94.156.8[.]166Microsoft Office Word$WINWORD.exe) on login.”
• [T1053.005] Scheduled Task – Persistence via scheduled task or startup folder. Quote: “Persistence is established via a scheduled task or the startup directory.”)
• [T1140] Deobfuscation/Decode – Payload decrypted with RC4 via shellcodes. Quote: “decrypts it using two shellcodes that perform RC4 decryption.”
• [T1027] Obfuscated/Compressed Files and Information – Decrypted bytes decompressed with RtlDecompressFragment (COMPRESSION_FORMAT_LZNT1). Quote: “The decrypted bytes are decompressed using RtlDecompressFragment with COMPRESSION_FORMAT_LZNT1.”
• [T1055.012] Process Hollowing – Final payload injected via process hollowing into a legitimate AutoIt process. Quote: “The final payload is then injected using a process hollowing into a legitimate AutoIT process.”
• [T1562.001] Impair Defenses – Anti-analysis/anti-emulation checks by the AutoIt script. Quote: “Anti-Analysis and Anti-Emulation: The script checks for artifacts or signs belonging to security vendors’ emulators and environments.”