Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks
June 7, 2024, 8:08 a.m.
Description
Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a suspected geopolitical or hacktivist group. While their origin remains unclear, recent techniques suggest espionage and data exfiltration intent. Sticky Werewolf has targeted the aviation industry, employing phishing emails with archive attachments containing LNK files pointing to malicious payloads on WebDAV servers. The infection chain involves executing these LNK files, triggering a process that ultimately injects commodity malware like RATs or stealers to facilitate data theft.
Date
Published: June 7, 2024, 8 a.m.
Created: June 7, 2024, 8 a.m.
Modified: June 7, 2024, 8:08 a.m.
Indicators
.156.8.211
94.156.8.166
79.132.128.47
document-cdn.org
Attack Patterns
NETWIRE - S0198
DarkTrack
Rhadamanthys Stealer
Ozone RAT
MetaStealer
Sticky Werewolf
T1107
T1202
T1497
T1105
T1036
T1027
T1053
T1566
Additional Information
Aerospace