Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks

June 7, 2024, 8:08 a.m.

Description

Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a suspected geopolitical or hacktivist group. While their origin remains unclear, recent techniques suggest espionage and data exfiltration intent. Sticky Werewolf has targeted the aviation industry, employing phishing emails with archive attachments containing LNK files pointing to malicious payloads on WebDAV servers. The infection chain involves executing these LNK files, triggering a process that ultimately injects commodity malware like RATs or stealers to facilitate data theft.

Date

  • Created: June 7, 2024, 8 a.m.
  • Published: June 7, 2024, 8 a.m.
  • Modified: June 7, 2024, 8:08 a.m.

Indicators

  • d973e7854f10b4d0a1060e55022dceadc51d038cee85d05e2c2c2fd3b40a42be
  • d6e6c786b793b46a1ee9b18b058e045d0aa1c83aa2b6aa493637f611d654d957
  • ce2b6d3aad07d3dec2b24f676cc9d2022bab5a086c7e773f9cfa3e7b7dc6d66a
  • c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0
  • 9eddffbef4d9d7329d062db0a93c933104d00f12106bf91fa3b58e8f8b19aa41
  • 3ccbd8bd7424506b26491e5ff5ff55b000adaab1074ccf3b7452d0883f668040
  • 217196571088cfd63105ae836482d742befcb7db37308ce757162c005a5af6ab
  • 1301ec3006ad03742bfaef047aa434320aa0e725a99be5d6be27b955a814fcf4
  • 05880ff0442bbedc8f46076ef56d4d1ffeda68d9ef26b659c4868873fa84c1a9
  • 03ee2011ad671b1781015024ea53edfbff92c28c2b123bba02d6a6f462e74105
  • 94.156.8.211
  • 94.156.8.166
  • 79.132.128.47
  • document-cdn.org

Attack Patterns

  • NETWIRE - S0198
  • DarkTrack
  • Rhadamanthys Stealer
  • Ozone RAT
  • MetaStealer
  • Sticky Werewolf

Additional Information

  • Aerospace