“Sticky Werewolf”, an advanced persistent threat (APT) group, has been observed attacking organizations associated with the Russian aviation and medical research industries. The group has been operating since about the middle of 2023, and research suggests that espionage is its primary motive. Given the targets involved, the group appears to have Eastern European origins and to operate from a pro-Ukraine stance.

Earlier in the group’s attack campaigns they favored phishing emails containing links to malicious downloads; however, their attacks have since become more complex. Recently the group has been spoofing emails from the first deputy general director of AO OKB Kristall, a Russia-based aviation company.

The emails contain an archive that opens a PDF file masked to appear as a legitimate Windows file. The file's creation is consistent with the tool IP Logger; links generated with that tool collect information about the users who click them. The information gathered includes IP addresses, timestamps, geolocations, and some system-level statistics, which allowed the group to build a victim profile early in the attack chain.
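The masquerading described above (a file whose name and icon say "document" while its content says something else) is something a mail gateway or triage script can check for mechanically. The following is an added example, not code from the original post or from any referenced vendor: it inspects the members of a ZIP archive, compares each member's claimed extension against its leading magic bytes, and flags double extensions, right-to-left-override tricks and executables shipped inside the archive. The archive contents, file names and the threshold choices are constructed for the example; it generalizes past the specific PDF case in the post to any document extension wrapping an executable, and the reverse.

```python
import io
import zipfile

# Well-known leading bytes for the content types this check cares about.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",      # Windows PE (EXE/DLL/SCR) header
}

# Extensions an attacker typically hides behind, and extensions that execute on Windows.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk", "hta"}

RTLO = "\u202e"  # Unicode right-to-left override, used to visually reverse an extension


def sniff(data: bytes) -> str:
    """Return a coarse content type from the first bytes of a file."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def analyze_member(name: str, data: bytes) -> list:
    """Return a list of masquerading indicators for one archive member (empty if clean)."""
    findings = []
    basename = name.rsplit("/", 1)[-1]
    if RTLO in basename:
        findings.append("rtlo-override")
    exts = basename.lower().split(".")[1:]
    # e.g. "Contract.pdf.exe": a document extension immediately before an executable one
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        findings.append("double-extension")
    # e.g. "Order.pdf" whose bytes start with an MZ header
    if exts and exts[-1] in DOCUMENT_EXTS and sniff(data) == "exe":
        findings.append("magic-mismatch")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable-in-archive")
    return findings


def scan_archive(blob: bytes) -> dict:
    """Map each suspicious member name in a ZIP blob to its list of findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.read(info.filename)[:8]  # only the magic bytes are needed
            findings = analyze_member(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample_archive() -> bytes:
    """Construct an in-memory ZIP with one benign and two masquerading members (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract.pdf", b"%PDF-1.7\n%constructed sample\n")
        zf.writestr("Contract_signed.pdf.exe", b"MZ" + b"\x00" * 62)  # PE with a document-looking name
        zf.writestr("Order.pdf", b"MZ" + b"\x00" * 62)               # PE disguised by extension alone
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_archive(build_sample_archive()).items():
        print(f"{member}: {', '.join(findings)}")
```

Magic-byte sniffing is a first-pass check, not a verdict: the "executable-in-archive" indicator alone is noisy on software-distribution mail, so in practice the findings feed a scoring or quarantine rule alongside sender authentication results rather than blocking outright.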

The behavior of the downloaded malware suggests that the NetWire RAT, or a variant of it, is being used for command and control (C2). NetWire lets the adversary manage files, services, and network connections, edit the registry, log keystrokes, execute commands via command.exe, and more.

I will post a collection of IOCs on my GitHub project.

Stay safe and don’t go out in the full moon!

By Ghost40