Sticky Werewolf cyber spies attack Polish organizations / Habr

Sticky Werewolf cyber spies attack Polish organizations / Habr

Pro-Ukrainian group Sticky Werewolf, which specializes in cyberespionage, seems to have gone on tour: after a recent attack on companies in Belarus, attackers also targeted organizations in Poland. In the new Sticky Werewolf attack, experts from the Threat Intelligence department of FACCT found that a modified version of the remote access trojan was used Darktrack RAT.

Initial attack vector

On February 12 of this year at 15:28:33 UTC, a link (URL) was uploaded to VirusTotal on a web interface from Poland (Trzebnica):


By the way, the share-files domain[.]pl has a Polish first-level domain – “.pl”.

Attackers from the Sticky Werewolf group are known to use phishing emails containing a link to download a malicious executable as an initial penetration vector. As part of the analysis of this attack, only the hxxps://share-files link was available to Threat Intelligence experts[.]pl/Wezwanie_swiadka.pdf, which should be in the body of such a phishing email.

When going to the link hxxps://share-files[.]pl/Wezwanie_swiadka.pdf is being redirected to another resource hxxps://store10[.]gofile[.]io/download/direct/a54ae153-8cea-479f-b9fe-1994a349216c/Wezwanie_swiadka.pdf.exe and the Wezwanie_swiadka.pdf.exe executable is downloaded.

Malware download window

The user must run the downloaded file for the compromise to occur.

SFX archive and payload

The Wezwanie_swiadka.pdf.exe file is a self-extracting (SFX) archive prepared by the NSIS Installer. Wezwanie_swiadka.pdf.exe contains the Wezwanie_swiadka.pdf decoy file and the executable MicroWord.exe file.

The contents of the decoy file Wezwanie_swiadka.pdf

It is worth noting that attackers could download a decoy file to use in the attack on the link hxxps://edu[.]cba[.]gov[.]pl/DU_CBA/2008/2/22/Zalacznik46.pdf (bait file matched by hash sum).

The screenshot below shows a fragment of the NSIS script of the SFX archive Wezwanie_swiadka.pdf.exe.

A fragment of the NSIS script of the SFX archive

After the specified SFX archive is launched by the user:

  • creating and running the %TEMP%\MicroWord.exe file;

  • creating and opening a decoy file %TEMP%\Wezwanie_swiadka.pdf;

  • creating a %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\FlashUpdate.lnk shortcut that will run %TEMP%\FlashUpdate.exe after system restart.

It is worth noting that the attackers could have made mistakes in the NSIS script, because the shortcut file FlashUpdate.lnk refers to the nonexistent FlashUpdate.exe file.


The payload is a MicroWord.exe file protected by a protector Themida and modified version Darktrack RAT – Remote Access Trojan (RAT) developed on Delphi.

This malware interacts with the control server 46[.]246[.]97[.]61:7412 creates a mutex with the unique name E4B6tMOXArC4kQ36 and also creates a log file klog.dat to record intercepted user input from the keyboard.

We will remind that Sticky Werewolf is a cyberespionage group that attacks state institutions and financial companies in Russia and Belarus. As an initial attack vector Sticky Werewolf uses phishing emails with links to malicious files and tools such as remote access trojans Darktrack RAT and Ozone RATstylers Glory Stealer and MetaStealer (RedLine Stealer variation).

In December 2023 Sticky Werewolf attacked a Russian farm twice through mail, under the guise of the Ministry of Emergency Situations and the Ministry of Construction, and in January 2024, a Russian organization attacked with fake letters, allegedly on behalf of the FSB.

Indicators of compromise

MD5: d7ff05311350b4990ccd642a44679d1d
SHA-1: 4aabffec8b6be99324f8d589e73ed0f433054118
SHA-256: 9f942f1efb3644e13aca6188c7da9270d02f956155fba3cba21b6d81dfd995a7

MD5: 542678c60cf6de9e6ca876e102b233e6
SHA-1: 3bf367ed7b05042eb268c87240690b4cdacabbe0
SHA-256: 9a03cfe1174b0921a10ffd389c6c152b0c0a2c9dd53195d55a9fd1f75d81b702

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\FlashUpdate.lnk




IP address:

Related posts