Infection Chain and Initial Access
A new phishing campaign targets Russian aerospace and aviation organizations by disguising malicious attachments as invoices. The attack begins with an email containing a password-protected archive, a technique that allows the payload to bypass standard email security scanners. Once the victim opens the archive using the password provided in the email body, an installer drops files into a hidden folder and displays a decoy PDF to maintain the appearance of a legitimate document. The infection chain then contacts a remote server to download a second archive containing a portable version of AnyDesk, along with utilities for command-line email sending, file compression, and a tool called Tray Minimizer that hides application windows from the user.
Establishing Persistence and Covering Tracks
After deploying AnyDesk, the script configures the remote access tool with a preset password, allowing attackers to connect without any on-screen prompts. The malware then packages AnyDesk’s configuration files into a new password-protected archive and emails it to an attacker-controlled address using a legitimate SMTP mailing utility. To maintain long-term access, the script creates a scheduled task disguised as a routine update, ensuring the hidden tray tool restarts at every user login. Finally, the malicious script deletes all command files, logs, archives, and the decoy PDF, effectively removing most forensic evidence. Because AnyDesk is legitimate software, traditional signature-based detection often fails to flag the intrusion, making behavioral monitoring for scheduled task creation and archive exfiltration a more effective detection method.
Impact and Scope
Seqrite researchers identified the campaign and linked it to a threat actor known as Rare Werewolf, which has previously targeted industrial, engineering, and aerospace organizations in Russia, Belarus, and Kazakhstan. The attack appears focused on long-term espionage rather than immediate financial gain, though related campaigns from the same actor have deployed cryptocurrency miners after establishing access. Organizations in aerospace and related industrial sectors should exercise caution with unexpected invoice emails from newly registered domains and monitor for unauthorized scheduled tasks or unexpected remote access installations.
Source: Cyber Security News
