In light of all of the Russian ransomware attacks on organizations worldwide, a dose of Schadenfreude is a welcome sign. For our non-German readers: “Schadenfreude is the experience of pleasure, joy, or self-satisfaction that comes from learning of or witnessing the troubles, failures, or humiliation of another (especially an adversary). It is a borrowed word from German, with no direct translation, that originated in the 18th century.”
An unknown threat actor has been targeting Russian entities with a newly discovered remote access trojan called Woody RAT for at least a year as part of a spear-phishing campaign.[1] The advanced custom backdoor is said to be delivered via either of two methods: archive files or Microsoft Office documents leveraging the now-patched "Follina" support diagnostic tool vulnerability (CVE-2022-30190) in Windows.
Like other implants engineered for espionage-oriented operations, Woody RAT has a wide range of features that enables the threat actor to remotely commandeer and steal sensitive information from the infected systems. This malicious software that has been targeting Russian organizations. The mysterious group attempted to strike a Russian aerospace and defense entity known as OAK.
The Woody RAT enables remote control over infected devices. It can perform a broad range of commands and functions extract a wide variety of system data, like the operating system version and architecture, computer name, PowerShell information, user accounts and privileges, network data, and running processes. It can also gather personal information, like names, types, formats, permissions, etc. The RAT can download files and even take screenshots. The Woody RAT also can upload files and launch them. This allows cybercriminals can install Trojans, ransomware, and other malware. "The earliest versions of this RAT were typically archived into a ZIP file pretending to be a document specific to a Russian group," according to researchers exposed in a recent report. "When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload.”
Attacks leveraging the Windows flaw as part of this campaign first came to light on 7 June 2022, when researchers from the MalwareHunterTeam disclosed the use of a document named "Памятка.docx" (which translates to "Memo.docx") to deliver a CSS payload containing the trojan. The document allegedly offers best security practices for passwords and confidential information, among others, while acting as a decoy for dropping the backdoor. Besides encrypting its communications with a remote server, Woody RAT is equipped with capabilities to write arbitrary files to the machine, execute additional malware, delete files, enumerate directories, capture screenshots, and gather a list of running processes.
Also embedded within the malware are two .NET-based libraries named WoodySharpExecutor and WoodyPowerSession that can be used to run .NET code and PowerShell commands received from the server, respectively. In addition, the malware makes use of the process hollowing technique to inject itself into a suspended Notepad process and deletes itself from the disk to evade detection from security software installed on the compromised host.
Figure 1. Malwarebytes |
Researchers have yet to attribute the attacks to a specific threat actor, citing lack of solid indicators linking the campaign to a previously known group, although Chinese and North Korean nation-state collectives have targeted Russia in the past. This is interesting as a “rat” is also considered someone who desert one's party, side, or cause.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2022/08/new-woody-rat-malware-being-used-to.html
Comments