Cisco Talos researchers have uncovered a new Coronavirus-themed campaign employing a previously-undiscovered RAT tracked as PoetRAT.
The attacks targeted the Azerbaijan government and utility companies, the malicious code was designed to infect supervisory control and data acquisition (SCADA) systems, broadly used in the energy and manufacturing industries.
“Cisco Talos has discovered a new malware campaign based on a previously unknown family we’re calling “PoetRAT.” At this time, we do not believe this attack is associated with an already known threat actor.” reads the analysis published by Cisco Talos. “Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, thus we believe the adversaries in this case want to target citizens of the country Azerbaijan, including private companies in the SCADA sector like wind turbine systems.”
Experts believe the attack was carried out by an already known threat actor.
The malware infected ICS and SCADA systems used to control the wind turbines within the renewable energy sector.
Attackers launched phishing attacks using weaponized Microsoft Word documents, experts identified three separate phishing attacks that used COVID19 as a lure.
The messages used a document named “C19.docx,” they claim to be from departments from the Azerbaijan government and India’s Ministry of Defense.
The name PoetRAT comes from various references to the English poet William Shakespeare, the malware implements RAT standard features and uses FTP for data
Upon enabling the macros a dropper downloads and executes the PoetRAT.
“This was a previously undiscovered RAT. It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: It appends the RAT to a Word document. Upon opening the document, a macro is executed that will extract the malware and execute it. The operation seems to be manual, but it’s streamlined to deploy additional tools as needed and to avoid unnecessary steps.” continues the analysis.
The malicious code is not directly loaded as an executable, it is written to disk as an archive named “smile.zip” that is appended at the end of the word document.
The .zip archive contains a Python script and interpreter, the Word macros checks for a sandbox environment. The macros checks weather the hard drives are smaller than 62GB, which could be an indication of being in the presence of a sandbox. If a sandbox is detected, the malware is overwritten and deleted.
The Python Trojan is composed of two main scripts, “frown.py” which is used to communicate with the C2 and “smile.py,” which executes a range of other commands (i.e. directory listing, exfiltrating PC information, taking screenshots, copying, moving, and archiving content, uploading stolen files, and killing, clearing, or terminating processes).
Experts noticed the use of a .NET malware module named dog.exe, that monitors hard drive paths and automatically exfiltrates data via either an email account or FTP.
The PoetRAT gains persistence creating registry keys, the malware makes several modifications to the registry entries in order to skip sandbox evasion checks.
Talos experts also found a phishing website hosted on the same infrastructure that mimics the webmail of the Azerbaijan Government webmail infrastructure.
“The actor monitored specific directories, signaling they wanted to exfiltrate certain information on the victims,” Talos says. “Based on our research, the adversaries may have wanted to obtain important credentials from officials in Azerbaijan’s government. The attacker wanted not only specific information obtained from the victims but also a full cache of information relating to their victim.”
Talos’s report also includes the Indicators of Compromise of the campaign.