Malwarebytes researchers observed an unknown threat actor targeting Russian organizations with a new remote access trojan called Woody RAT. The attackers were delivering the malware using archive files and Microsoft Office documents exploiting the Follina Windows flaw (CVE-2022-30190).
The assumption that attackers focus on Russian entities is based on a fake domain they registered, Malwarebytes is aware that they tried to target a Russian aerospace and defense entity known as OAK.
“The earliest versions of this Rat was typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.” states the report published by Malwarebytes.
In the attacks leveraging the archive files (anketa_brozhik.doc.zip, which contains Woody Rat executable, and Anketa_Brozhik.doc.exe, zayavka.zip containing Woody Rat masqueraded as application participation in the selection.doc.exe), the archives are sent to victims via spear-phishing emails.
Attacks exploiting the Windows Follina flaw were spotted on June 7, 2022, when researchers observed threat actors using a weaponized Microsoft Office document titled Памятка.docx. The lure document, called “Information security memo,” provides security practices for passwords, confidential information, etc.
To evade network-based monitoring, the Woody RAT malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the command and control server.
The RAT is equipped with multiple backdoor capabilities, such as writing arbitrary files to the machine, executing additional malware, capturing screenshots, enumerating directories, deleting files, and gathering a list of running processes.
The analysis of the malicious code revealed that the malware has 2 .NET DLLs embedded inside named named WoodySharpExecutor and WoodyPowerSession respectively. WoodySharpExecutor allows the malware to run .NET code received from the C2, while WoodyPowerSession allows the malware to execute PowerShell commands and scripts received from the C2.
Once created the command threads, the malware deletes itself from the disk using the ProcessHollowing technique.
“This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor.” concludes the report.
(SecurityAffairs – hacking, Woody RAT)