Woody RAT: A new feature-rich malware spotted in the wild

The Malwarebytes Threat Intelligence team has discovered a new Remote Access Trojan that we dubbed Woody Rat used to target Russian entities.

Malwarebytes

This blog post was authored by Ankur Saini and Hossein Jazi

The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.

This advanced custom Rat is mainly the work of a threat actor that targets Russian entities using lures in archive file format and, more recently, Office documents leveraging the Follina vulnerability.

Based on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as OAK.

In this blog post, we will analyze Woody Rat’s distribution methods, capabilities, and communication protocol.

Distribution methods

Based on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.

The earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.

The following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:

Woody Rat distribution methods

Archive files

In this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:

  • anketa_brozhik.doc.zip: It contains Woody Rat with the same name: Anketa_Brozhik.doc.exe.
  • zayavka.zip: It contains Woody Rat pretending to be an application (application for participation in the selection.doc.exe).

Follina vulnerability

The threat actor is using a Microsoft Office document (Памятка.docx) that has been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The lure, written in Russian, is titled “Information security memo” and describes security practices for passwords, confidential information, etc.

Document lure

Woody Rat Analysis

The threat actor has left some debugging information, including a pdb path, from which we derived the name for this new Rat:

Debug Information

A lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hinders analysis. Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as the parameter.

main function

As we will see later, the malware uses multiple threads, so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request.

Deriving the Cookie

The malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine-specific values. The values are taken from the adapter information, computer name and volume information, and 8 random bytes are appended to this value to avoid possible cookie collisions.

A combination of GetAdaptersInfo, GetComputerNameA and GetVolumeInformationW functions are used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.

get_cookie_data function

Data encryption with HTTP requests

To evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary and the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the BCryptImportKeyPair function.

The malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. Both the malware and the C2 then use these bytes to generate the AES-CBC key using BCryptGenerateSymmetricKey, which is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses BCryptEncrypt and BCryptDecrypt respectively.

RSA Encryption routine

AES Encryption Routine

C2 HTTP endpoint request

knock – This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request whose body contains the 32 random bytes used to derive the AES-CBC key, encrypted with RSA-4096.

The data received as response for this request is decrypted and it contains the url path to submit (/submit) the additional machine information which the malware generates after this operation.

knock request headers
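The key exchange described in the encryption section and the knock request above, played through end to end as an added example (this is illustrative code written for this post, not Woody Rat's own code): the implant side wraps 32 fresh random bytes with the C2's RSA-4096 public key, the C2 side unwraps them, and both ends then use those bytes as the AES-256-CBC key for a "submit" message. The post does not say which RSA padding mode, IV handling or block padding BCrypt is called with, so OAEP/SHA-256, a random IV prepended to each ciphertext and PKCS#7 padding are assumptions here; the key pair is generated locally to stand in for the embedded one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// c2Priv stands in for the C2 key pair whose public half is embedded in the binary.
var c2Priv, _ = rsa.GenerateKey(rand.Reader, 4096)

// implantKnock is the implant side of "knock": 32 random bytes, RSA-wrapped for
// the C2. Assumption: OAEP/SHA-256 (the post does not name the RSA padding mode).
func implantKnock(c2Pub *rsa.PublicKey) (keyMaterial, wrapped []byte, err error) {
	keyMaterial = make([]byte, 32)
	if _, err = rand.Read(keyMaterial); err != nil { return nil, nil, err }
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, c2Pub, keyMaterial, nil)
	return keyMaterial, wrapped, err
}

// encryptCBC returns IV || AES-256-CBC(PKCS#7(plaintext)) under the 32 knock bytes.
// Assumption: a random 16-byte IV travels in front of the ciphertext.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { return nil, err }
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// decryptCBC reverses encryptCBC, rejecting bad lengths and bad padding.
func decryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 { return nil, errors.New("bad ciphertext length") }
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) { return nil, errors.New("bad padding") }
	return out[:len(out)-n], nil
}

// roundTrip plays knock, then one AES-CBC "submit" message; returns what the C2 read.
func roundTrip(submit string) (string, error) {
	k, wrapped, err := implantKnock(&c2Priv.PublicKey) // implant -> C2 (POST body)
	if err != nil { return "", err }
	c2Key, err := rsa.DecryptOAEP(sha256.New(), nil, c2Priv, wrapped, nil) // C2 unwraps
	if err != nil { return "", err }
	ct, err := encryptCBC(k, []byte(submit)) // implant encrypts under its own copy of the key
	if err != nil { return "", err }
	pt, err := decryptCBC(c2Key, ct) // C2 decrypts under the unwrapped copy
	return string(pt), err
}
```

Because the whole session key rides inside one RSA blob, a defender holding only a packet capture cannot decrypt the traffic without the C2's private key; what remains observable is the per-host cookie and the 512-byte knock body.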

submit – This endpoint is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. Data sent via the submit endpoint includes:

  • OS
  • Architecture
  • Antivirus installed
  • Computer Name
  • OS Build Version
  • .NET information
  • PowerShell information
  • Python information (Install path, version etc.)
  • Storage drives – includes Drive path, Internal name etc.
  • Environment Variables
  • Network Interfaces
  • Administrator privileges
  • List of running processes
  • Proxy information
  • Username
  • List of all the User accounts

The malware currently detects 6 AVs through registry keys, namely Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.

ping – The malware makes a ping GET HTTP request to the C2 at regular intervals. If the C2 responds with “_CRY” then the malware sends the knock request again; if the C2 responds with “_ACK” the response contains additional information about which command should be executed by the malware.

The malware supports a wide variety of commands, which are classified into _SET and _REQ requests as seen while analyzing the malware. We will dive into all of these commands below.

C2 Commands

The malware uses a dedicated thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and a mutex. To dispatch a command it modifies the state of the event linked to that object. Note that all the communications involved in these commands are AES encrypted.

Command execution routine

_SET Commands

  • PING – This command is used to set the sleep interval between every ping request to the C2.
  • PURG – Unknown command
  • EXIT – Exit the command execution thread.

_REQ Commands

  • EXEC (Execute) – Executes the command received from the C2 by creating a cmd.exe process. The malware creates two named pipes and redirects the input and output to these pipes. The output of the command is read using ReadFile from the named pipe, and then “_DAT” is appended to this data before it is AES encrypted and sent to the C2.

EXEC command

  • UPLD (Upload) – The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives data to be written as file.
  • INFO (Submit Information) – The INFO command is similar to the “submit” request above; this command sends the exact information to the C2 as sent by the “submit” request.

INFO command

  • UPEX (Upload and Execute) – This is a combination of the UPLD and EXEC commands. The command first writes a file received from the C2 and then executes that file.
  • DNLD (Download) – The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.
  • PROC (Execute Process) – The PROC command is similar to the EXEC command with slight differences: here the process is executed directly instead of through cmd.exe as in the EXEC command. The command uses named pipes in a similar fashion to the EXEC command.
  • UPPR (Upload and Execute Process) – This is a combination of the UPLD and PROC commands. The command receives the remote file using the upload command, then executes the file using the PROC command.
  • SDEL (Delete File) – This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.
  • _DIR (List directory) – This can list all the files and their attributes in a directory supplied as an argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are:
    • Filename
    • Type (Directory, Unknown, File)
    • Owner
    • Creation time
    • Last access time
    • Last write time
    • Size
    • Permissions
  • STCK (Command Stack) – This allows the attacker to execute multiple commands with one request. The malware can receive a STCK command which can have multiple children commands which are executed in the same order they are received by the malware.
  • SCRN (Screenshot) – This command leverages Windows GDI+ to take the screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.
  • INJC (Process Injection) – The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process it writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.

INJC routine

  • PSLS (Process List) – Calls NtQuerySystemInformation with SystemProcessInformation to retrieve an array containing all the running processes. Information sent about each process to the C2:
    • PID
    • ParentPID
    • Image Name
    • Owner
  • DMON (Creates Process) – The command seems similar to PROC with the only difference being the output of the process execution is not sent back to the C2. It receives the process name from the C2 and executes it using CreateProcess.
  • UPDM (Upload and Create Process) – Allows the C2 to upload a file and then execute it using the DMON command.

SharpExecutor and PowerSession Commands

Interestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named WoodySharpExecutor and WoodyPowerSession respectively. WoodySharpExecutor gives the malware the ability to run .NET code received from the C2. WoodyPowerSession, on the other hand, allows the malware to execute PowerShell commands and scripts received from the C2.

WoodyPowerSession makes use of pipelines to execute these PS commands. The .NET DLLs are loaded by the malware and commands are executed via the methods present in these DLLs:

SharpExecutor and PowerSession methods

We will look at the commands utilising these DLLs below:

  • DN_B (DotNet Binary) – This command makes use of the RunBinaryStdout method to execute assembly code with arguments received from the C2. The code is received as an array of Base64 strings separated by the 0x20 (space) character.
  • DN_D (DotNet DLL) – This command gives the attacker a lot more control over the execution. An attacker can choose whether or not to send the console output back to the C2. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. The DLL loads the code and finds and executes the method based on the other arguments received from the C2.
  • PSSC (PowerSession Shell Command) – Allows the malware to receive a Base64 encoded PowerShell command and execute it.
  • PSSS (PowerSession Shell Script) – This command allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.
  • PSSM (PowerSession Shell Module) – This command receives an array of Base64 encoded strings, one of which contains the module contents and the other one contains the module name. These strings are decoded and this module is imported to the command pipeline and then invoked.

Malware Cleanup

After creating the command threads, the malware deletes itself from disk. It uses the commonly known process hollowing technique to do so. It creates a suspended notepad process and then writes shellcode that deletes a file into the suspended process using NtWriteVirtualMemory. The entry point of the thread is set using NtSetContextThread and the thread is then resumed. This leads to the deletion of the malware from disk.

Malware deletes itself

Unknown threat actor

This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor.

Malwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. We also already detected the binary payloads via our heuristic malware engines.

IOCs

Woody Rat:


C2s:


Follina Doc:
Памятка.docx
ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb
Follina html file:
garmandesar.duckdns[.]org:444/uoqiuwef.html
Woody Rat url:
fcloud.nciinform[.]ru/main.css
