Headline
Woody RAT: A new feature-rich malware spotted in the wild
Categories: Threat Intelligence Tags: APT
Tags: rat
Tags: russia
The Malwarebytes Threat Intelligence team has discovered a new Remote Access Trojan that we dubbed Woody Rat used to target Russian entities.
(Read more…)
The post Woody RAT: A new feature-rich malware spotted in the wild appeared first on Malwarebytes Labs.
This blog post was authored by Ankur Saini and Hossein Jazi
The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.
This advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.
Based on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as OAK.
In this blog post, we will analyze Woody Rat’s distribution methods, capabilities as well as communication protocol.
Distribution methods
Based on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.
The earliest versions of this Rat was typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.
The following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:
Woody Rat distribution methods
Archive files
In this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:
- anketa_brozhik.doc.zip: It contains Woody Rat with the same name: Anketa_Brozhik.doc.exe.
- zayavka.zip: It contains Woody Rat pretending to be an application (application for participation in the selection.doc.exe).
Follina vulnerability
The threat actor is using a Microsoft Office document (Памятка.docx) that has weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The used lure is in Russian is called "Information security memo" which provide security practices for passwords, confidential information, etc.
Document lure
Woody Rat Analysis
The threat actor has left some debugging information including a pdb path from which we derived and picked a name for this new Rat:
Debug Information
A lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as parameter.
main function
As we will see later, that malware uses multiple threads and so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request.
Deriving the Cookie
The malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine specific values. The values are taken from the adapter information, computer name and volume information, and 8 random bytes are appended to this value to avoid any possible cookie collisions by the malware.
A combination of GetAdaptersInfo, GetComputerNameA and GetVolumeInformationW functions are used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.
get_cookie_data function
Data encryption with HTTP requests
To evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary and the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the BCryptImportKeyPair function.
The malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. Both the malware and C2 simultaneously use these bytes to generate the AES-CBC key using BCryptGenerateSymmetricKey which is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses BCryptEncrypt and BCryptDecrypt respectively.
RSA Encryption routine
AES Encryption Routine
C2 HTTP endpoint request
knock - This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request and the data of this request contains 32 random bytes which are used to derive AES-CBC key, while the 32 bytes are RSA-4096 encrypted.
The data received as response for this request is decrypted and it contains the url path to submit (/submit) the additional machine information which the malware generates after this operation.
knock request headers
submit - This endpoint request is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. Data sent via submit API includes:
- OS
- Architecture
- Antivirus installed
- Computer Name
- OS Build Version
- .NET information
- PowerShell information
- Python information (Install path, version etc.)
- Storage drives - includes Drive path, Internal name etc.
- Environment Variables
- Network Interfaces
- Administrator privileges
- List of running processes
- Proxy information
- Username
- List of all the User accounts
The malware currently detects 6 AVs through Registry Keys; these AVs being Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.
ping - The malware makes a ping GET http request to the C2 at regular intervals. If the C2 responds with “_CRY” then the malware proceeds to send the knock request again but if the C2 responds with “_ACK” the response contains additional information about which command should be executed by the malware.
The malware supports a wide variety of commands which are classified into _SET and _REQ requests as seen while analyzing the malware. We will dive into all these commands below in the blog.
C2 Commands
The malware uses a specific thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and mutex. To dispatch a command it modifies the state of the event linked to that object. We should note all the communications involved in these commands are AES encrypted.
Command execution routine
_SET Commands
- PING - This command is used to set the sleep interval between every ping request to the C2.
- PURG - Unknown command
- EXIT - Exit the command execution thread.
_REQ Commands
- EXEC (Execute)- Executes the command received from the C2 by creating a cmd.exe process, the malware creates two named pipes and redirects the input and output to these pipes. The output of the command is read using ReadFile from the named pipe and then “_DAT” is appended to this data before it is AES encrypted and sent to the C2.
EXEC command
- UPLD (Upload) - The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives data to be written as file.
- INFO (Submit Information) - The INFO command is similar to the “submit” request above; this command sends the exact information to the C2 as sent by the “submit” request.
INFO command
- UPEX (Upload and Execute) - This is a combination of UPLD and EXEC command. The commands first writes a file received from the C2 and then executes that file.
- DNLD (Download) - The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.
- PROC (Execute Process) - The PROC command is similar to the EXEC command with slight differences, here the process is directly executed instead of executing it with cmd.exe as in EXEC command. The command uses the named pipes in similar fashion as used by the EXEC command.
- UPPR (Upload and Execute Process) - This is a combination of UPLD and PROC command. The command receives the remote file using the upload command then executes the file using PROC command.
- SDEL (Delete File) - This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.
- _DIR (List directory) - This can list all the files and their attributes in a directory supplied as argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are:
- Filename
- Type (Directory, Unknown, File)
- Owner
- Creation time
- Last access time
- Last write time
- Size
- Permissions
- STCK (Command Stack) - This allows the attacker to execute multiple commands with one request. The malware can receive a STCK command which can have multiple children commands which are executed in the same order they are received by the malware.
- SCRN (Screenshot) - This command leverages Windows GDI+ to take the screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.
- INJC (Process Injection) - The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process it writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.
INJC routine
- PSLS (Process List) - Calls NtQuerySystemInformation with SystemProcessInformation to retrieve an array containing all the running processes. Information sent about each process to the C2:
- PID
- ParentPID
- Image Name
- Owner
- DMON (Creates Process) - The command seems similar to PROC with the only difference being the output of the process execution is not sent back to the C2. It receives the process name from the C2 and executes it using CreateProcess.
- UPDM (Upload and Create Process) - Allows the C2 and upload a file and then execute it using DMON command.
SharpExecutor and PowerSession Commands
Interestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named WoodySharpExecutor and WoodyPowerSession respectively. WoodySharpExecutor provides the malware ability to run .NET code received from the C2. WoodyPowerSession on the other hand allows the malware to execute PowerShell commands and scripts received from the C2.
WoodyPowerSession makes use of pipelines to execute these PS commands. The .NET dlls are loaded by the malware and commands are executed via the methods present in these DLLs:
SharpExecutor and PowerSession methods
We will look at the commands utilising these DLLs below:
- DN_B (DotNet Binary) - This command makes use of the RunBinaryStdout method to execute Assembly code with arguments received from the C2. The code is received as an array of Base64 strings separated by 0x20 character.
- DN_D (DotNet DLL) - This method provides the attacker a lot more control over the execution. An attacker can choose whether to send the console output back to the C2 or not. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. The DLL loads the code and finds and executes the method based on other arguments received from the C2.
- PSSC (PowerSession Shell Command) - Allows the malware to receive a Base64 encoded PowerShell command and execute it.
- PSSS (PowerSession Shell Script) - This command allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.
- PSSM (PowerSession Shell Module) - This command receives an array of Base64 encoded strings, one of which contains the module contents and the other one contains the module name. These strings are decoded and this module is imported to the command pipeline and then invoked.
Malware Cleanup
After creating the command threads, the malware deletes itself from disk. It uses the more commonly known ProcessHollowing technique to do so. It creates a suspended notepad process and then writes shellcode to delete a file into the suspended process using NtWriteVirtualMemory. The entry point of the thread is set by using the NtSetContextThread method and then the thread is resumed. This leads to the deletion of the malware from disk.
Malware deletes itself
Unknown threat actor
This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor.
Malwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. We also already detected the binary payloads via our heuristic malware engines.
IOCs
Woody****Rat:
- 982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0
- 66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b
- b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a
- 43b15071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce
- 408f314b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e
- 0588c52582aad248cf0c43aa44a33980e3485f0621dba30445d8da45bba4f834
- 5c5020ee0f7a5b78a6da74a3f58710cba62f727959f8ece795b0f47828e33e80
- 3ba32825177d7c2aac957ff1fc5e78b64279aeb748790bc90634e792541de8d3
- 9bc071fb6a1d9e72c50aec88b4317c3eb7c0f5ff5906b00aa00d9e720cbc828d
C2s:
- kurmakata.duckdns[.]org
- microsoft-ru-data[.]ru
- 194.36.189.179
- microsoft-telemetry[.]ru
- oakrussia[.]ru
Follina Doc:
Памятка.docx
ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb
Follina html file:
garmandesar.duckdns[.]org:444/uoqiuwef.html
Woody Rat url:
fcloud.nciinform[.]ru/main.css (edited)
Related news
By Deeba Ahmed The RomCom RAT is also tracked as Tropical Scorpius, Void Rabisu, and UNC2596. This is a post from HackRead.com Read the original post: RomCom RAT Targets Pro-Ukraine Guests at Upcoming NATO Summit
Whitepaper called Bughunter's Life-Style: A DIY guide to become an alone long time bughunter for ordinary people. Written in Spanish.
Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.
Former members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022. The findings, which come from Google's Threat Analysis Group (TAG), builds upon a prior report published in July 2022, detailing the continued cyber activity aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war. "UAC-0098 is a threat
Russian threat actors capitalized on the ongoing conflict against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites. Google Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and
A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems. "Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Fortinet FortiGuard Labs researcher Cara Lin said in a report this week. Tracked as CVE-2022-30190, the
Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.
Researchers have spotted the threat group, also known as Fancy Bear and Sofacy, using the Windows MSDT vulnerability to distribute information stealers to users in Ukraine.
Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that's seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.
A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. government targets.
By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you! Talos... [[ This is only the beginning! Please visit the blog for the complete entry ]]
Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.
An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems. "TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in
"Follina" vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.