Security researchers observed multiple new campaigns with modified PoetRAT targeting various public and private sector in Azerbaijan.
The threat actor uses malicious word documents to trick the victims into downloading the malicious document from temporary hosting providers.
The RAT was observed earlier this year using COVID-19 lures to target citizens of Azerbaijan, Government, and Energy Sectors.
The RAT has tools to monitor the hard disk and to exfiltrate the data automatically, along with that it has additional RAT features such as keyloggers, browser-focused password stealers, camera control applications, and other generic password stealers.
The threat actor uses Word documents to drop the malware, it also contains additional malicious macros, which in turn download additional payloads.
Previous versions of the PoetRAT Python interpreter to execute the source code, but the new version of the RAT uses Lua script.
Multiple campaigns observed, in one of the campaign, the word document contains blurred scripts and has the National Emblem of Azerbaijan in the top corners.
Once the user opens the malicious documents it drops Python interpreter and PoetRAT, also the new version uses HTTP protocol for C2 server communication.
In another campaign, the word document alleged to be from the State Service for Mobilization and Conscription of Azerbaijan.
With all the campaigns the attacker continuous to targets VIPs and the public sector and tries to exfiltrate sensitive documents from the compromised systems.