Wednesday, April 24, 2024

A New Remote Access Trojan Dubbed Woody Rat Delivered as Office Documents

The Threat Intelligence team of Malwarebytes discovered a new Remote Access Trojan called ‘Woody Rat’ that targets Russian entities by using lures in archive file format and Office documents leveraging the Follina vulnerability.

Malwarbytes researchers stated that the threat actors aim to target a Russian aerospace and defense entity called ‘OAK’.

Remote Access Trojan – Woody Rat

According to the researchers, Woody Rat has been distributed using two different formats namely, archive files and Office documents using the Follina vulnerability.

The Follina vulnerability allows an attacker to execute arbitrary code using a malicious Word document. This vulnerability leverages the built-in MS URL handlers to trigger msdt.exe, this process can then be used to execute PowerShell commands.

In this case, the threat actor is using a Microsoft Office document that has weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat.
Woody Rat distribution methods

The initial versions of this Rat were archived into a zip file pretending to be a document specific to a Russian group. But after the arrival of Follina vulnerability, threat actors switched to it to distribute the payload.

In the Archive files method, Woody Rat is packaged into an archive file and sent to victims. It is believed that these archive files have been distributed using spear phishing emails. For instance: Contains Woody Rat with the same name: Anketa_Brozhik.doc.exe.

Therefore the distribution methods gather system information, list folders and running processes, execute the commands and files received from the command-and-control (C2) server, downloading, upload, and delete files on infected machines, and take screenshots.

Experts say this Rat can execute .NET code and PowerShell commands and scripts received from its C2 server using two DLLs named WoodySharpExecutor and WoodyPowerSession.

“Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor”, say the researchers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.


Latest articles

Spyroid RAT Attacking Android Users to Steal Confidential Data

A new type of Remote Access Trojan (RAT) named Spyroid has been identified.This...

Researchers Uncover that UK.GOV Websites Sending Data to Chinese Ad Vendor Analysts

Analysts from Silent Push, a data analytics firm, have uncovered several UK government websites...

Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members...

IBM Nearing Talks to Acquire Cloud-software Provider HashiCorp

IBM is reportedly close to finalizing negotiations to acquire HashiCorp, a prominent cloud infrastructure...

Rewards Up to $10 Million for Information on Iranian Hackers

The United States Justice Department has announced big rewards for information leading to the...

PoC Exploit Released For Critical Oracle VirtualBox Vulnerability

Oracle Virtualbox was identified and reported as having a critical vulnerability associated with Privilege...

Tracing the Steps of Cyber Intruders: The Path of Lateral Movement

When cyber attacks strike, it's rarely a single computer that suffers. Nowadays, cybercriminals set...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles