Saturday, July 20, 2024

A New Remote Access Trojan Dubbed Woody Rat Delivered as Office Documents

The Threat Intelligence team of Malwarebytes discovered a new Remote Access Trojan called ‘Woody Rat’ that targets Russian entities by using lures in archive file format and Office documents leveraging the Follina vulnerability.

Malwarebytes researchers stated that the threat actors targeted a Russian aerospace and defense entity called ‘OAK’.

Remote Access Trojan – Woody Rat

According to the researchers, Woody Rat has been distributed using two different formats namely, archive files and Office documents using the Follina vulnerability.

The Follina vulnerability allows an attacker to execute arbitrary code using a malicious Word document. It abuses the built-in ms-msdt: URL protocol handler to launch msdt.exe (the Microsoft Support Diagnostic Tool), and that process can then be made to execute PowerShell commands.

In this case, the threat actor is using a Microsoft Office document that has been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat.
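The execution chain described above (Office document, ms-msdt: handler, msdt.exe) is something a detection engineer can look for in process-creation telemetry. The following is an added example, not code from the Malwarebytes report: it flags msdt.exe launches whose parent is an Office application, or whose command line carries the ms-msdt URL-handler markers. The events are constructed; the field names mirror Sysmon Event ID 1 (ParentImage, Image, CommandLine), and the marker strings are an assumption drawn from public Follina detection guidance rather than from this article.

```python
"""Added example, not from the Malwarebytes report: flag process-creation
events matching the Follina (CVE-2022-30190) chain, i.e. msdt.exe started
by an Office application or with ms-msdt URL-handler arguments."""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Assumption: marker strings come from public Follina detection guidance
# (community Sigma rules), not from the article itself.
FOLLINA_MARKERS = ("ms-msdt:", "pcwdiagnostic", "it_browseforfile", "it_rebrowseforfile")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_follina_like(ev: ProcEvent) -> bool:
    """True when msdt.exe is started by an Office app, or by any parent with the
    ms-msdt URL-handler markers on its command line."""
    if _basename(ev.image) != "msdt.exe":
        return False
    if _basename(ev.parent_image) in OFFICE_APPS:
        return True
    cmd = ev.command_line.lower()
    return any(marker in cmd for marker in FOLLINA_MARKERS)


def triage(events: list[ProcEvent]) -> list[int]:
    """Indices of events that match; a SOC would route these to incident response."""
    return [i for i, ev in enumerate(events) if is_follina_like(ev)]


SAMPLE_EVENTS = [  # constructed telemetry, not captured data
    # Word spawning msdt.exe with the ms-msdt URI: the Follina pattern
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\msdt.exe",
              r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=?"'),
    # A legitimate troubleshooter launch from a service host
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\msdt.exe",
              r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'),
    # Word spawning an unrelated child (print spooler helper)
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe",
              r'"C:\Windows\splwow64.exe" 12288'),
    # Non-Office parent but ms-msdt markers on the command line
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\msdt.exe",
              r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=?"'),
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {_basename(ev.parent_image)} -> {_basename(ev.image)}")
```

Events 0 and 3 are flagged; the svchost.exe troubleshooter launch and the splwow64.exe child are not. Matching on the parent alone would miss the fourth event, which is why the command-line markers are checked as well.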

Figure 1: Woody Rat distribution methods (image: https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure1.png)

The initial versions of this RAT were delivered inside a zip archive posing as a document specific to a Russian group. After the Follina vulnerability became public, the threat actors switched to it to distribute the payload.

In the archive method, Woody Rat is packaged into an archive file and sent to victims, most likely through spear-phishing emails. For instance, anketa_brozhik.doc.zip contains the Woody Rat executable under the matching name Anketa_Brozhik.doc.exe, a double extension meant to pass as a Word document.
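The anketa_brozhik.doc.zip lure relies on the double extension of Anketa_Brozhik.doc.exe. The following is an added example, not code from the Malwarebytes report: it inspects a zip archive for members that masquerade as documents, either by a document extension followed by an executable one, or by a PE header under a document-looking name. The sample archive is constructed in memory with an MZ stub and benign files, so nothing here is real malware.

```python
"""Added example, not part of the Malwarebytes report: scan a zip lure for
members disguised as documents, as Anketa_Brozhik.doc.exe was."""
import io
import os
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
DOC_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt", ".odt"}
PE_MAGIC = b"MZ"


def member_findings(name: str, head: bytes) -> list[str]:
    """Reasons a single archive member looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(base)
    _, inner = os.path.splitext(stem)
    ext, inner = ext.lower(), inner.lower()
    # Anketa_Brozhik.doc.exe: document extension followed by an executable one
    if ext in EXEC_EXT and inner in DOC_EXT:
        reasons.append(f"double extension {inner}{ext}")
    # Named like a document but the content starts with a PE header
    if ext in DOC_EXT and head.startswith(PE_MAGIC):
        reasons.append(f"PE header under {ext} name")
    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Scan every member of a zip held in memory, reading only the first bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            reasons = member_findings(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure: an MZ stub and some benign files, no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Anketa_Brozhik.doc.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("notes.txt", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("report.docx", b"PK\x03\x04" + b"\x00" * 60)  # docx is itself a zip
        zf.writestr("readme.txt", b"plain text, nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_archive(build_sample_archive()).items():
        print(f"{name}: {', '.join(why)}")
```

Checking the file header as well as the name catches the second trick (an executable renamed to .txt) that a pure extension rule would miss; in a mail gateway the same function would run over attachments before delivery.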

Once running, Woody Rat can gather system information, list folders and running processes, execute commands and files received from the command-and-control (C2) server, download, upload and delete files on the infected machine, and take screenshots.

Experts say the RAT can also execute .NET code and PowerShell commands and scripts received from its C2 server, using two DLLs named WoodySharpExecutor and WoodyPowerSession.

“Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor”, say the researchers.

Author: Gurubaran (https://gbhackers.com), co-founder of Cyber Security News and GBHackers On Security, with 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
