Tuesday, August 9, 2022

Remote Access Trojan Dubbed Woody Rat Delivered as Office Documents


The Threat Intelligence team at Malwarebytes discovered a new Remote Access Trojan called 'Woody Rat' that targets Russian entities using lures delivered as archive files and as Office documents that exploit the Follina vulnerability.

Malwarebytes researchers said the threat actors aim to target a Russian aerospace and defense entity called 'OAK'.

Remote Access Trojan – Woody Rat

According to the researchers, Woody Rat has been distributed in two different formats, namely archive files and Office documents that exploit the Follina vulnerability.

The Follina vulnerability allows an attacker to execute arbitrary code using a malicious Word document. It leverages the built-in MS URL handlers to trigger msdt.exe; that process can then be used to execute PowerShell commands.

In this case, the threat actor is using a Microsoft Office document weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat.
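As an added example (not code from the article or from Malwarebytes), the check below scans the relationship parts of a .docx for the two markers of the Follina delivery chain described above: an OLE object relationship that resolves to an external target, and any target using the ms-msdt: scheme that invokes msdt.exe. The sample documents are built in memory from constructed relationship XML with a placeholder URL.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package-relationships namespace and the relationship type used for OLE objects.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def suspicious_relationships(docx_bytes):
    """Scan every .rels part of a .docx for the Follina delivery pattern: an oleObject
    relationship resolved from an external target, or any target using the ms-msdt:
    URL scheme that launches msdt.exe. Returns (part, target, reason) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if external and rel.get("Type") == OLE_REL_TYPE:
                    findings.append((part, target, "external oleObject relationship"))
                if target.strip().lower().startswith("ms-msdt:"):
                    findings.append((part, target, "ms-msdt: URL scheme"))
    return findings


def build_sample_docx(rels_xml):
    """Constructed fixture: a minimal docx-shaped zip, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one ordinary, one shaped like a Follina document.
# The external target is a labelled placeholder, not a real URL.
BENIGN_RELS = (
    f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" Target="styles.xml" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>'
    "</Relationships>"
)
SUSPECT_RELS = (
    f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId2" TargetMode="External" '
    f'Type="{OLE_REL_TYPE}" Target="http://placeholder.invalid/lure.html"/></Relationships>'
)
```

Run the scanner over a real document's bytes (`open(path, "rb").read()`) to triage attachments; a hit on either reason is a strong signal to detonate the file in a sandbox rather than open it.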

https://i0.wp.com/blog.malwarebytes.com/wp-content/uploads/2022/08/figure1.png?w=696&ssl=1
Woody Rat distribution methods

The initial versions of this RAT were archived into a zip file pretending to be a document specific to a Russian organization. After the Follina vulnerability appeared, the threat actors switched to it to distribute the payload.

In the archive file method, Woody Rat is packaged into an archive file and sent to victims. It is believed that these archive files were distributed using spear phishing emails. For example, anketa_brozhik.doc.zip contains Woody Rat under the same name with a double extension: Anketa_Brozhik.doc.exe.

Once installed, the RAT gathers system information, lists folders and running processes, executes commands and files received from the command-and-control (C2) server, downloads, uploads, and deletes files on infected machines, and takes screenshots.

Experts say this RAT can execute .NET code and PowerShell commands and scripts received from its C2 server using two DLLs named WoodySharpExecutor and WoodyPowerSession.

"Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor", say the researchers.
