For at least a year, an unknown threat actor has been spear-phishing Russian entities with a newly discovered remote access trojan known as Woody RAT.
The advanced custom backdoor is believed to be delivered via one of two methods: archive files, or Microsoft Office documents that exploit the now-patched "Follina" vulnerability in the Windows Support Diagnostic Tool (CVE-2022-30190).
The Woody RAT implant, like other implants built for espionage-focused operations, has a range of features that let the threat actor remotely take control of infected devices and steal confidential data from them.
Malwarebytes researchers Ankur Saini and Hossein Jazi stated in a report published this week that the earliest versions of this RAT were usually delivered as a ZIP file posing as a document specific to a Russian organization.
“When the Follina vulnerability was publicly disclosed, the threat actor shifted to using it to disseminate the payload.”
In one case, the hacking group attempted to attack the Russian aerospace and military company OAK, using information obtained through a fake domain created solely for this purpose.
Attacks exploiting this Windows flaw as part of the campaign first came to light on June 7, 2022, when researchers from MalwareHunterTeam disclosed the use of a document named "Памятка.docx" (which translates to "Memo.docx") to deliver a CSS payload containing the trojan.
The document serves as a decoy: it purports to offer recommended security practices for passwords and other private information while introducing the backdoor.
Besides encrypting its communications with a remote server, Woody RAT can launch additional malware, write arbitrary files to the system, delete files, enumerate directories, take screenshots, and compile a list of running processes.
The malware also bundles two .NET libraries, named WoodySharpExecutor and WoodyPowerSession, which can execute .NET code and PowerShell commands received from the server, respectively.
To evade security software installed on the infected host, the malware also uses process hollowing to inject itself into a suspended Notepad process, and then deletes itself from disk.
Malwarebytes has not yet attributed the attacks to a specific threat actor, citing a lack of conclusive evidence tying the campaign to a previously known group, even though nation-state collectives from China and North Korea have targeted Russia in the past.
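The delivery chain and evasion behaviours described above (an Office document handing off to the Support Diagnostic Tool, notepad.exe being spawned by an unexpected parent as a hollowing target, and the spawning executable removing itself from disk) are the kind of process-chain indicators a defender can hunt for in endpoint telemetry. The following is an added detection example, not code from the article or from Malwarebytes; it runs over constructed Sysmon-style ProcessCreate (EventID 1) and FileDelete (EventID 23) records, and the baseline set of "normal" notepad.exe parents is an assumption for illustration.

```python
from datetime import datetime, timedelta

# Office applications whose child msdt.exe would match the Follina delivery path.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed baseline of parents that normally launch notepad.exe on a workstation.
NORMAL_NOTEPAD_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# Constructed sample records (not real telemetry); field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2022-06-07 10:00:05.000", "ProcessId": 4100,
     "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "UtcTime": "2022-06-07 10:00:12.000", "ProcessId": 4200,
     "Image": r"C:\Users\user\AppData\Local\Temp\memo_update.exe",  # hypothetical dropper name
     "ParentImage": r"C:\Windows\System32\msdt.exe"},
    {"EventID": 1, "UtcTime": "2022-06-07 10:00:20.000", "ProcessId": 4300,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\memo_update.exe"},
    {"EventID": 23, "UtcTime": "2022-06-07 10:00:25.000", "ProcessId": 4200,
     "Image": r"C:\Users\user\AppData\Local\Temp\memo_update.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\memo_update.exe"},
    # Benign activity that must not be flagged: a user opening Notepad from Explorer.
    {"EventID": 1, "UtcTime": "2022-06-07 10:05:00.000", "ProcessId": 5000,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 23, "UtcTime": "2022-06-07 10:06:00.000", "ProcessId": 5000,
     "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\user\Documents\draft.txt"},
]


def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _ts(value):
    """Parse Sysmon's UtcTime string."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def detect_woody_indicators(events, window=timedelta(seconds=120)):
    """Return a list of findings, one dict per matched rule.

    Rules:
      office_spawned_msdt     - an Office process launched msdt.exe (Follina chain)
      notepad_unusual_parent  - notepad.exe launched by a parent outside the baseline
      spawner_self_deleted    - that parent's executable was deleted within `window`
                                after notepad.exe started (self-deletion after hollowing)
    """
    findings = []
    creates = sorted((e for e in events if e["EventID"] == 1), key=lambda e: e["UtcTime"])
    deletes = [e for e in events if e["EventID"] == 23]
    for e in creates:
        image, parent = _name(e["Image"]), _name(e["ParentImage"])
        if image == "msdt.exe" and parent in OFFICE_IMAGES:
            findings.append({"rule": "office_spawned_msdt", "pid": e["ProcessId"], "parent": parent})
        if image == "notepad.exe" and parent not in NORMAL_NOTEPAD_PARENTS:
            findings.append({"rule": "notepad_unusual_parent", "pid": e["ProcessId"], "parent": parent})
            started = _ts(e["UtcTime"])
            for d in deletes:
                same_file = d["TargetFilename"].lower() == e["ParentImage"].lower()
                if same_file and started <= _ts(d["UtcTime"]) <= started + window:
                    findings.append({"rule": "spawner_self_deleted", "pid": e["ProcessId"],
                                     "deleted": d["TargetFilename"]})
    return findings


if __name__ == "__main__":
    for finding in detect_woody_indicators(SAMPLE_EVENTS):
        print(finding)
```

Each rule is weak on its own (Notepad launched from an installer, or a legitimate updater deleting its own temp binary, will produce one-off hits), so the value is in the correlation: an unexpected parent for notepad.exe whose own executable disappears from disk shortly afterwards is a much stronger signal than either event alone, and the Office-to-msdt.exe chain can be blocked outright on hosts that have no business running the diagnostic tool from a document.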