Unknown attackers are specifically targeting Russian companies with malware that enables remote control of infected machines and theft of information from them. According to Malwarebytes, a government-controlled military company is among the Russian enterprises targeted by this spyware.
“Based on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as OAK,” said the Malwarebytes Labs research experts.
This remote access trojan (RAT), known as Woody Rat, has been used in cyberattacks for at least a year and has a wide range of capabilities. It is currently spread via phishing emails carrying either ZIP archives that contain the malicious payload or Microsoft Office documents titled “Information security memo” that drop the payload by exploiting the Follina vulnerability.
“The earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group,” said the researchers. “When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by MalwareHunterTeam.”
Its capabilities include gathering system information, listing directories and running processes, executing commands and files received from its command-and-control (C2) server, downloading, uploading, and deleting files on infected computers, and capturing screenshots. Using two DLLs called WoodySharpExecutor and WoodyPowerSession, Woody Rat can also run .NET code, PowerShell commands, and scripts it receives from its C2 server.
When the malware is executed on a compromised device, it uses process hollowing to inject itself into a suspended Notepad process, deletes its own file from disk to avoid detection by security software, and then resumes the suspended thread. The RAT encrypts its C2 communications with RSA-4096 and AES-CBC to evade network-based monitoring. Malwarebytes has not yet attributed the malware or the attacks to a known threat group, but it has stated that Chinese and North Korean APTs are on a very short list of candidates.
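The execution chain above (a dropper starting notepad.exe suspended, removing its own image from disk, then resuming the hollowed thread) is something endpoint telemetry can correlate. The following is an added detection example, not code from Malwarebytes or from this article; the event schema and the constructed sample events are assumptions standing in for real EDR or Sysmon data.

```python
from collections import defaultdict

# Constructed, simplified EDR-style events (not real telemetry) illustrating the
# chain: a dropper starts notepad.exe with CREATE_SUSPENDED, deletes its own
# executable, then resumes the child. The last event is a benign Notepad launch.
SAMPLE_EVENTS = [
    {"t": 100, "type": "process_create", "pid": 41, "ppid": 9,
     "image": r"C:\Users\u\Downloads\memo.exe", "flags": []},
    {"t": 101, "type": "process_create", "pid": 42, "ppid": 41,
     "image": r"C:\Windows\System32\notepad.exe", "flags": ["CREATE_SUSPENDED"]},
    {"t": 102, "type": "file_delete", "pid": 41, "path": r"C:\Users\u\Downloads\memo.exe"},
    {"t": 103, "type": "thread_resume", "pid": 41, "target_pid": 42},
    {"t": 200, "type": "process_create", "pid": 77, "ppid": 5,
     "image": r"C:\Windows\System32\notepad.exe", "flags": []},
]


def detect_hollow_and_self_delete(events, window=30):
    """Return one alert per parent process that (1) spawns notepad.exe suspended,
    (2) deletes the file it was itself loaded from, and (3) resumes that child,
    with the resume happening within `window` seconds of the suspended launch."""
    images = {}                    # pid -> image path recorded at process_create
    suspended = defaultdict(list)  # parent pid -> list of suspended notepad children
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            images[ev["pid"]] = ev["image"]
            is_notepad = ev["image"].lower().endswith("\\notepad.exe")
            if is_notepad and "CREATE_SUSPENDED" in ev.get("flags", []):
                suspended[ev["ppid"]].append(
                    {"child": ev["pid"], "t": ev["t"], "self_deleted": False})
        elif ev["type"] == "file_delete":
            # Self-deletion: the deleting process removes its own executable image.
            if images.get(ev["pid"], "").lower() == ev["path"].lower():
                for s in suspended.get(ev["pid"], []):
                    s["self_deleted"] = True
        elif ev["type"] == "thread_resume":
            for s in suspended.get(ev["pid"], []):
                if (s["child"] == ev["target_pid"] and s["self_deleted"]
                        and ev["t"] - s["t"] <= window):
                    alerts.append({"parent_pid": ev["pid"],
                                   "parent_image": images.get(ev["pid"]),
                                   "hollowed_pid": s["child"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_hollow_and_self_delete(SAMPLE_EVENTS):
        print("suspicious hollowing chain:", alert)
```

Each of the three signals alone is noisy (legitimate installers delete themselves, debuggers start processes suspended); requiring all three from the same parent within a short window is what keeps the rule specific.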
The researchers concluded that this highly capable RAT belongs to a group of unknown threat actors they monitor. Historically, Chinese APTs such as Tonto Team and North Korea’s Konni have targeted Russia. However, based on the information gathered, there were no clear indicators linking this campaign to a particular threat actor. This is consistent with recent reporting from many other security vendors that have observed Chinese cyber groups targeting aerospace companies, government agencies, and Russian officials.