Woody RAT malware compromised multiple Russian entities

August 11, 2022

A group of unidentified threat actors has targeted several Russian organisations with a new malware called Woody RAT. This remote access trojan lets the attackers take control of infected devices and steal large volumes of data from them remotely.

One of the Russian entities compromised by this malware is a government-managed defence corporation. The researchers also reported that the attackers registered a fake domain, showing that they attempted to target the Russian aerospace and defence corporation OAK.

Woody RAT has various capabilities that threat actors have utilised for at least a year.

According to reports, Woody RAT is currently delivered to targeted devices via phishing emails, using two distribution vectors. The first is a ZIP archive containing the payload. The second is an MS Office document that exploits the Follina flaw to drop the payload.

Woody RAT's capabilities include harvesting system information, listing folders and running processes, executing commands and files retrieved from its C2 server, and downloading, uploading and deleting files on compromised devices.

Furthermore, the malware can run PowerShell commands as well as .NET code and scripts fetched from its command-and-control server, using two DLLs called WoodyPowerSession and WoodySharpExecutor.

Once the RAT is launched by its operators on an infected device, the malware uses process hollowing to inject itself into a suspended Notepad process. It then deletes itself from the disk to avoid detection by security solutions.
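A detection sketch for the sequence just described (notepad.exe spawned by an unexpected parent, followed by the disappearance of that parent's executable from disk), written as an added example in Python; it is not code from the article or from the underlying malware analysis, and the event schema, the sample events and the list of benign Notepad parents are assumptions constructed here.

```python
from datetime import datetime, timedelta

# Parents from which a new notepad.exe is treated as normal (assumption).
BENIGN_NOTEPAD_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# How soon after the launch the parent's image must vanish to correlate.
SELF_DELETE_WINDOW = timedelta(minutes=5)

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_hollowing_candidates(events):
    """Flag notepad.exe launched by an unusual parent whose image file is
    deleted (by any process) within SELF_DELETE_WINDOW of that launch."""
    suspicious = []  # (launch time, parent pid, parent image path)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "process_create" and _basename(ev["image"]) == "notepad.exe":
            if _basename(ev["parent_image"]) not in BENIGN_NOTEPAD_PARENTS:
                suspicious.append((ts, ev["parent_pid"], ev["parent_image"]))
        elif ev["event"] == "file_delete":
            for launched_at, ppid, pimage in suspicious:
                if (ev["path"].lower() == pimage.lower()
                        and timedelta(0) <= ts - launched_at <= SELF_DELETE_WINDOW):
                    alerts.append({"parent_pid": ppid, "parent_image": pimage,
                                   "deleted_by_pid": ev["pid"], "deleted_at": ev["ts"]})
    return alerts

# Constructed sample telemetry (not real data): one benign Notepad launch,
# one launch from a downloaded executable that is then removed from disk.
SAMPLE_EVENTS = [
    {"ts": "2022-08-11T10:00:00", "event": "process_create", "pid": 400,
     "image": r"C:\Windows\System32\notepad.exe", "parent_pid": 100,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2022-08-11T10:01:00", "event": "process_create", "pid": 512,
     "image": r"C:\Windows\System32\notepad.exe", "parent_pid": 500,
     "parent_image": r"C:\Users\user\Downloads\report.exe"},
    {"ts": "2022-08-11T10:01:02", "event": "file_delete", "pid": 512,
     "path": r"C:\Users\user\Downloads\report.exe"},
    {"ts": "2022-08-11T10:02:00", "event": "file_delete", "pid": 100,
     "path": r"C:\Users\user\tmp.txt"},
]

if __name__ == "__main__":
    for alert in find_hollowing_candidates(SAMPLE_EVENTS):
        print(alert)
```

The benign Notepad launch and the unrelated deletion produce nothing; only the launch from the Downloads executable followed by that file's deletion is reported.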

Woody RAT also encrypts its command-and-control communication channels using a combination of AES-CBC and RSA-4096 to evade network-based monitoring. Researchers have yet to link the malware and the campaign to any known threat group. However, a few possible candidates have been suggested, in particular North Korean and Chinese APT groups.

Most researchers claim that this malware is closely related to a Chinese advanced persistent threat group, since incidents originating from China have targeted Russian organisations. Experts therefore suggest that Russian entities watch for further threats that may appear soon.
