Pandemic shakespearean Remote Access Tool

April 24, 2020
remote access tool malware shakespearean antimalware rat poetrat

The exposure of the Remote Access Tool

Cisco Talos researchers, as part of their malware detection process, able to find new attacks within a specific sector in Azerbaijan, as reported. The program is a malware remote access trojan (RAT)  unknown family protocol. It can gather intel from the infected system from essential data such as passwords, access control, and even interpret images that are captured through webcam. The main target of the attack is usually the industry that manages energy networks and manufacturing systems.

Further investigation confirmed that the code used was written in Python language. Research shows that the form was similar and references to various sonnets written by English playwright William Shakespeare; thus, branding it as ‘PoetRAT.’

Since the program uses Python-based tools, malware virus protection applications may bypass or treat the code as non-invasive because many protection programs have whitelisted Python applications and their execution techniques.


The social engineering technique before the payload

With the ongoing pandemic crisis, this paves the way for the malicious attacker to bait on their victim. On the said location, the code was embedded through an email on a Word document that uses a filename that linked to COVID-19 and other news on current events. The sender of the virus hides by somewhat affiliated to the local government of Azerbaijan or India’s Ministry of Defense.

Mostly the word file has no content, but this will run the Python script in the background. The script will search first to check the environment to ensure that it is not a sandbox nor a test environment. Here is how it works:

  • The malware confirms whether or not it has successfully penetrated the production environment.
  • It will run the two program script, specifically for sending a communication to the attacker to notify that the payload has infected a system.
  • Afterward, the attacker will use the payload that has established a payload command center to execute access to the infected system through remote access.
  • In addition to this said script, hackers may install more applications to the infected system to obtain in-depth target information stored on the infected system.

Listed on the report are Dog.Exe for brute force on rewriting system important executables files to monitor hard drive configuration get information on email. Another is called ‘Bewmac’ designed especially for webcam remote access.


What comes next after the discovery

Currently, the Cybercrime Solutions team of Cisco Talos is now monitoring a phishing website that infringes the webmail system of the Azerbaijan government in addition to this attack in the country. They just released this report to notify the public and be more vigilant against this type of threat for protection and run needed software to mitigate the damage of such an attack.

iZOOlogic, on the other hand, will remain vigilant against social engineering tactics and the techniques combined with the Malware payload it brings. Every extracted data from machines and people are vital because this will inevitably lead to more phishing campaigns. Our phishing intelligence is 24/7 on the move, gathering intel taking proactive measures against emerging threats to protect different industries we work with efficiently.

About the author

Leave a Reply