A never-before-seen remote access trojan (RAT) has been discovered in a set of campaigns targeting the energy sector, with a slew of post-exploitation tools to log keystrokes, record footage from webcams and steal browser credentials.
Researchers called the malware “PoetRAT” because of the many references to sonnets by English playwright William Shakespeare throughout the macros, which were embedded in malicious Word documents used in the campaign. Further analysis of the RAT and its distribution reveals a carefully planned, highly targeted campaign against the Azerbaijani public and private sectors, as well as SCADA systems.
“We observed an actor using multiple tools and methodologies to carry out their full attack chain,” wrote Warren Mercer, Paul Rascagneres and Vitor Ventura of Cisco Talos in a Thursday analysis. “Talos identified multiple lure documents during this campaign which all made use of Visual Basic macros and then Python to carry out their attacks on victims. The adversaries’ targets are very specific and appear to be mostly Azerbaijan organizations in the public and private sectors, specifically ICS and SCADA systems in the energy industry.”
At this time, researchers told Threatpost they aren’t sure who is behind the malware, or how they are distributing it. However, given that the initial foothold is established via a malicious Word document, researchers guess that victims are tricked into downloading the document via email or a social media message.
Researchers discovered three separate documents distributing the malware. The first, from February 2020, contained only blurred pictures and no text. One of those blurred pictures was the logo of the DRDO, the Defense Research and Development Organization of India’s Ministry of Defense (researchers said, however, that there is no evidence India is targeted by this actor).
In April, researchers came across two more documents distributing the RAT, both of which used lures related to the ongoing coronavirus pandemic. The first, which contained unreadable content, was named “C19.docx,” likely a reference to COVID-19. The second was named “Azerbaijan_special[.]doc” and had evolved to look more realistic: it was written in Russian and purported to be an Azerbaijan government document.
All files were located on a server tied back to: hxxp://govaz[.]herokuapp[.]com/content/section_policies[.]docx. Researchers also found a phishing campaign linked to this server purporting to be from the webmail of the Azerbaijan government, the purpose of which was to steal credentials.
“We believe this phishing page was used to phish for credentials from the Azerbaijan government platform,” Mercer told Threatpost. “We cannot specifically say if there was a similar phishing campaign for the energy sector also.”
The RAT
For all of these documents, once macros are enabled, a Visual Basic script dropper runs. The script reads the Word document itself back into memory, because the document carries a ZIP archive (“smile.zip”) containing a Python interpreter and the Python scripts that make up the RAT.
The macros then unzip the archive and execute a main script, “launcher.py,” which checks the environment the document was opened in for signs of a sandbox: if the hard drive is smaller than 62GB, the script assumes it is running in a sandbox and deletes the malware scripts.
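The dropper mechanism described above lends itself to a simple triage check. The following is an added example, not code from Talos or Threatpost: it scans a document for ZIP archives carried inside it, lists their entries and flags names matching the bundled interpreter and scripts the article mentions. It assumes the archive is stored as a raw ZIP (appended to or embedded in the document) and runs against a constructed stand-in document, not a real lure.

```python
"""Triage helper: locate ZIP archives carried inside a document and list what they hold.

Added example (not Talos' or Threatpost's code). Assumption: the lure document carries the
archive as a raw ZIP, so it can be found by its end-of-central-directory (EOCD) record and
the central-directory offsets that record points back to. An OOXML .docx is itself a ZIP,
so a real document yields one archive at offset 0 plus any archive appended after it.
"""
import io
import struct
import zipfile

ZIP_EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4sHHHHIIH"          # signature, disk numbers, entry counts, cd size, cd offset, comment length
EOCD_LEN = struct.calcsize(EOCD_FMT)

# Names worth escalating if they show up inside a document-carried archive. Assumption: based
# on the article's description of a bundled interpreter plus launcher and RAT scripts.
SUSPICIOUS_NAMES = {"launcher.py", "frown.py", "smile.py", "python.exe", "pythonw.exe"}


def find_embedded_zips(blob: bytes):
    """Return (start, end) byte ranges of every ZIP archive found in blob.

    For each EOCD record, start = eocd_offset - cd_size - cd_offset. That recovers the
    archive's first byte even when it sits behind other data (an appended archive).
    """
    ranges = []
    pos = blob.find(ZIP_EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(blob):
            _sig, _disk, _cd_disk, _n_disk, total, cd_size, cd_off, clen = struct.unpack_from(EOCD_FMT, blob, pos)
            start = pos - cd_size - cd_off
            if total > 0 and start >= 0:
                ranges.append((start, pos + EOCD_LEN + clen))
        pos = blob.find(ZIP_EOCD_SIG, pos + 1)
    return ranges


def triage_document(blob: bytes):
    """Describe each archive in blob: its offset, its entry names and the names to escalate."""
    report = []
    for start, end in find_embedded_zips(blob):
        try:
            with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue  # signature matched inside arbitrary data; not a parseable archive
        flagged = sorted(n for n in names if n.rsplit("/", 1)[-1].lower() in SUSPICIOUS_NAMES)
        report.append({"offset": start, "entries": names, "flagged": flagged})
    return report


def build_sample() -> bytes:
    """Constructed sample: a stand-in OOXML document with a second ZIP appended after it."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
        return buf.getvalue()

    docx = make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 32,  # OLE header stub, stands in for the macros
    })
    smile = make_zip({
        "python.exe": b"MZ" + b"\x00" * 64,    # placeholder for the bundled interpreter
        "launcher.py": b"import shutil\n",
        "frown.py": b"# C2 channel\n",
        "smile.py": b"# command handlers\n",
    })
    return docx + smile


if __name__ == "__main__":
    for archive in triage_document(build_sample()):
        print(f"archive at offset {archive['offset']}: {len(archive['entries'])} entries, "
              f"flagged: {archive['flagged'] or 'none'}")
```

Run it against a suspect file by replacing `build_sample()` with the file's bytes. Note that `zipfile.ZipFile` opened on the whole file would silently parse only the last archive (it tolerates leading data), which is why the scan walks every EOCD record instead of trusting a single open.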
“We saw the almost exclusive use of Python for the attacker, to the point where they brought the whole interpreter with them to their victim machines,” Mercer told Threatpost. “This is quite interesting because Python executions are generally not under the same scrutiny as, say, Powershell, but it can have equally damaging impacts on your environment.”
The RAT itself consists of two main scripts: “frown.py,” which handles communications with the command-and-control (C2) server, and “smile.py,” which executes the C2 commands. Those commands gather system information, take screenshots, and copy, compress and hide files, among other things.
During the campaign, the operator deployed additional post-exploitation tools on the targeted systems, including “dog.exe,” which monitors hard drive paths and exfiltrates the information via either an email account or an FTP server, depending on its configuration. Another tool, “Bewmac,” lets the attacker record from the victim’s webcam. Researchers also came across a keylogger, a browser credential stealer, an open-source privilege-escalation framework (WinPwnage) and the open-source pentesting and network scanning tool Nmap.
“The actor monitored specific directories, signaling they wanted to exfiltrate certain information on the victims,” said researchers. “The attacker wanted to gain a full picture of the victim by using a keylogger, browser credential stealers and Mimikatz and pypykatz for further credential harvesting… The attacker wanted not only specific information obtained from the victims but also a full cache of information relating to their victim. They would have been able to gain potentially very important credentials and information using these techniques given their victimology.”