Malwarebytes researchers discovered an unidentified malicious actor who has been victimizing Russian organizations with a brand new remote access trojan named Woody RAT for at least a year as part of a spear-phishing campaign.
The Malware was being delivered via two methods: archive files and Microsoft Office documents compromising the Follina Windows Flaw (CVE-2022-30190).
Like other state sponsors of cyber operations, Woody RAT facilitates a wide range of features that allows the group of threat actors to take full remote control of the system and steal important data from the infected systems.
The team said that the attackers mainly focused on Russian organizations based on a fake domain they have registered, Malwarebytes is well aware of the fact that the attackers tried to target a Russian aerospace and defense entity known as OAK.
“The earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.” states the report published by Malwarebytes.
As per the technical data, the RAT is advanced malware that is equipped with multiple backdoor capabilities including writing arbitrary files to the machine, capturing screenshots, executing additional malware, enumerating directories, deleting files, and gathering a list of running processes.
Also, the malware has two malicious codes; NET DLLs embedded inside named WoodySharpExecutor and WoodyPowerSession. WoodySharpExecutor allows the malware to run the NET code received from the C2, while WoodyPowerSession enables the malware to execute PowerShell commands and scripts received from the C2.
Once the command threads are created the malware removes itself from the disk with the help of the ProcessHollowing technique.
“This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as the Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor,” concludes the report.
