As the title suggests, Russian organizations are under attack by a new remote access trojan named Woody RAT. The threat actor remains unknown and the malware has been active in the wild for at least a year.

Diving into details

  • The malware was being delivered via archive files and MS Office documents by abusing the Follina vulnerability.  
  • A fake domain registered by the threat actors revealed that they attempted to target a Russian aerospace and defense firm, named OAK. 
  • The phishing emails carry the malware in one of two forms: ZIP archives containing the malicious payload, or MS Office documents posing as an “Information Security memo” that abuse Follina.
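For the document-based delivery path, a defender can triage attachments statically before they reach a mailbox. The scanner below is an added example, not code from the report or from Cyware: it opens a .docx as the ZIP container it is and flags the relationship pattern used by Follina lures, an oleObject relationship whose target is an external URL, plus any `ms-msdt:` scheme string inside the package. The sample documents are constructed in memory with a placeholder `lure.invalid` host.

```python
"""Static triage of Office Open XML (.docx) attachments for Follina-style lures.
Added example; the sample documents below are constructed, not real samples."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return targets of oleObject relationships marked TargetMode="External".

    A benign embedded OLE object points at a part inside the package
    (e.g. embeddings/oleObject1.bin); Follina lures point at a remote URL.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/document.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target"))
    return hits


def msdt_scheme_parts(docx_bytes: bytes) -> list:
    """Return package members that contain the ms-msdt: protocol handler string."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [name for name in zf.namelist() if MSDT_SCHEME.search(zf.read(name))]


def classify(docx_bytes: bytes) -> dict:
    """Combine both checks into a verdict suitable for a mail-gateway rule."""
    targets = external_ole_targets(docx_bytes)
    parts = msdt_scheme_parts(docx_bytes)
    return {
        "external_ole_targets": targets,
        "msdt_parts": parts,
        "suspicious": bool(targets or parts),
    }


def build_docx(rels_xml: str) -> bytes:
    """Construct a minimal .docx-shaped archive around the given rels XML (test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed inputs: a normal embedded object versus an external-target lure.
BENIGN_RELS = (f'<Relationships xmlns="{REL_NS}">'
               f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
               f'Target="embeddings/oleObject1.bin"/></Relationships>')
LURE_RELS = (f'<Relationships xmlns="{REL_NS}">'
             f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
             f'Target="http://lure.invalid/memo.html!" TargetMode="External"/>'
             f'</Relationships>')

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("lure", LURE_RELS)):
        print(label, classify(build_docx(rels)))
```

The external-target check is the durable signal: the remote HTML that carries the `ms-msdt:` handler is fetched at open time and is usually absent from the document itself, so a gateway rule should not rely on the scheme string alone.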

Woody’s features

  • It can accumulate system information; list folders and running processes; execute commands received from the C2 server; and download, upload, and delete files on compromised machines. 
  • Woody RAT can, furthermore, execute PowerShell commands and scripts, as well as .NET code, received from the C2 server.
  • Following its launch, the malware uses process hollowing to inject itself into a suspended Notebook process; it then deletes itself from disk and resumes the thread.
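The launch sequence above (start a child suspended, delete the dropper's own file, resume the child's thread) is a correlation a SIEM or EDR rule can key on. The script below is an added example, not code from the report: it runs that correlation over a constructed, hypothetical telemetry schema with `ProcessCreate`, `FileDelete` and `ThreadResume` records. Real endpoint sensors name these fields differently, so the field names are assumptions to be mapped onto your own source.

```python
"""Correlate constructed endpoint telemetry for a hollowing launch sequence.
Added example; the event schema and the sample events are hypothetical."""

# Constructed sample telemetry. pid 100 is a dropper that starts a host
# process suspended, deletes itself, then resumes the host's thread.
# pid 200 is a benign debugger-like parent: suspended child, no self-delete.
EVENTS = [
    {"ts": 1, "event": "ProcessCreate", "pid": 100, "ppid": 1,
     "image": r"C:\Users\u\Downloads\dropper.exe", "suspended": False},
    {"ts": 2, "event": "ProcessCreate", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\host.exe", "suspended": True},
    {"ts": 3, "event": "FileDelete", "pid": 100,
     "path": r"c:\users\u\downloads\DROPPER.EXE"},
    {"ts": 4, "event": "ThreadResume", "pid": 100, "target_pid": 101},
    {"ts": 5, "event": "ProcessCreate", "pid": 200, "ppid": 1,
     "image": r"C:\Tools\debugger.exe", "suspended": False},
    {"ts": 6, "event": "ProcessCreate", "pid": 201, "ppid": 200,
     "image": r"C:\Tools\target.exe", "suspended": True},
    {"ts": 7, "event": "ThreadResume", "pid": 200, "target_pid": 201},
]


def find_hollowing_candidates(events):
    """Return children created suspended whose parent later deleted its own image.

    Each finding records whether a cross-process thread resume was also seen,
    which raises confidence that the suspended child was actually hollowed.
    """
    events = sorted(events, key=lambda e: e["ts"])
    image_of = {}            # pid -> on-disk image path
    suspended_children = {}  # child pid -> (parent pid, creation timestamp)
    deletions = []           # (ts, deleting pid, path)
    resumed = set()          # pids resumed by a different process
    for e in events:
        if e["event"] == "ProcessCreate":
            image_of[e["pid"]] = e["image"]
            if e.get("suspended"):
                suspended_children[e["pid"]] = (e["ppid"], e["ts"])
        elif e["event"] == "FileDelete":
            deletions.append((e["ts"], e["pid"], e["path"]))
        elif e["event"] == "ThreadResume" and e["target_pid"] != e["pid"]:
            resumed.add(e["target_pid"])

    findings = []
    for child, (parent, t_create) in suspended_children.items():
        parent_image = image_of.get(parent, "").lower()
        # Paths are compared case-insensitively, as on NTFS.
        self_deleted = any(
            ts > t_create and pid == parent and path.lower() == parent_image
            for ts, pid, path in deletions
        )
        if self_deleted:
            findings.append({"parent_pid": parent, "child_pid": child,
                             "resumed": child in resumed})
    return findings


if __name__ == "__main__":
    for f in find_hollowing_candidates(EVENTS):
        print(f)
```

Requiring the self-delete step is what keeps the benign debugger out of the results: a suspended child plus a resume on its own is routine for debuggers and some installers, while a parent that removes its own executable while a suspended child is still alive is rarely legitimate.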

Latest RATs in headlines

  • One of the latest malware families, named Manjusaka, was found advertising itself as an alternative to Cobalt Strike and Sliver. Its RAT implants can execute commands, access files, and perform reconnaissance, among other capabilities. 
  • The STIFF#BIZON campaign was found disseminating Konni RAT. The campaign was conducted by North Korea-based APT37 against Poland and the Czech Republic.

The bottom line

While RATs have always been a popular tool among cybercriminals, they have lately gained greater prevalence and wider use by financially motivated threat actors. Moreover, the rise in RAT use has been driven by developers making their malware cheaper and more readily accessible. The emergence of new RATs and the increase in malicious activities leveraging RATs highlight the importance of having complete visibility into the threat landscape, which can be obtained through sharing threat intelligence and implementing advanced defense solutions.
Cyware Publisher