URL: https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/
Threat Intelligence


WOODY RAT: A NEW FEATURE-RICH MALWARE SPOTTED IN THE WILD

Posted: August 3, 2022 by Threat Intelligence Team
Last updated: August 4, 2022

The Malwarebytes Threat Intelligence team has discovered a new Remote Access
Trojan, which we dubbed Woody Rat, that is used to target Russian entities.

This blog post was authored by Ankur Saini and Hossein Jazi

The Malwarebytes Threat Intelligence team has identified a new Remote Access
Trojan, which we are calling Woody Rat, that has been in the wild for at least
one year.

This advanced custom Rat is mainly the work of a threat actor that targets
Russian entities, using lures in archive file format and, more recently, Office
documents that leverage the Follina vulnerability.

Based on a fake domain registered by the threat actors, we know that they tried
to target a Russian aerospace and defense entity known as OAK.

In this blog post, we will analyze Woody Rat’s distribution methods,
capabilities as well as communication protocol.


DISTRIBUTION METHODS

Based on our knowledge, Woody Rat has been distributed using two different
formats: archive files and Office documents using the Follina vulnerability.

The earliest versions of this Rat were typically archived into a zip file
pretending to be a document specific to a Russian group. When the Follina
vulnerability became known to the world, the threat actor switched to it to
distribute the payload, as identified by @MalwareHunterTeam.

The following diagram shows the overall attack flow used by the threat actor to
drop Woody Rat:

Woody Rat distribution methods

Archive files

In this method, Woody Rat is packaged into an archive file and sent to victims.
We believe that these archive files have been distributed using spear phishing
emails. Here are some examples of these archive files:

 * anketa_brozhik.doc.zip: It contains Woody Rat with the same name:
   Anketa_Brozhik.doc.exe.
 * zayavka.zip: It contains Woody Rat pretending to be an application
   (application for participation in the selection.doc.exe).

Follina vulnerability

The threat actor is using a Microsoft Office document (Памятка.docx) that has
been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody
Rat. The lure, written in Russian, is called “Information security memo” and
provides security practices for passwords, confidential information, etc.

Document lure


WOODY RAT ANALYSIS

The threat actor has left some debugging information including a pdb path from
which we derived and picked a name for this new Rat:

Debug Information

A lot of CRT functions seem to be statically linked, which leads to IDA
generating a lot of noise and hindering analysis. Before initialization, the
malware effectively suppresses all error reporting by calling SetErrorMode with
0x8007 as parameter.

main function

As we will see later, the malware uses multiple threads, so it allocates a
global object and assigns a mutex to it to make sure no two clashing operations
can take place at the same time. This object enforces that only one thread is
reaching out to the C2 at a given time and that there are no pending requests
before another request is made.


DERIVING THE COOKIE

The malware communicates with its C2 using HTTP requests. To uniquely identify
each infected machine, the malware derives a cookie from machine-specific
values. The values are taken from the adapter information, computer name and
volume information, and the malware appends 8 random bytes to this value to
avoid any possible cookie collisions.

A combination of GetAdaptersInfo, GetComputerNameA and GetVolumeInformationW
functions are used to retrieve the required data to generate the cookie. This
cookie is sent with every HTTP request that is made to the C2.

get_cookie_data function


DATA ENCRYPTION WITH HTTP REQUESTS

To evade network-based monitoring the malware uses a combination of RSA-4096 and
AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is
embedded inside the binary and the malware formulates the RSA public key blob at
runtime using the embedded data and imports it using the BCryptImportKeyPair
function.

The malware derives the key for AES-CBC at runtime by generating 32 random
bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. Both
the malware and the C2 then use these bytes to generate the AES-CBC key with
BCryptGenerateSymmetricKey, which is used in subsequent HTTP requests to
encrypt and decrypt the data. For encryption and decryption the malware uses
BCryptEncrypt and BCryptDecrypt respectively.

RSA Encryption routine
AES Encryption Routine


C2 HTTP ENDPOINT REQUEST

knock – This is the first HTTP request that the malware makes to the C2. The
machine-specific cookie is sent as part of the headers here. This is a POST
request, and its data contains the 32 random bytes used to derive the AES-CBC
key, RSA-4096 encrypted.

The response to this request is decrypted; it contains the URL path (/submit)
to which the additional machine information that the malware gathers after
this operation is submitted.

knock request headers
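The knock exchange described above, together with the RSA-4096/AES-CBC key wrapping from the previous section, as an added example in Go that is not Woody Rat's or Malwarebytes' code. It assumes PKCS#1 v1.5 RSA padding, PKCS#7 block padding and a random IV prefixed to each AES-CBC message (the post names none of these), generates a 2048-bit key pair in place of the implant's embedded 4096-bit public key, and all function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"io"
)

// NewC2Key stands in for the fixed RSA-4096 public key embedded in the implant (2048 bits keeps the run fast).
func NewC2Key() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// pad applies PKCS#7 padding (assumed; the post does not name the padding scheme).
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// Encrypt stands in for BCryptEncrypt: returns iv || AES-256-CBC(key, pad(msg)).
func Encrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt, iv := pad(msg), make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...), nil
}

// Decrypt stands in for BCryptDecrypt: checks lengths first, then strips the PKCS#7 padding.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	p := int(pt[len(pt)-1]) // PKCS#7 length byte (assumed scheme, see pad)
	if p == 0 || p > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-p], nil
}

// ClientKnock keeps 32 random bytes as the AES-256 session key and sends only the RSA-wrapped copy (PKCS#1 v1.5 assumed).
func ClientKnock(pub *rsa.PublicKey) (wrapped, key []byte, err error) {
	key = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	return wrapped, key, err
}

// C2Knock unwraps the key with the private half and answers, AES-encrypted, with the next path (/submit).
func C2Knock(priv *rsa.PrivateKey, wrapped []byte) (key, resp []byte, err error) {
	if key, err = rsa.DecryptPKCS1v15(rand.Reader, priv, wrapped); err != nil {
		return nil, nil, err
	}
	resp, err = Encrypt(key, []byte("/submit"))
	return key, resp, err
}
```

The point worth noting for defenders is that the 32-byte session key never crosses the wire in the clear, so decrypting a captured session requires the C2 operator's private key; the public key recovered from the binary is not enough.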

submit – This endpoint request is used to submit information about the infected
machine. The data sent to the C2 is AES-CBC encrypted. Data sent via submit API
includes:

 * OS
 * Architecture
 * Antivirus installed
 * Computer Name
 * OS Build Version
 * .NET information
 * PowerShell information
 * Python information (Install path, version etc.)
 * Storage drives – includes Drive path, Internal name etc.
 * Environment Variables
 * Network Interfaces
 * Administrator privileges
 * List of running processes
 * Proxy information
 * Username
 * List of all the User accounts

The malware currently detects 6 AVs through registry keys; these being Avast
Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.

ping – The malware makes an HTTP GET ping request to the C2 at regular
intervals. If the C2 responds with “_CRY” then the malware proceeds to send the
knock request again, but if the C2 responds with “_ACK” the response contains
additional information about which command should be executed by the malware.

The malware supports a wide variety of commands which are classified into _SET
and _REQ requests as seen while analyzing the malware. We will dive into all
these commands below in the blog.


C2 COMMANDS

The malware uses a specific thread to communicate with the C2 and a different
one to execute the commands received from the C2. To synchronize between both
threads, the malware leverages events and a mutex. To dispatch a command it
modifies the state of the event linked to that object. We should note that all
the communications involved in these commands are AES encrypted.

Command execution routine

_SET Commands

 * PING – This command is used to set the sleep interval between every ping
   request to the C2.
 * PURG – Unknown command
 * EXIT – Exit the command execution thread.

_REQ Commands

 * EXEC (Execute) – Executes the command received from the C2 by creating a
   cmd.exe process. The malware creates two named pipes and redirects the input
   and output to these pipes. The output of the command is read using ReadFile
   from the named pipe and then “_DAT” is appended to this data before it is AES
   encrypted and sent to the C2.

EXEC command
 * UPLD (Upload) – The Upload command is used to remotely upload a file to the
   infected machine. The malware makes a GET request to the C2 and receives data
   to be written as file.
 * INFO (Submit Information) – The INFO command is similar to the “submit”
   request above; this command sends the exact information to the C2 as sent by
   the “submit” request.

INFO command
 * UPEX (Upload and Execute) – This is a combination of UPLD and EXEC command.
   The command first writes a file received from the C2 and then executes that
   file.
 * DNLD (Download) – The DNLD command allows the C2 to retrieve any file from
   the infected machine. The malware encrypts the requested file and sends the
   data via a POST request to the C2.
 * PROC (Execute Process) – The PROC command is similar to the EXEC command with
   slight differences: here the process is executed directly instead of through
   cmd.exe as in the EXEC command. The command uses the named pipes in a similar
   fashion to the EXEC command.
 * UPPR (Upload and Execute Process) – This is a combination of UPLD and PROC
   command. The command receives the remote file using the upload command then
   executes the file using PROC command.
 * SDEL (Delete File) – This is used to delete any file on the infected system.
   It also seems to overwrite the first few bytes of the file to be deleted with
   random data.
 * _DIR (List directory) – This can list all the files and their attributes in a
   directory supplied as argument. If no directory is supplied, then it proceeds
   to list the current directory. File attributes retrieved by this command are:
   * Filename
   * Type (Directory, Unknown, File)
   * Owner
   * Creation time
   * Last access time
   * Last write time
   * Size
   * Permissions
 * STCK (Command Stack) – This allows the attacker to execute multiple commands
   with one request. The malware can receive a STCK command which can have
   multiple children commands which are executed in the same order they are
   received by the malware.
 * SCRN (Screenshot) – This command leverages Windows GDI+ to take the
   screenshot of the desktop. The image is then encrypted using AES-CBC and sent
   to the C2.
 * INJC (Process Injection) – The malware seems to generate a new AES key for
   this command. The code to be injected is received from the C2 and decrypted.
   To inject the code into the target process it writes it to the remote memory
   using WriteProcessMemory and then creates a remote thread using
   CreateRemoteThread.

INJC routine
 * PSLS (Process List) – Calls NtQuerySystemInformation with
   SystemProcessInformation to retrieve an array containing all the running
   processes. Information sent about each process to the C2:
   * PID
   * ParentPID
   * Image Name
   * Owner
 * DMON (Creates Process) – The command seems similar to PROC with the only
   difference being the output of the process execution is not sent back to the
   C2. It receives the process name from the C2 and executes it using
   CreateProcess.
 * UPDM (Upload and Create Process) – Allows the C2 to upload a file and then
   execute it using the DMON command.

SharpExecutor and PowerSession Commands

Interestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named
WoodySharpExecutor and WoodyPowerSession respectively. WoodySharpExecutor
provides the malware ability to run .NET code received from the C2.
WoodyPowerSession on the other hand allows the malware to execute PowerShell
commands and scripts received from the C2.

WoodyPowerSession makes use of pipelines to execute these PS commands. The .NET
DLLs are loaded by the malware and commands are executed via the methods present
in these DLLs:

SharpExecutor and PowerSession methods

We will look at the commands utilising these DLLs below:

 * DN_B (DotNet Binary) – This command makes use of the RunBinaryStdout method
   to execute Assembly code with arguments received from the C2. The code is
   received as an array of Base64 strings separated by 0x20 character.
 * DN_D (DotNet DLL) – This method provides the attacker a lot more control over
   the execution. An attacker can choose whether to send the console output back
   to the C2 or not. The method receives an array of Base64 strings consisting
   of code, class name, method name and arguments. The DLL loads the code and
   finds and executes the method based on other arguments received from the C2.
 * PSSC (PowerSession Shell Command) – Allows the malware to receive a Base64
   encoded PowerShell command and execute it.
 * PSSS (PowerSession Shell Script) – This command allows the malware to load
   and execute a Base64 encoded PowerShell script received from the C2.
 * PSSM (PowerSession Shell Module) – This command receives an array of Base64
   encoded strings, one of which contains the module contents and the other one
   contains the module name. These strings are decoded and this module is
   imported to the command pipeline and then invoked.


MALWARE CLEANUP

After creating the command threads, the malware deletes itself from disk. It
uses the well-known process hollowing technique to do so. It creates a
suspended notepad process and then writes shellcode that deletes a file into
the suspended process using NtWriteVirtualMemory. The entry point of the thread
is set using NtSetContextThread and then the thread is resumed. This leads to
the deletion of the malware from disk.

Malware deletes itself


UNKNOWN THREAT ACTOR

This very capable Rat falls into the category of unknown threat actors we track.
Historically, Chinese APTs such as Tonto team as well as North Korea with Konni
have targeted Russia. However, based on what we were able to collect, there
weren’t any solid indicators to attribute this campaign to a specific threat
actor.

Malwarebytes blocks the Follina exploit that is being leveraged in the latest
Woody Rat campaign. We also already detect the binary payloads via our
heuristic malware engines.


IOCS

Woody Rat:


C2s:

 * kurmakata.duckdns[.]org
 * microsoft-ru-data[.]ru
 * 194.36.189.179
 * microsoft-telemetry[.]ru
 * oakrussia[.]ru

Follina Doc:
Памятка.docx
ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb
Follina html file:
garmandesar.duckdns[.]org:444/uoqiuwef.html
Woody Rat url:
fcloud.nciinform[.]ru/main.css