New Woody RAT malware targets Russian entities

Russian organizations in the sights of a new RAT

Woody RAT: a new RAT attempted to infiltrate key Russian organizations

Security researchers have discovered a new RAT (Remote Access Trojan) called Woody RAT. It is unknown who created this malicious software, which has been targeting Russian organizations. The mysterious group attempted to strike a Russian aerospace and defense entity known as OAK.[1]

The Woody RAT enables remote control over infected devices. It can perform a broad range of commands and functions, including extracting a wide variety of system data, such as the operating system version and architecture, computer name, PowerShell information, user accounts and privileges, network data, and running processes.

It can also gather personal information, like names, types, formats, permissions, etc. The RAT can download files and even take screenshots. The Woody RAT also has the ability to upload files and launch them, which means cybercriminals can use it to install Trojans, ransomware, and other malware.

Microsoft vulnerability used to deliver the malicious program

It is believed that the Woody RAT was delivered using two methods: archive files, or Microsoft Office documents leveraging the “Follina” Support Diagnostic Tool vulnerability (CVE-2022-30190)[2] in Windows, which has since been patched. Malwarebytes researchers Ankur Saini and Hossein Jazi said[3] in a Wednesday report:

The earliest versions of this RAT were typically archived into a ZIP file pretending to be a document specific to a Russian group

The unknown threat actor used a Microsoft Office document (Памятка.docx) to drop Woody RAT. Translated from Russian, the document's name means “Information security memo”, and the document provides security practices for passwords, confidential information, and so on. It is very likely that the malicious file was distributed as either an attachment or a download link in spam emails.

Cyber attacks on Russia increase amid the war in Ukraine

On May 20, 2022, President Vladimir Putin acknowledged that the number of cyber attacks on Russia had increased several times over and that Russia must bolster its cyber defenses by reducing the use of foreign software and hardware. Since Russia invaded Ukraine, the websites of many state-owned companies and news outlets have suffered hacking attempts. The President said:

Serious attacks have been launched against the official sites of government agencies. Attempts to illegally penetrate the corporate networks of leading Russian companies are much more frequent as well

In a meeting with the Security Council, Putin said that Russia needs to improve information security in key sectors and switch to using domestic technology and equipment. However, it is unknown how these plans will play out under the sanctions the West has imposed. A number of Western suppliers have stopped technical support of their equipment in Russia,[4] so it seems there is no other way but to develop their own technology. How long that will take, and whether it is even possible, is another question nobody can answer.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
