Keypoints
- WogRAT is distributed via aNotepad-hosted Base64 strings and appears disguised as common utility filenames to prompt user execution.
- The Windows variant is a .NET downloader that compiles and loads an encrypted DLL (WingsOfGod) which performs C2 communication and backdoor actions.
- C2 communication uses HTTP POST for initial beaconing, command polling, and result exfiltration with structured parameters like act, bid, task_id, and Base64-encoded results.
- The Windows RAT supports commands to run arbitrary commands, download files, upload files (via FTP), change wait time, and terminate; uploads use FTP when supported.
- The Linux variant mimics Tiny SHell behavior, renames itself (e.g., “[kblockd]”), collects system info, uses AES-128 with keys derived from HMAC-SHA1 for C2 encryption, and connects to a reverse-shell server to receive commands.
- String obfuscation and Base64 encoding are used to hide the .NET binary in aNotepad; Windows strings are sent as-is, while Linux strings are additionally encrypted before transmission.
- Observed targets and metadata suggest campaigns focused on Asian regions; multiple MD5 hashes, C2 domains, and download URLs were identified by ASEC.
MITRE Techniques
- [T1204] User Execution – The campaign disguises its samples as legitimate utility tools to prompt victims into downloading and running the malware (‘disguising themselves as legitimate utility tools based on filenames upon collection, prompting users into downloading malware’).
- [T1105] Ingress Tool Transfer – Malware components are retrieved from web-hosted notepad entries and download URLs (‘the loaded DLL is responsible for downloading strings from the aNotepad platform, decrypting them using the Base64 algorithm, and then loading them’).
- [T1027] Obfuscated Files or Information – The .NET binary is stored encrypted in Base64 on aNotepad and decoded at runtime (‘you can find the .NET binary encrypted in Base64 saved in the notepad as a string’).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 uses HTTP POST requests to send beacon, check, and result data (‘WogRAT sends data in the following structure via POST requests based on initial connection, command download, and command execution results’).
- [T1041] Exfiltration Over C2 Channel – The RAT sends system info and command results back to the C2 server via structured POST payloads (‘When WogRAT is run for the first time, it collects basic information of the infected system and sends them to the C&C server’).
- [T1048] Exfiltration Over Alternative Protocols (FTP) – File upload commands use the FTP protocol for transferring files to the actor-controlled server (‘FTP protocol is used for file upload’).
- [T1059] Command and Scripting Interpreter – The backdoor supports remote command execution and returns Base64-encoded results (‘supports commands such as executing commands, sending results, downloading files, and uploading these files’ and ‘Sending command execution results … result=[execution results of Base64 encrypted command]’).
- [T1036.005] Masquerading – The Linux variant changes its process name to mimic legitimate processes (e.g., “[kblockd]”) to avoid detection (‘it changes its name as a legitimate process … changed all of their names into “[kblockd]”’).
Indicators of Compromise
- [File Names] Disguised downloaders used as lures – flashsetup_LL3gjJ7.exe, WindowsApp.exe, and other utility-like names.
- [MD5 Hashes] Identified sample hashes – 5769d2f0209708b4df05aec89e841f31 (WindowsTool.exe), 290789ea9d99813a07294ac848f808c9 (WingsOfGod.dll), and 12 more hashes.
- [C2 Domains/URLs] Command-and-control endpoints – w.linuxwork[.]net:443, linuxwork[.]net:80, and other C2 URLs (e.g., newujs and t0rguard hosts).
- [Download URLs] Host locations for payloads or Tiny SHell – hxxp://newujs[.]com/dddddd_oo, hxxps://jp.anotepad[.]com/note/read/b896abi9, and additional download URLs.
ASEC detailed the technical flow of WogRAT: Windows infection samples are .NET droppers that contain encrypted source code which is compiled at runtime; this loader fetches Base64-encoded .NET binaries stored in aNotepad entries, decodes them, and loads a DLL (WingsOfGod) that performs beaconing and backdoor functionality. The Windows implant beacons the C2 using POST requests with structured parameters (act, bid, name) and polls for commands (act=chk), while returning execution results Base64-encoded (act=ret). Supported remote instructions include running shell commands, downloading files, uploading files (FTP-based upload commands when enabled), changing the polling interval, and termination.
The Linux builds share command/response structures and reuse Tiny SHell routines for reverse-shell behavior: on launch they rename to a benign-looking process (e.g., “[kblockd]”), collect host metadata, and beacon the actor. Unlike Windows, the Linux variant retrieves an address for a reverse-shell server rather than direct commands, then connects to that Tiny SHell server to receive tasks. C2 communications for both variants incorporate obfuscation and encryption practices: Windows strings are Base64-encoded in the notepad entries, while Linux payloads apply an additional encryption layer; both WogRAT and Tiny SHell use AES-128 with keys derived from HMAC-SHA1 for C2 encryption but use distinct password strings.
The runtime and operational behaviors to watch for include: initial network POSTs to the listed C2 domains, Base64 blobs hosted on aNotepad or similar paste platforms, dynamic compilation/loading of .NET assemblies, FTP upload commands or unexpected FTP sessions, reverse-shell connections to attacker-controlled addresses, and process name masquerading on Linux. The combination of paste-hosted Base64 payloads, runtime compilation, Tiny SHell code reuse, and structured POST-based C2 polling defines WogRAT’s technical profile.
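As an added detection example (not from the ASEC report), the following Python classifies POST bodies by the parameter shapes the report attributes to WogRAT's C2 (act/bid/name on first contact, act=chk when polling, act=ret with task_id and a Base64 result when reporting) and runs it over a constructed proxy-log format; the log layout, hostnames and field values are assumptions, and the initial beacon's exact act value is not given by the report, so it is matched only by shape.

```python
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# act values named in the report: "chk" (command poll) and "ret" (result).
KNOWN_ACTS = {"chk", "ret"}


def is_base64(s: str) -> bool:
    """True if s is non-empty and decodes as strict standard Base64."""
    try:
        base64.b64decode(s, validate=True)
        return len(s) > 0
    except Exception:
        return False


def classify_post_body(body: str) -> Optional[str]:
    """Label a form-encoded POST body if it matches a WogRAT C2 message shape."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    act = params.get("act")
    if act is None or "bid" not in params:
        return None
    if act == "chk":
        return "wograt_poll"
    if act == "ret" and "task_id" in params and is_base64(params.get("result", "")):
        return "wograt_result"
    if "name" in params and act not in KNOWN_ACTS:
        return "wograt_beacon_candidate"  # first-contact shape; act value assumed unknown
    return None


# Constructed log format (assumption): '<ts> <src_ip> POST <url> body="<form>"'
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) POST (?P<url>\S+) body="(?P<body>[^"]*)"$')


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (src_ip, url, label) for every line whose POST body matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # non-POST or unparseable line
        label = classify_post_body(m["body"])
        if label:
            hits.append((m["src"], m["url"], label))
    return hits


# Constructed sample traffic; "dXNlcg==" is Base64 of "user".
SAMPLE_LOG = [
    '2024-03-01T10:00:00Z 10.0.0.5 POST http://c2.example/ body="act=chk&bid=abc123"',
    '2024-03-01T10:00:05Z 10.0.0.5 POST http://c2.example/ body="act=ret&bid=abc123&task_id=7&result=dXNlcg=="',
    '2024-03-01T10:00:09Z 10.0.0.7 POST http://intranet.example/login body="user=bob&login=1"',
]
```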
Read more: https://asec.ahnlab.com/en/62446/