Malwarebytes recently reported on Woody RAT, a RAT being used to target entities in Russia.
- Woody RAT is a remote access trojan targeting entities in Russia.
- It is delivered via archive files or weaponized Office documents leveraging the Follina exploit.
- Woody RAT uses HTTP requests to communicate with the C2 and encrypts C2 communications.
Woody RAT is a newly discovered remote access trojan. According to Malwarebytes, it has been active in the wild for at least one year. Woody RAT is being delivered via phishing lures in archive file format and Office documents leveraging the Follina vulnerability. The threat actors behind Woody RAT targeted Obyedinyonnaya Aviastroitelnaya Korporatsiya (OAK), an aerospace and defense entity in Russia.
Woody RAT is disguised as an executable or application when delivered via archive files. Woody RAT is also delivered via Microsoft Office documents leveraging the Follina vulnerability, with lures pertaining to information security. Malwarebytes analysts noted Woody RAT employs anti-reversing techniques, as several of the CRT functions are statically linked. Prior to initialization, Woody RAT suppresses error reporting by calling SetErrorMode with the parameter set to 0x8007. Woody RAT uses multiple threads, so it allocates a global object and assigns a mutex to it to ensure no clashing operations can take place at the same time. This also ensures only one thread is contacting the C2 at a given time.
Woody RAT uses HTTP requests to communicate with the C2. These are described in more detail below. It also uses machine-specific values to derive a cookie to identify each victim machine. These values include adapter information, computer name and volume, with 8 random bytes appended to the value. To evade detection by network-based monitoring, Woody RAT uses a combination of RSA-4096 and AES-CBC to encrypt C2 communications. After creating command threads, Woody RAT uses Process Hollowing to delete itself from the disk.
C2 HTTP Endpoint Requests
Woody RAT leverages multiple C2 HTTP endpoint requests, including the following:
- Knock - Woody RAT uses this as the first HTTP request sent to the C2. Woody RAT sends the machine-specific cookie described above. Data received as a response contains the URL path to submit additional information from the victim machine.
- Submit - Used to submit information about the victim machine. Data sent includes the OS, architecture, antivirus information, computer name, OS version, .NET information, PowerShell information, Python version and install path, storage drive information, environment variables, network interfaces, administrator privileges, running processes, proxy information, username, and a list of user accounts. Woody RAT currently detects six antivirus products - Avast Software, Doctor Web, Kaspersky, AVG, ESET, and Sophos.
- Ping - Woody RAT regularly pings the C2 with a GET HTTP request and awaits the C2 response to determine which commands should be executed. These commands are listed in the next section.
Woody RAT uses one thread to communicate with the C2 and another to execute commands. Woody RAT leverages events and a mutex to synchronize between both threads.
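The regular Ping requests described above, each carrying the same machine-derived cookie, are a beaconing pattern a defender can look for in proxy logs. The script below is an added example (not from the Malwarebytes report or PolySwarm): it groups GET requests by source host, destination and cookie over constructed log lines and flags sessions whose request intervals are nearly constant. The log format, hostnames and cookie values are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (assumed format, not real traffic):
# timestamp, source host, method, destination, path, cookie value.
SAMPLE_LOG = """\
2022-08-01T10:00:00 ws-17 GET c2.example.invalid /ping cookie=a1b2c3d4e5f6a7b8
2022-08-01T10:00:03 ws-17 GET cdn.example.invalid /lib.js cookie=-
2022-08-01T10:01:00 ws-17 GET c2.example.invalid /ping cookie=a1b2c3d4e5f6a7b8
2022-08-01T10:02:01 ws-17 GET c2.example.invalid /ping cookie=a1b2c3d4e5f6a7b8
2022-08-01T10:03:00 ws-17 GET c2.example.invalid /ping cookie=a1b2c3d4e5f6a7b8
2022-08-01T10:03:59 ws-17 GET c2.example.invalid /ping cookie=a1b2c3d4e5f6a7b8
2022-08-01T10:00:10 ws-22 GET news.example.invalid /home cookie=sess1
2022-08-01T10:07:45 ws-22 GET news.example.invalid /home cookie=sess1
2022-08-01T10:09:02 ws-22 GET news.example.invalid /home cookie=sess1
2022-08-01T10:31:40 ws-22 GET news.example.invalid /home cookie=sess1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) cookie=(\S+)$")

def parse(log_text):
    """Group request timestamps by (source host, destination, cookie)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, dst, _path, cookie = m.groups()
        if method != "GET" or cookie == "-":
            continue  # only cookie-bearing GETs matter for this pattern
        groups[(src, dst, cookie)].append(datetime.fromisoformat(ts))
    return groups

def find_beacons(log_text, min_requests=4, max_jitter=0.2):
    """Return (src, dst, cookie, median_gap_seconds) for sessions whose
    inter-request gaps vary little, i.e. a fixed sleep interval."""
    hits = []
    for (src, dst, cookie), times in parse(log_text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        # Coefficient of variation of the gaps: low means near-constant interval
        if statistics.pstdev(gaps) / median <= max_jitter:
            hits.append((src, dst, cookie, median))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon-like session:", hit)
```

Browsing sessions with irregular gaps (ws-22 above) are not flagged; a host repeating the same cookie to one destination on a near-fixed interval (ws-17) is.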
_SET Commands include the following:
- PING - sets a sleep interval between every ping request
- PURG - the purpose of this command is unknown
- EXIT - exit command execution thread
_REQ Commands include the following:
- EXEC - executes the command received from the C2
- UPLD - uploads a file to the victim system
- INFO - submits information to the C2
- UPEX - uploads and executes a file received from the C2
- DNLD - lets the C2 download files from the victim system
- PROC - directly executes a process without using cmd.exe
- UPPR - uploads and executes a command
- SDEL - deletes files on the victim system
- _DIR - lists files and attributes in a directory
- STCK - allows the threat actor to execute a command stack of multiple commands with one request
- SCRN - takes a screenshot of the desktop
- INJC - process injection
- PSLS - retrieves an array of all running processes
- DMON - creates a process
- UPDM - allows the C2 to upload a process and then executes it using DMON
Woody RAT has two embedded .DLL files. WoodySharpExecutor allows the malware to run .NET code received from the C2. WoodyPowerSession allows the malware to execute PowerShell commands and scripts received from the C2.
Commands leveraging these .DLL files include the following:
- DN_B - uses the RunBinaryStdout method to execute Assembly code with arguments received from the C2
- DN_D - gives the threat actor more control over execution
- PSSC - allows Woody RAT to receive and execute Base64 encoded PowerShell commands
- PSSS - allows Woody RAT to load and execute Base64 encoded PowerShell commands from the C2
- PSSM - allows Woody RAT to receive an array of Base64 encoded strings, including the module name and contents
PolySwarm has multiple samples of Woody RAT.
You can use the following CLI command to search for all Woody RAT samples in our portal:
$ polyswarm link list -f WoodyRat