PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors
Warren Mercer, Paul Rascagneres and Vitor
Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling "PoetRAT." At this time, we do not believe this attack is associated with an already known threat actor. Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, thus we believe the adversaries in this case want to target citizens of the country Azerbaijan, including private companies in the SCADA sector like wind turbine systems. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operator. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data.
This was a previously undiscovered RAT. It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: It appends the RAT to a Word document. Upon opening the document, a macro is executed that will extract the malware and execute it. The operation seems to be manual, but it's streamlined to deploy additional tools as needed and to avoid unnecessary steps.
How did it work?
The initial foothold is established by sending the malicious Word document. It's not clear at this time how the adversary distributes the document. However, given that it is available for download from a basic URL, it wouldn't be surprising if the victims were being tricked into downloading it by an email or social media network message.
This threat actor is highly motivated and focused on the victims it targets. They target the public and the private sectors as well as SCADA systems. The quantity and diversification of tools available in its toolkit denote a carefully planned attack.
We identified multiple campaigns we believe target the Azerbaijan public and private sectors, especially the energy sector. During our investigation, Talos identified the interest of this threat actor for SCADA systems — mainly wind turbines.
Campaign No. 1: February 2020
Once opened in Microsoft Office, the document is blurred. This can't be fixed — the document is composed of blurred pictures with no real text. The logo seems to be the logo of the DRDO, the Defence R&D Organisation of the Ministry of Defence of India. We have no evidence that India is targeted by this actor.
The file was located on hxxp://govaz[.]herokuapp[.]com/content/section_policies.docx
Campaign No. 2: April 2020 — C19.docx
The file, in this case, was named "C19.docx," probably a reference to the COVID-19 pandemic, but without readable content.
Campaign #3: April 2020 — Coronavirus theme
The decoy document evolved to look more realistic. The initial stage is a Word document written in Russian posing as an Azerbaijan government document.
Both original file names are "Azerbaijan_special[.]doc," which is a dropper that can be found at hxxps://gov-az[.]herokuapp[.]com/content/Azerbaijan_special[.]doc.
On the same server, we identified a phishing campaign against the webmail of the Azerbaijan government:
This phishing website was available on "hxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login=" during the malware campaigns. The purpose was obviously to steal credentials.
We will present the infection vector of the most recent document. The other documents are not exactly the same (using DDE) but the final goal is the same.
The Word document is a dropper. As happens so many times, it contains a Visual Basic script that will execute the malicious activities. This one, however, appears to be more innovative. It starts by loading its own document into memory. Afterward, it copies 7,074,638 bytes from the end of the file and writes the remaining bytes back to the disk.
The file written to the disk is actually a ZIP file: the actors appended the ZIP archive "smile.zip" to the end of the Word document.
This ZIP file contains a Python interpreter and Python script that is actually the RAT. The Word macro will unzip and execute the main script called "launcher.py." The launcher script is responsible for checking the environment that the doc is currently being opened in. It assumes that all sandboxes will have hard drives smaller than 62GB. If it's in a sandbox environment, it will overwrite the malware scripts with the contents of the file "License.txt" and exit, thus deleting itself.
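The appended-archive trick described above is easy to spot from the analyst side, because a ZIP archive carries an End Of Central Directory record near its end that encodes where the archive was supposed to begin. The following is an added example, not code from the Talos post or from the malware: it builds a constructed stand-in document (OLE magic bytes plus filler, with a small ZIP appended) and then locates and carves the appended archive from the EOCD record, which is the check a triage script would run over a suspicious Office file. Member names and sizes in the sample are placeholders, not the real "smile.zip" contents.

```python
import io
import struct
import zipfile

# Real OLE2 (.doc) magic bytes; the rest of the "document" is filler so this
# is only a constructed stand-in for a Word file, not a real one.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def build_sample_document() -> bytes:
    """Constructed sample: a fake .doc body with a small ZIP glued to its end.
    The member names are placeholders modelled on the names quoted in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("launcher.py", "# placeholder, not the real script\n")
        zf.writestr("License.txt", "placeholder\n")
    return OLE_MAGIC + b"\x00" * 4096 + buf.getvalue()


def find_appended_zip(data: bytes):
    """Return (zip_start_offset, zip_bytes) for a ZIP appended to another
    file, or None. The EOCD record stores the central directory's size and
    its offset relative to the archive start; anything prepended to the
    archive shifts the real positions, and that shift is the carve point."""
    eocd_sig = b"PK\x05\x06"
    # The EOCD sits at most 22 + 65535 bytes from the end (fixed part + comment).
    tail_start = max(0, len(data) - 22 - 0xFFFF)
    e = data.rfind(eocd_sig, tail_start)
    if e < 0 or e + 22 > len(data):
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, e + 12)
    cd_start_actual = e - cd_size          # where the central directory really is
    zip_start = cd_start_actual - cd_offset  # subtract the archive-relative offset
    if zip_start < 0 or data[zip_start:zip_start + 4] != b"PK\x03\x04":
        return None
    return zip_start, data[zip_start:]


def list_appended_members(data: bytes):
    """Carve the appended archive and list its members without extracting them."""
    found = find_appended_zip(data)
    if found is None:
        return None
    start, blob = found
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return start, sorted(zf.namelist())


if __name__ == "__main__":
    doc = build_sample_document()
    print(list_appended_members(doc))
```

On a real sample the same function reports the byte offset at which the document's own bytes end, which matches the length the macro writes back to disk; a non-zero `zip_start` on a file whose extension is `.doc` is the signal worth alerting on.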
If it determines that it is not running in a sandbox environment, it will generate a unique ID, which is then inserted directly into the Python source code of the main scripts before executing them.
The RAT is composed of two main scripts that need to work together. One, called "frown.py," is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143. On a successful connection, it will send the word "almond." The server should reply either with "who" or "ice." The RAT will answer the "who" command with a string that contains the username, computer name and the previously generated UUID. The "ice" command simply makes the RAT finish the connection procedure.
The other script is called "smile.py." This is responsible for the interpretation and execution of the C2 commands. The available commands are:
Some features need additional credentials (shot, upload, download). These credentials are not hardcoded on the sample. For each FTP usage, the credentials are provided by the C2 server during the request.
There is a normal usage of the Windows registry to provide a method of persistence for this RAT by adding in a registry key in the RUN hive which will execute the Python script "launcher.py." During our investigation, we witnessed several registry modifications that resulted in the malware skipping the sandbox evasion checks and carrying out the execution by using a "police" keyword.
"C:\Users\Public\Python37\pythonw.exe" "C:\Users\Public\Python37\launcher.py" "police"s\0
In launcher.py, the police keyword will skip the sandbox checks and initialization process. This could be used for hosts already infected to ensure they do not re-check this environment.
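The Run-key command line above has several properties a defender can key on independently of the file hashes: a Python interpreter used as an autostart target, a script rather than an executable being launched, an interpreter living under a world-writable directory, and the "police" argument. The following is an added example, not code from the Talos post: it triages a constructed list of Run values (as a registry export or an EDR query would present them) and returns the entries that match, with the reasons. Only the pythonw/launcher.py entry is modelled on the command line quoted in the post; the other entries, user name and value names are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of (value name, command line) pairs from a Run key.
# The "Updater" entry mirrors the command line quoted in the post; the
# others are benign filler with a made-up user name.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r'C:\Windows\system32\SecurityHealthSystray.exe'),
    ("Updater", r'"C:\Users\Public\Python37\pythonw.exe" "C:\Users\Public\Python37\launcher.py" "police"'),
    ("Spotify", r'"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe" --autostart'),
]

# Directories every local user can write to. A Python install dropped here is
# a strong signal by itself; no legitimate installer puts one there.
WORLD_WRITABLE_ROOTS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp")


def split_windows_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmd)]


def assess_run_value(name: str, cmd: str) -> Dict[str, object]:
    """Score one Run value; each matched heuristic contributes a reason."""
    args = split_windows_cmdline(cmd)
    exe = args[0].lower() if args else ""
    rest = [a.lower() for a in args[1:]]
    reasons: List[str] = []
    if exe.endswith(("\\pythonw.exe", "\\python.exe")) or exe in ("pythonw.exe", "python.exe"):
        reasons.append("python interpreter used as an autostart target")
        if any(a.endswith(".py") for a in rest):
            reasons.append("autostart launches a .py script")
    if exe.startswith(WORLD_WRITABLE_ROOTS):
        reasons.append("executable lives in a world-writable directory")
    if "police" in rest:
        reasons.append("'police' argument (PoetRAT skip-checks keyword)")
    return {"name": name, "command": cmd, "suspicious": bool(reasons), "reasons": reasons}


def triage_run_values(values: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Return only the Run values that tripped at least one heuristic."""
    return [r for r in (assess_run_value(n, c) for n, c in values) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage_run_values(SAMPLE_RUN_VALUES):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
```

The "police" keyword is the most specific indicator but also the most fragile, since a renamed argument defeats it; the interpreter-in-Public and script-as-autostart checks survive trivial changes to the sample and are the ones worth keeping in a standing detection.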
The communication between the scripts is done via a file called "Abibliophobia23." Commands and results are written into the file using a custom encryption scheme. The "23" at the end of the file name is different depending on the variant of the RAT.
It uses a char substitution cipher where the new char code is obtained after performing mathematical operations on the char code to be encrypted using the key parameters.
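A substitution cipher of the kind described, where each character code is transformed arithmetically with a couple of key parameters, provides no confidentiality against an analyst who holds both the IPC file and the script that reads it, and it falls to a few bytes of known plaintext even without the script. The following is an added example, not PoetRAT's code: the formula (an affine map over byte values) and the key parameters are hypothetical stand-ins chosen to be of the same shape as what the post describes, and the third function shows the analyst-side recovery of the key from a known command/ciphertext pair.

```python
from typing import Optional, Tuple

# Hypothetical scheme: each byte c becomes (a*c + b) mod 256. Neither the
# formula nor the values a=7, b=42 used below are PoetRAT's; they are
# placeholders with the same structure the post describes.
MODULUS = 256


def encrypt(plaintext: bytes, a: int, b: int) -> bytes:
    """Affine substitution on byte values; a must be odd so it is invertible mod 256."""
    if a % 2 == 0:
        raise ValueError("multiplier must be odd to be invertible mod 256")
    return bytes((a * c + b) % MODULUS for c in plaintext)


def decrypt(ciphertext: bytes, a: int, b: int) -> bytes:
    """Invert the map with the modular inverse of a (pow with -1 needs Python 3.8+)."""
    a_inv = pow(a, -1, MODULUS)
    return bytes((a_inv * (c - b)) % MODULUS for c in ciphertext)


def recover_key(known_plain: bytes, known_cipher: bytes) -> Optional[Tuple[int, int]]:
    """Analyst side: recover (a, b) from a known-plaintext fragment.
    For two positions, c1 - c2 = a * (p1 - p2) mod 256, which is solvable as
    soon as p1 - p2 is odd; b then follows from a single position."""
    pairs = list(zip(known_plain, known_cipher))
    for p1, c1 in pairs:
        for p2, c2 in pairs:
            d = (p1 - p2) % MODULUS
            if d % 2 == 1:
                a = ((c1 - c2) * pow(d, -1, MODULUS)) % MODULUS
                b = (c1 - a * p1) % MODULUS
                return a, b
    return None  # no odd difference among the known bytes


if __name__ == "__main__":
    # Constructed IPC content, not a real PoetRAT command.
    command = b"shot screen.png"
    blob = encrypt(command, 7, 42)
    print(recover_key(command[:4], blob[:4]))  # key recovered from 4 known bytes
    print(decrypt(blob, 7, 42))
```

The practical point for triage is that a handful of bytes of a command name the analyst already knows from the script (or even just the operator's habit of issuing the same command first) is enough to turn the whole IPC file into readable history of what the operator did on the host.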
During the campaign, the operator deployed additional tools on the targeted systems. In this section, we will describe a few of these tools.