SEARCH FINANCIAL SERVICES INFRASTRUCTURE SECURITY SCIENCE INTERVIEWS

 

     

PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors

By Talos' Warren Mercer, Paul Rascagneres and Vitor Ventura

April 20, 2020

Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling "PoetRAT." At this time, we do not believe this attack is associated with an already known threat actor. Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, thus we believe the adversaries in this case want to target citizens of the country Azerbaijan, including private companies in the SCADA sector like wind turbine systems. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data.

The campaign shows us that the operators manually pushed additional tools when they needed them on the compromised systems. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically. Besides these, there are keyloggers, browser-focused password stealers, camera control applications, and other generic password stealers.

In addition to the malware campaigns, the attacker performed phishing a campaign on the same infrastructure. This phishing website mimics the webmail of the Azerbaijan Government webmail infrastructure.

What's new?


This was a previously undiscovered RAT. It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: It appends the RAT to a Word document. Upon opening the document, a macro is executed that will extract the malware and execute it. The operation seems to be manual, but it's streamlined to deploy additional tools as needed and to avoid unnecessary steps.

How did it work?

The initial foothold is established by sending the malicious Word document. It's not clear at this time how the adversary distributes the document. However, given that it is available for download from a basic URL, it wouldn't be surprising if the victims were being tricked into downloading it by an email or social media network message.

So what?


This threat actor is highly motivated and focused on the victims it targets. They target the public and the private sectors as well as SCADA systems. The quantity and diversification of tools available in its toolkit denote a carefully planned attack.

 

MALWARE CAMPAIGNS


We identified multiple campaigns we believe target the Azerbaijan public and private sectors, especially the energy sector. During our investigation, Talos identified the interest of this threat actor for SCADA systems mainly wind turbines.
 

Campaign No. 1: February 2020

Decoy document

Once opened in Microsoft Office, the document is blurred. This can't be fixed the document is composed of blurred pictures with no real text. The logo seems to be the logo of the DRDO, the Defense R&G Organisation of the Ministry of Defence of India. We have no evidence that India is targeted by this actor.
 
DRDO Logo

The file was located on hxxp://govaz[.]herokuapp[.]com/content/section_policies.docx

 

Campaign No. 2: April 2020 C19.docx

Document image

The file, in this case, was named "C19.docx," probably a reference to the COVID-19 pandemic, but without readable content.
 

Campaign #3: April 2020 Coronavirus theme


The decoy document evolved to look more realistic. The initial stage is a Word document written in Russian posing as an Azerbaijan government document.

 
Document image

 
Document image

Both original file names are "Azerbaijan_special[.]doc," which is a dropper that can be found at hxxps://gov-az[.]herokuapp[.]com/content/Azerbaijan_special[.]doc.

 

PHISHING CAMPAIGN


On the same server, we identified a phishing campaign against the webmail of the Azerbaijan government:

 

This phishing website was available on "hxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login=" during the malware campaigns. The purpose was obviously to steal credentials.

 

MALWARE


We will present the infection vector of the most recent document. The other documents are not exactly the same (using DDE) but the final goal is the same.
 

Dropper


The Word document is a dropper. As happens so many times, it contains a Visual Basic script that will execute the malicious activities. This one, however, appears to be more innovative. It starts by loading its own document into memory. Afterward, it copies 7,074,638 bytes from the end of the file and writes the remaining bytes back to the disk.
RAT extraction

The file written to the disk is actually a ZIP file. The actors appended the ZIP at the end of the word document "smile.zip."

This ZIP file contains a Python interpreter and Python script that is actually the RAT. The Word macro will unzip and execute the main script called "launcher.py." The launcher script is responsible for checking the environment that the doc is currently being opened in. It assumes that all sandboxes will have hard drives smaller than 62GB. If it's in a sandbox environment, it will overwrite the malware scripts with the contents of the file "License.txt" and exit, thus deleting itself.
Anti-sandbox code

If it determines that it is not running in a sandbox environment, it will generate a unique ID, that is then replaced directly with the Python source code of the main scripts before executing it.

RAT


The RAT is composed of two main scripts that need to work together. One, called "frown.py," is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143. With a successful connection, it will send the word "almond" The server should reply either with "who" or "ice." The RAT will answer the "who" command with a string that contains the username, computer name and the previously generated UUID. The "ice" command simply makes the RAT finish the connection procedure.

The other script is called "smile.py." This is responsible for the interpretation and execution of the C2 commands. The available commands are:
 
  • ls - listing files
  • cd - change current directory
  • sysinfo - get information about the system
  • download - upload file into the C2 using ftp
  • upload - download from C2 file into the victim from
  • shot - takes a screenshot and uploads it to the C2 using ftp
  • cp - copies files
  • mv - moves files
  • link - creates links between files
  • register - makes changes in the registry
  • hide - hides a file or unhides it depending on its current state
  • compress - compresses files using zip function
  • jobs - performs actions, like kill, clear, terminate on processes. By default will list all processes.
  • <os command to be executed> - this will be executed if none of the above are executed.


Some features need additional credentials (shot, upload, download). These credentials are not hardcoded on the sample. For each FTP usage, the credentials are provided by the C2 server during the request.

There is a normal usage of the Windows registry to provide a method of persistence for this RAT by adding in a registry key in the RUN hive which will execute the Python script "launcher.py." During our investigation, we witnessed several registry modifications that resulted in the malware skipping the sandbox evasion checks and carrying out the execution by using a "police" keyword.

"C:\Users\Public\Python37\pythonw.exe" "C:\Users\Public\Python37\launcher.py" "police"s\0

In launcher.py, the police keyword will skip the sandbox checks and initialization process. This could be used for hosts already infected to ensure they do not re-check this environment.
Start routine

The communication between the scripts is done via a file called "Abibliophobia23" Commands and results are written into the file using a custom encryption scheme. The "23" at the end of the file is different depending on the variant of the RAT.


It uses a char substitution cipher where the new char code is obtained after performing mathematical operations on the char code to be encrypted using the key parameters.

 

POST-EXPLOITATION TOOLS


During the campaign, the operator deployed additional tools on the targeted systems. In this section, we will describe a few of these tools.

Dog
Quickly after the initial compromise, the operator deploys a tool named "dog.exe." This malware is written in .NET and its purpose is to monitor hard drive paths and to exfiltrate the information via an email account or an FTP, depending on the configuration.

The configuration file is named dconf.json. It is pushed by the operator with the binary.

  • FileSize defines the max size of the file to be exfiltrated (50MB in our example).
  • The working directory is defined by the concat of BasePath and MyPat ("C:/ProgramData/ TARGET_Dog/" in our example).
  • UploadType is the exfiltration method. It can be "ftp" or "email."
  • FtpUsername, FtpPassword and FtpUri define the FTP parameters for exfiltration.
  • SmtpHost, EmailUser and EmailPass define the email parameters for exfiltration.
  • Paths define the path to monitor on the compromised system.


The binary uses a file system watcher in order to generate an event each time a file is modified in one of the directories in the "Paths" variable of the configuration file.
 
Filesystem monitoring routine

Once a file is available, the Dog.exe binary exfiltrates it, using email or FTP depending on the configuration.
 

Bewmac


The attacker has a short Python script to record the victim's webcam.

 
Camera image capturing routine.

The script uses the OpenCV library, taking a sequence of 10 captures each time it is executed. The images are stored on the filesystem and there is no automatic exfiltration.
 

Additional tools


During our investigation, we identified a couple of additional tools mainly in Python and compiled for Windows:

 
  • Klog.exe: A keylogger using an output file called "System32.Log."

 
Keylogger special key map

 
  • "Browdec.exe": A browser credential-stealer
  • "voStro.exe": A compiled pypykatz that'ss a full Python implementation of Mimikatz, a well-known credential-stealer.
  • "Tre.py": A script used to create the file with the files/directories tree.
  • WinPwnage: An open-source framework of privilege escalation.
  • Nmap: An open-source pentesting and network-scanning tool.


 

CONCLUSION


During this investigation, we observed an actor using multiple tools and methodologies to carry out their full attack chain. Talos identified multiple lure documents during this campaign which all made use of Visual Basic macros and then Python to carry out their attacks on victims. The adversaries' targets are very specific and appear to be mostly Azerbaijan organizations in the public and private sectors, specifically ICS and SCADA systems in the energy industry.

The actor monitored specific directories, signaling they wanted to exfiltrate certain information on the victims. The attacker wanted to gain a full picture of the victim by using a keylogger, browser credential stealers and Mimikatz and pypykatz for further credential harvesting. Based on our research, the adversaries may have wanted to obtain important credentials from officials in Azerbaijan's government. The malware attempts to obtain pictures of the victim and utilizes a mail platform targeting the Azerbaijan government. The attacker wanted not only specific information obtained from the victims but also a full cache of information relating to their victim. They would have been able to gain potentially very important credentials and information using these techniques given their victimology. By using Python and other Python-based tools during their campaign, the actor may have avoided detection by traditional tools that have whitelisted Python and Python execution techniques.

Terms of Use | Copyright 2002 - 2020 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement