A COVID-19-themed campaign targets SCADA sectors with data-stealing malware

A newly discovered malware campaign uses coronavirus-themed decoys to hit Azerbaijan's government and energy sectors with remote access trojans (RATs) capable of exfiltrating sensitive documents, keystrokes, passwords and even webcam images.

The targeted attacks use Microsoft Word documents as droppers to deploy a Python-based RAT called PoetRAT. Cisco Talos stated that the RAT has all the standard features of this class of malware and gives the attacker full control of the infected system. According to the researchers, the malware specifically targets supervisory control and data acquisition (SCADA) systems in the energy industry, such as wind-turbine systems.

The development is the latest in a growing number of cyberattacks that exploit concern about the coronavirus pandemic as bait to install malware, steal information and make a profit.

The campaign works by appending PoetRAT to a Word document which, when opened, runs a macro that extracts the malware and then executes it. The exact distribution mechanism of the Word document is still unclear, but since the documents can be downloaded from a simple URL, the researchers suspect that victims are tricked into downloading the RAT via malicious URLs or phishing emails.

Cisco Talos said it had detected three waves of these attacks since the beginning of February, some of which used decoy documents purporting to be from Azerbaijani government agencies or India's Defense Research and Development Organization (DRDO), or whose file names referred to COVID-19 without containing any actual content about it.

Regardless of the attack vector, the Visual Basic macro in the document writes the malware out as a zip file called smile.zip, which contains a Python interpreter and the RAT itself. The Python script also checks the environment in which the document was opened to make sure it is not running in a sandbox; if it detects a sandbox environment, it removes itself from the system.

The RAT comes with two scripts: frown.py, which handles communication with the remote command-and-control (C2) server using a unique device ID, and smile.py, which executes the C2 commands on the infected device. These commands allow the attacker to upload sensitive files, take screenshots, terminate system processes, log keystrokes and steal passwords stored in browsers.

In addition, the attacker behind the campaign deployed other post-exploitation tools, including dog.exe, a .NET-based malware that monitors file paths and automatically exfiltrates the data via an email account or FTP, and a tool called Bewmac that lets the attacker take control of the victim's webcam.

The malware achieves persistence by creating registry keys that run a Python script, and it modifies the registry so that the sandbox check is not performed again.

Cisco Talos researchers concluded that the threat actor followed specific paths indicating it wanted to extract particular information about the victims: not only the specific information obtained from them, but a complete picture of their victims. By using Python and other Python-based tools in this campaign, the threat actor is likely to avoid detection by traditional tools that whitelist Python and Python-based applications.
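The behaviours described above (a Word document dropping a zip with a Python interpreter, Word spawning that interpreter, and a Run registry key pointing at a Python script) are exactly the kind of chain endpoint telemetry can surface. The following detector is an added example written for this page, not code from the article or from Cisco Talos; the key=value event format with Sysmon-style field names and every log line in SAMPLE_LOG are constructed here so the script runs offline.

```python
"""Constructed detection example for the PoetRAT-style delivery chain.

Flags three behaviours in process, file and registry telemetry:
  1. an Office application spawning a script interpreter,
  2. an Office application writing a .zip/.py/.exe payload to disk,
  3. a Run/RunOnce registry value that launches a Python interpreter or .py file.
The event format and all sample lines are constructed for this example
(assumption: Sysmon-like field names, not real Sysmon output)."""
import re
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PYTHON_RE = re.compile(r"python(w)?\.exe|\.py\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value Key2="value with spaces"' line into a dict."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return a finding string if the event matches one of the three rules."""
    eid = event.get("EventID")
    if eid == "1":  # process creation: Office parent, script-host child
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            return f"office_spawns_script_host: {parent} -> {child}"
    elif eid == "11":  # file creation: Office process writing a payload-like file
        writer = basename(event.get("Image", ""))
        target = event.get("TargetFilename", "")
        if writer in OFFICE_APPS and target.lower().endswith((".zip", ".py", ".exe")):
            return f"office_drops_payload: {writer} wrote {target}"
    elif eid == "13":  # registry value set: Run key launching Python
        key = event.get("TargetObject", "")
        details = event.get("Details", "")
        if RUN_KEY_RE.search(key) and PYTHON_RE.search(details):
            return f"run_key_python_persistence: {key} = {details}"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run every rule over every line and collect the findings in order."""
    findings = []
    for line in lines:
        hit = evaluate(parse_event(line))
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry: benign noise plus the three suspicious events.
SAMPLE_LOG = [
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" ParentImage="C:\\Windows\\System32\\services.exe"',
    'EventID=11 Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'TargetFilename="C:\\Users\\alice\\AppData\\Local\\Temp\\smile.zip"',
    'EventID=1 Image="C:\\Users\\alice\\AppData\\Local\\Temp\\Python\\python.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" CommandLine="python.exe frown.py"',
    'EventID=13 TargetObject="HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater" '
    'Details="C:\\Users\\alice\\AppData\\Local\\Temp\\Python\\pythonw.exe smile.py"',
    'EventID=13 TargetObject="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive" '
    'Details="C:\\Program Files\\OneDrive\\OneDrive.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Each rule on its own is noisy in some environments (developers do launch Python from Office automation, and installers do write Run keys), so in practice the value is in correlating the three within a short window on one host; the ordered findings list returned by scan() is the input such a correlation would consume.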
