PoetRAT is an emerging malware that targets the energy and government sector of Azerbaijan — especially wind turbine facilities.
There is no single way that PoetRAT spreads. However, research has shown that the malware is distributed via URL, which indicates that users are most likely tricked by emails or social media messages into downloading it.
PoetRAT's method of attack
PoetRAT spreads via emails or social media messages containing malicious URLs. This is not to say that other methods are not being used as well.
Talos researchers have observed three phishing emails claiming to be from the Azerbaijan government and the Ministry of Defense of India, which contained a malicious Microsoft Word document named “C19.docx.” Lures like these play on the particularly sensitive issue of COVID-19 and exploit the psychological strain many people are under because of the pandemic.
Once the malicious Word document is opened or the URL is clicked, a dropper enables malicious macros that deploy PoetRAT. To evade detection and other defensive measures, it writes itself to disk as an archive rather than being loaded as an executable.
PoetRAT is written in Python and has two main scripts that are the crux of the malware itself. The first script is “smile.py”, which executes commands including copying, moving and archiving files and content, taking screenshots, exfiltrating information, killing processes and uploading files from the target computer. The second script is “frown.py”, which provides encrypted communication with the PoetRAT C2 (command-and-control) server.
Researchers have observed an array of different tools typically placed during a PoetRAT campaign:
Klog.exe: Keylogger capabilities
Dog: This .NET malware module can be used to monitor hard drive paths on an infected computer and has data exfiltration capabilities through FTP or email
Browdec.exe: Browser credential stealer
Bewmac: Webcam session recording capabilities
WinPwnage: Used for privilege escalation
voStro.exe: Credential stealer
Nmap: Used for network scanning
Tre.py: A script written in Python used to create new files and directories
Mimikatz: Credential harvesting
Pypykatz: Credential harvesting
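As an added detection example (not code from the original write-up or from the Talos research), the following Python triages constructed process-creation events for the behaviours described above: an Office process spawning a Python interpreter, PoetRAT's script names on a command line, and the tooling listed. The event field names and sample paths are assumptions, not real telemetry.

```python
from typing import Dict, List

# Indicators taken from the write-up above: PoetRAT's own scripts and the
# tooling observed alongside it. Lower-cased for case-insensitive matching.
POETRAT_SCRIPTS = {"smile.py", "frown.py", "tre.py"}
POETRAT_TOOLS = {"klog.exe", "browdec.exe", "vostro.exe", "winpwnage",
                 "mimikatz", "pypykatz", "nmap"}
OFFICE_APPS = {"winword.exe"}
PY_INTERPRETERS = {"python.exe", "pythonw.exe"}

def basename(path: str) -> str:
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event triggers."""
    hits = []
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("command_line", "").lower()
    # Rule 1: the macro-dropper chain described above. An Office process
    # launching a Python interpreter is rare on most business endpoints.
    if parent in OFFICE_APPS and image in PY_INTERPRETERS:
        hits.append("office_spawns_python")
    # Rule 2: the RAT's own script names on a Python command line.
    if image in PY_INTERPRETERS and any(s in cmdline for s in POETRAT_SCRIPTS):
        hits.append("poetrat_script")
    # Rule 3: post-compromise tooling named in the campaign, by image or argument.
    if any(t in image or t in cmdline for t in POETRAT_TOOLS):
        hits.append("poetrat_tooling")
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each flagged event to the rules it triggered."""
    flagged = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            flagged[i] = hits
    return flagged

# Constructed sample telemetry (field names and paths are assumptions), in the
# order an infection might produce them; the last event is benign developer use.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" C:\Users\u\Downloads\C19.docx'},
    {"parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "image": r"C:\Python27\pythonw.exe",
     "command_line": r"pythonw.exe C:\Users\u\AppData\Local\Temp\frown.py"},
    {"parent_image": r"C:\Python27\pythonw.exe", "image": r"C:\Users\u\AppData\Local\Temp\Klog.exe",
     "command_line": r"Klog.exe"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Python38\python.exe",
     "command_line": r"python.exe C:\dev\build.py"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, rules)
```

Rule 1 alone is worth alerting on even without the indicator lists, since the script and tool names will change between campaigns while the Office-to-interpreter chain is the behaviour the dropper depends on.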
PoetRAT is capable of maintaining persistence via registry key manipulation, and it can modify registry entries to get around sandbox checks.
PoetRAT has only been involved in cyberattacks in Azerbaijan thus far. This should be of particular importance to those in the energy sector, particularly wind turbine energy production facilities. Update security controls and use a proper email security product.