PoetRAT is an emerging malware that targets the energy and government sector of Azerbaijan — especially wind turbine facilities.

There is no one specific way that PoetRAT spreads. However, research has shown that the malware is distributed via URL, which indicates that users are most likely tricked by either emails or social media messages to download the malware.

PoetRAT way of attack

PoetRAT spreads via emails or social media messages containing malicious URLs. This is not to say that other methods are not being used as well.

Talos researchers have observed three phishing emails claiming to be from the Azerbaijan government and the Ministry of Defense of India, which contained a malicious Microsoft Word document named “C19.docx.” Attempts like these play on the particularly sensitive issue of COVID-19 and take advantage of the psychological condition that many are in because of this pandemic.

Once the malicious Word document is opened or URL is clicked, a dropper enables malicious macros which deploy PoetRAT. To help evade detection and other defensive measures, it writes itself to disk in the form of an archive instead of being loaded as an executable.

PoetRAT is written in Python and has two main scripts that are the crux of the malware itself. The first script is “smile.py”, which executes commands including copying, moving and archiving files and content, taking screenshots, information exfiltration, killing processes and uploading of files from the target computer. The second script is “frown.py”, which allows for encrypted communication with the PoetRAT C2 (command-and-control) server.

Researchers have observed an array of different tools typically placed during a PoetRAT campaign:

Klog.exe: Keylogger capabilities
Dog: This .NET malware module can be used to monitor hard drive paths on an infected computers and has data exfiltration capabilities through FTP or email
Browdec.exe: Browser credential stealer
Bewmac: Webcam session recording capabilities
WinPwnage: Used for privilege escalation
voStro.exe: Credential stealer
Nmap: Used for network scanning
Tre.py: A script written in Python used to create new files and directors
Mimikatz: Credential harvesting
Pypykatz: Credential harvesting

PoetRAT is capable of is maintaining persistence via registry key manipulation, as it can modify registry entries in order to get around sandbox evasion checks.

PoetRAT has only been involved with cyberattacks in Azerbaijan thus far. This should be of particular importance to those in the energy sector, particularly wind turbine energy production facilities. Update security controls use proper email security product.

North Korea or Russia is Lazarus belongs

North Korean state-sponsored cybercriminals have been time and again accused of buying access to pre-hacked servers from other threat actors. However, lately, connections have emerged between the North Korea-based Lazarus APT group and some of the prominent Russian-speaking cybercriminal groups.

TrickBot, Dridex, and TA505 are threat groups linked to various Russian-speaking threat actors who sell access to victims’ systems on the dark web. Lazarus has been found to be infrequently using TrickBot’s codes in its attacks.

TrickBot is a privately-run Malware-as-a-Service (Maas) offering, which can be accessed by only top-tier threat actors.

TA505 is a cybercriminal group that has purchased a huge number of tools from the underground.

According to a report by LEXFO, past Lazarus infections have been spotted to coexist with TrickBot and Emotet.
TA505 and Lazarus IOCs were found together in bank networks.

North Korea-based hackers may “be working with or contracting out to criminal hacking groups, like TA505, for initial access development.”

Based on the different incidents, experts assess that there is a connection between Lazarus and Russian-speaking cybercriminals.

TrickBot appears to possess a treasure trove of compromised accesses that Lazarus can definitely leverage.

It is very likely that threat actors with access to TrickBot infections are in touch with North Korean state-sponsored hackers. Knowing that there is a link between different threat actors provides defenders an opportunity to identify a potential second problem when the first one occurs.

Pyvil ! Rat…Evilnum Producy

The “Evilnum” group of actors has been pretty active during the past two years, and it appears that they are now going through major shifts in their toolset.

Evilnum is interested in banks and financial organizations in general, which hasn’t changed. The group’s main goal is to spy its targets and try to exfiltrate sensitive data like VPN passwords, browser cookies, email credentials, and classified documents.

The infection chain is now differentiating from what used to be typical in the past, and the actors are now using a single LNK file that poses as a utility bill or driver’s license PDF. This file activates a JavaScript dropper, which sets up a scheduled task to retrieve the malicious binaries.

Source: Cybereason

The new payload is the PyVil RAT written in Python, which is obfuscated with extra layers to make its decompilation

The Nocturnus researchers used memory dumps to do it anyway, so they report the following functionality in the PyVil’s code:

  • Keylogger
  • Running cmd commands
  • Taking screenshots
  • Downloading more Python scripts for additional functionality
  • Dropping and uploading executables
  • Opening an SSH shell
  • Collecting information such as what Anti-virus products are installed, which USB devices connected, or the Chrome version
deobfuscated code
Source: Cybereason

When the RAT needs to phone back home to the C2, it does so via POST HTTP requests that feature RC4 encryption applied thanks to a hardcoded base64 key. In several recorded cases, PyVil RAT received a new Python module from the C2, which was basically a custom version of the LaZagne credential stealer.

Source: Cybereason

Finally, the infrastructure that supports the Evilnum operations seems to have grown significantly over the past couple of weeks, and so has the number of domain IP addresses associated with the group. This is indicative of the group’s goal to continue its malicious operations and actually up their game by deploying new tools and making sure that they are still able to remain undetected.