Russia is being attacked by New Woody RAT Malware

With the recently discovered malware, attackers have targeted Russian organizations, including a government-controlled defence corporation, gaining remote access to compromised computers along with the ability to control them and steal data from them. The Remote Access Trojan, detected by the Malwarebytes Threat Intelligence team and named Woody RAT, has been in the wild for at least a year.

According to the researchers, this sophisticated custom backdoor is distributed through one of two methods: archive files, or Microsoft Office documents that exploit the now-patched “Follina” vulnerability (CVE-2022-30190) in Windows.

The Woody RAT implant, like other implants designed for espionage-focused operations, has a number of features that enable the threat actor to remotely hijack and steal sensitive data from the infected systems.

Ankur Saini and Hossein Jazi, researchers from Malwarebytes, noted in a paper published on Wednesday that “the first iterations of this RAT were occasionally stored directly inside a ZIP file posing as a document specific to a Russian group.”

Follina Vulnerability

The Follina zero-day opened a critical new attack vector through Microsoft Office programs: it works without elevated privileges, bypasses Windows Defender detection, and does not require macros to be enabled in order to execute binaries or scripts. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application, and can then install programs, view, change, or delete data, or create new accounts within the limits of the user’s rights.

The affected versions of Microsoft Office are Office 2013, Office 2016, Office 2019, and Office 2021, as well as Professional Plus editions.

Kevin Beaumont, the cyber security researcher who named the vulnerability “Follina”, chose the name because the malicious Word file references the number “0438”, the area code of the municipality of Follina in Treviso, Italy. The Word document uses the remote template feature to retrieve an HTML file from a remote server; that HTML then uses the ms-msdt MS Protocol URI scheme to load code and execute PowerShell.
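The two artefacts described above (an external attached-template relationship inside the .docx, and an ms-msdt: URI in the retrieved content) are what a defender can look for on the mail gateway or in a sandbox. The scanner below is an added example and is not code from the original article or from Malwarebytes; it builds a minimal .docx in memory (a constructed sample, with the placeholder host template.invalid) and reports any relationship that points outside the package to a remote template, as well as any ms-msdt: reference inside the document parts.

```python
"""Scan a .docx for the remote-template relationship and ms-msdt URIs that the
Follina delivery chain relies on. Added detection example; the sample document
is constructed in memory and the host name template.invalid is a placeholder."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> List[str]:
    """Return human-readable findings for a .docx supplied as bytes."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            raw = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(raw)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") != "External":
                        continue  # references to parts inside the package are normal
                    target = rel.get("Target", "")
                    if rel.get("Type") == ATTACHED_TEMPLATE:
                        findings.append(f"{name}: remote attached template -> {target}")
                    if MSDT_RE.search(target):
                        findings.append(f"{name}: ms-msdt URI in relationship target")
            elif name.endswith((".xml", ".html", ".htm")):
                # A remote template is fetched at open time, so it is not inside the
                # package; this branch catches the URI if it was embedded directly.
                if MSDT_RE.search(raw.decode("utf-8", errors="ignore")):
                    findings.append(f"{name}: ms-msdt URI inside part content")
    return findings


def build_sample_docx(remote_template: Optional[str]) -> bytes:
    """Build a minimal .docx in memory (constructed sample, not a real lure). When
    remote_template is given, settings.xml.rels carries the external
    attachedTemplate relationship that Follina documents use."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            f'<Relationships xmlns="{REL_NS}">']
    if remote_template:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{remote_template}" TargetMode="External"/>')
    rels.append("</Relationships>")
    wml = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns="http://schemas.'
                               'openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": f'<?xml version="1.0"?><w:document xmlns:w="{wml}">'
                             '<w:body/></w:document>',
        "word/settings.xml": f'<?xml version="1.0"?><w:settings xmlns:w="{wml}"/>',
        "word/_rels/settings.xml.rels": "\n".join(rels),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for part_name, content in parts.items():
            zf.writestr(part_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample_docx(None)))
    print(scan_docx(build_sample_docx("http://template.invalid/memo.html")))
```

An external attachedTemplate relationship is legitimate in some corporate templates, so treat the finding as a triage signal rather than a verdict: the useful follow-up is to fetch the target in a sandbox and inspect it for the ms-msdt: scheme.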

Woody RAT Malware

The Woody RAT provides remote access to and control of infected devices. Among its features, Woody can collect a wide range of system data, including the computer name, the operating system version and architecture, PowerShell information, user accounts and privileges, network information, currently running processes, and installed anti-virus software.

Woody can also download additional files and execute them, which means further trojans, ransomware, and other malware can be delivered and installed through it. This ability to start chain infections is an additional risk posed by the Woody RAT.

The threat actors switched to using Follina to distribute the payload once the flaw became public. In one case, the group used a phoney website set up for this purpose in an attempt to attack OAK, a Russian aerospace and defence organization.

Woody RAT Malware distribution method

On June 7, 2022, researchers from the MalwareHunterTeam revealed that attacks utilizing the Windows vulnerability as part of this campaign used a document called “Пaмятка.docx” (which translates to Memo.docx) to send a CSS payload carrying the trojan.

The document ostensibly offers best security procedures for passwords and personal information, among other things, but serves as a ruse to open the backdoor. Along with the ability to encrypt its interactions with a remote server, Woody RAT also has the ability to launch further malware, destroy data, enumerate directories, take screenshots, and gather a list of running processes.

Two .NET-based libraries named WoodySharpExecutor and WoodyPowerSession are also included in the malware; they are used to execute .NET code and PowerShell commands, respectively, that have been received from the server.

After creating the command threads, the malware removes itself from disk. It does this using the well-known process hollowing technique: it creates a suspended notepad process, writes file-deletion shellcode into that process with NtWriteVirtualMemory, sets the thread’s entry point with NtSetContextThread, and then resumes the thread. As a result, the malware’s file is deleted from disk.
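Writing into another process and redirecting its thread requires a handle with specific access rights, which Sysmon records in Event ID 10 (ProcessAccess) as the GrantedAccess mask. The detector below is an added example and is not code from the original article or from Malwarebytes: it runs over a few constructed Sysmon-style event records and flags any handle whose rights include PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_SUSPEND_RESUME together (the standard Win32 constants), unless the source image is on an assumed allowlist of system processes that legitimately open such handles. The sample image paths, including dropper_sample.exe, are constructed.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records whose granted access mask is
enough to write into and redirect a suspended process, the handle pattern that
self-deletion via process hollowing produces. Added example; the events are
constructed and the allowlist is an assumption to be tuned per environment."""
from typing import Dict, Iterable, List, Set

# Standard Windows process access rights.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
HOLLOW_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME

# Assumed benign accessors of other processes (adjust for the environment).
DEFAULT_ALLOWLIST: Set[str] = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample events in the shape of Sysmon fields (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\dropper_sample.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Inventory\agent.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\dropper_sample.exe"},
]


def detect_hollowing_access(events: Iterable[Dict[str, object]],
                            allowlist: Set[str] = DEFAULT_ALLOWLIST) -> List[Dict[str, str]]:
    """Return one alert per ProcessAccess event that grants all HOLLOW_RIGHTS
    from a source image that is not allowlisted."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue  # only ProcessAccess carries the access mask
        source = str(ev.get("SourceImage", ""))
        if source.lower() in allowlist:
            continue
        try:
            granted = int(str(ev.get("GrantedAccess", "0")), 16)  # Sysmon logs hex
        except ValueError:
            continue
        if granted & HOLLOW_RIGHTS == HOLLOW_RIGHTS:
            alerts.append({
                "source": source,
                "target": str(ev.get("TargetImage", "")),
                "granted": hex(granted),
                "reason": "VM_OPERATION|VM_WRITE|SUSPEND_RESUME granted on another process",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing_access(SAMPLE_EVENTS):
        print(alert)
```

In the sample set only the first record fires: the csrss.exe access is allowlisted, and the third handle carries read and query rights only (0x1410), which is what inventory and monitoring agents usually request. The rule is most useful when correlated with the Event ID 1 record showing notepad.exe launched by the same non-standard parent, as in the fourth sample event.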

Remediation Actions

  • Avoid clicking on links or attachments in suspicious emails or messages, as doing so could infect your computer. Use the most recent Microsoft Office versions, especially those released after 2010, as they include the “Protected View” feature, which disables the automatic execution of macro commands.
  • Furthermore, only genuine and authorized channels should be used for downloads.
  • Install and keep up to date an effective antivirus programme. Run regular system scans with it, and remove any threats it finds.