[German]Malwarebytes' threat intelligence team has identified a new, technically advanced remote access Trojan. Dubbed "Woody Rat," the Trojan has been in circulation for about a year and targets Russian organizations. Among others, Obyedinyonnaya Aviastroitelnaya Korporatsiya (OAK), an aerospace and defense company majority-owned by the Russian state, has already been targeted by Woody Rat. The Trojan exploits the so-called Follina exploit (CVE-2022-30190), a zero-day vulnerability that can be used to abuse the Microsoft Support Diagnostics utility to download malicious Microsoft Word or Excel documents from the Web.
Advertising
In a message I received from Malwarebytes, its security researchers wrote that Woody Rat was initially spread via archive file formats (typically ZIP files). After the Follina exploit became known (see, e.g., Windows Vulnerability Follina (CVE-2022-30190): New findings, new risks (June 9, 2022)), attackers switched to this exploit. In doing so, they used an Office document named Памятка.docx ("Information Security Memo") to spread the Trojan. The document contains supposedly relevant information and best practices on password security and data protection.z.
Woody Rat trojan, source: Malwarebytes
According to Malwarebytes, the identity of the hackers responsible for Woody Rat cannot yet be determined with certainty. But similar threats have already been tracked by Malwarebytes. In the past, Chinese APTs (Advanced Persistent Threats) such as the Tonto team or the North Korean cyber group Konni had targeted Russia. However, based on Malwarebytes' analysis, there are no clear indicators that could assign Woody Rat to a specific actor. More about how Woody Rat works and how it spreads can be read in this report from Malwarebytes.
