{"id":26089,"date":"2022-08-05T18:10:21","date_gmt":"2022-08-05T16:10:21","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=26089"},"modified":"2022-08-05T18:10:21","modified_gmt":"2022-08-05T16:10:21","slug":"remote-access-trojaner-woody-rat-nutze-follina-exploits-fr-angriffe-auf-russische-organisationen","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/08\/05\/remote-access-trojaner-woody-rat-nutze-follina-exploits-fr-angriffe-auf-russische-organisationen\/","title":{"rendered":"Remote access Trojan &quot;Woody Rat&quot; uses Follina exploits to attack Russian organizations"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Sicherheit (Pexels, allgemeine Nutzung)\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Sicherheit (Pexels, allgemeine Nutzung)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" width=\"200\" align=\"left\">[<a href=\"https:\/\/www.borncity.com\/blog\/2022\/08\/05\/remote-access-trojaner-woody-rat-nutze-follina-exploits-fr-angriffe-auf-russische-organisationen\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] <a href=\"https:\/\/www.malwarebytes.com\/\" target=\"_blank\" rel=\"noopener\">Malwarebytes<\/a>' threat intelligence team has identified a new, technically advanced remote access Trojan. Dubbed \"Woody Rat,\" the Trojan has been in circulation for about a year and targets Russian organizations. Among others, <a href=\"https:\/\/en.wikipedia.org\/wiki\/United_Aircraft_Corporation\" target=\"_blank\" rel=\"noopener\">Obyedinyonnaya Aviastroitelnaya Korporatsiya<\/a> (OAK), an aerospace and defense company majority-owned by the Russian state, has already been targeted by Woody Rat. 
The Trojan is delivered using the so-called Follina exploit (CVE-2022-30190), a zero-day vulnerability that can be used to abuse the Microsoft Support Diagnostics utility to download malicious Microsoft Word or Excel documents from the Web.<\/p>\n<p><!--more--><\/p>\n<p>In a message I received from Malwarebytes, its security researchers wrote that Woody Rat was initially spread via archive file formats (typically ZIP files). After the Follina exploit became known (see, e.g., <a href=\"https:\/\/borncity.com\/win\/2022\/06\/09\/windows-vulnerability-follina-cve-2022-30190-new-findings-new-risks-june-9-2022\/\">Windows Vulnerability Follina (CVE-2022-30190): New findings, new risks (June 9, 2022)<\/a>), attackers switched to this exploit. In doing so, they used an Office document named \u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx (\"Information Security Memo\") to spread the Trojan. The document contains supposedly relevant information and best practices on password security and data protection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Woody Rat trojan\" alt=\"Woody Rat trojan\" src=\"https:\/\/i.imgur.com\/V1iu0J2.png\" width=\"635\" height=\"539\"><br \/>Woody Rat trojan, source: Malwarebytes<\/p>\n<p>According to Malwarebytes, the identity of the hackers responsible for Woody Rat cannot yet be determined with certainty. But similar threats have already been tracked by Malwarebytes. In the past, Chinese APTs (Advanced Persistent Threats) such as the Tonto Team or the North Korean cyber group Konni had targeted Russia. However, based on Malwarebytes' analysis, there are no clear indicators that could assign Woody Rat to a specific actor. More about how Woody Rat works and how it spreads can be read in this <a href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/08\/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild\/\" target=\"_blank\" rel=\"noopener\">report<\/a> from Malwarebytes. 
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Malwarebytes' threat intelligence team has identified a new, technically advanced remote access Trojan. Dubbed \"Woody Rat,\" the Trojan has been in circulation for about a year and targets Russian organizations. Among others, Obyedinyonnaya Aviastroitelnaya Korporatsiya (OAK), an aerospace and defense &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/08\/05\/remote-access-trojaner-woody-rat-nutze-follina-exploits-fr-angriffe-auf-russische-organisationen\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-26089","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/26089","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=26089"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/26089\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=26089"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=26089"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=26089"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}