This article will detail what PoetRAT is, how it works and how to prevent it. Given the recent severity of the COVID-19 pandemic, this malware should serve as an example that not all emails referencing this virus should be trusted.
What is PoetRAT?
Recently discovered by Cisco Talos, PoetRAT is an emerging malware that targets the energy and government sector of Azerbaijan — especially wind turbine facilities. As the name suggests, PoetRAT is a remote access Trojan; it’s named PoetRAT because of recurring references to the playwright William Shakespeare’s works. This malware is not currently known to be associated with any specific attack group, which shows that more still needs to be learned about this malware. There is no one specific way that PoetRAT spreads. However, research has shown that the malware is distributed via URL, which indicates that users are most likely tricked by either emails or social media messages to download the malware. PoetRAT has been observed downloading other tools for persistence and other purposes, but more on this later.
How PoetRAT works
As mentioned earlier, PoetRAT spreads via emails or social media messages containing malicious URLs. This is not to say that other methods are not being used as well. Talos researchers have observed three phishing emails claiming to be from the Azerbaijan government and the Ministry of Defense of India, which contained a malicious Microsoft Word document named “C19.docx.” Attempts like these play on the particularly sensitive issue of COVID-19 and take advantage of the psychological condition that many are in because of this pandemic. Cybercriminals have long used phishing tactics that take advantage of current conditions, such as the holiday season, and it was just a matter of time until they incorporated COVID-19 sensitivity into their psy-op toolbox.

Once the malicious Word document is opened or the URL is clicked, a dropper enables malicious macros, which deploy PoetRAT. To help evade detection and other defensive measures, it writes itself to disk in the form of an archive instead of being loaded as an executable.

PoetRAT is written in Python and has two main scripts that are the crux of the malware itself. The first script is “smile.py”, which executes commands including copying, moving and archiving files and content, taking screenshots, exfiltrating information, killing processes and uploading files from the target computer. The second script is “frown.py”, which allows for encrypted communication with the PoetRAT C2 (command-and-control) server. Researchers have observed an array of different tools typically placed during a PoetRAT campaign:
Klog.exe: Keylogger capabilities
Dog: This .NET malware module can be used to monitor hard drive paths on infected computers and has data exfiltration capabilities through FTP or email
Browdec.exe: Browser credential stealer
Bewmac: Webcam session recording capabilities
WinPwnage: Used for privilege escalation
voStro.exe: Credential stealer
Nmap: Used for network scanning
Tre.py: A script written in Python used to create new files and directories
Mimikatz: Credential harvesting
Pypykatz: Credential harvesting
This is not an exhaustive list of what this malware is capable of by any means. Among its other capabilities, PoetRAT maintains persistence through registry key manipulation, and it can modify registry entries in order to get around sandbox evasion checks. It appears that there may be a sort of anti-Azerbaijani government motivation behind the PoetRAT cyberattacks thus far. Researchers have determined that the attack groups behind PoetRAT may have been intending to capture credentials of those working in the Azerbaijani government.
IoCs
URLs
hxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login=
C2
dellgenius[.]hopto[.]org
Phishing
gov-az[.]herokuapp[.]com
govaz[.]herokuapp[.]com
Samples
Prevention
PoetRAT has only been involved with cyberattacks in Azerbaijan thus far. That said, there is nothing stopping this malware from being introduced into any area in the world. This should be of particular importance to those in the energy sector, particularly wind turbine energy production facilities. For those looking to stay on top of this threat, follow the recommendations below.
Update your security tools and security policies to account for the IoCs above. This means your organization will be able to better correlate events in your environment with what we know so far to be PoetRAT.
Use a solid email security filtering tool to reduce or eliminate emails containing malicious Microsoft Word files.
End users are the last line of defense against threats such as PoetRAT. If you do not trust the sender, do not download unsolicited attachments or click on unknown URLs.
ICS and SCADA facilities should continuously harden their systems to help prevent PoetRAT.
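One way to put the first recommendation into practice is to refang the published network indicators and sweep web proxy logs for them. The script below is an added example, not code from the article or from Talos; it uses only the C2 host, phishing domains and phishing URL listed in the IoC section, and the proxy log lines it scans are constructed for illustration.

```python
import re

# Indicators as published in the article's IoC section (defanged).
DEFANGED_IOCS = {
    "url": ["hxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login="],
    "c2": ["dellgenius[.]hopto[.]org"],
    "phishing": ["gov-az[.]herokuapp[.]com", "govaz[.]herokuapp[.]com"],
}

# Constructed sample proxy log lines (not real traffic): time, client, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2020-04-20T09:12:03Z 10.0.0.5 GET https://gov-az.herokuapp.com/azGovaz.php?login=user1 200",
    "2020-04-20T09:13:44Z 10.0.0.7 GET https://www.example.org/news/covid19 200",
    "2020-04-20T09:15:10Z 10.0.0.5 POST http://DellGenius.hopto.org/upload 200",
    "2020-04-20T09:16:02Z 10.0.0.9 GET https://herokuapp.com/ 200",
]

HOST_RE = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)


def refang(ioc):
    """Convert a defanged indicator ('hxxps', '[.]') into its matchable, lower-cased form."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.lower()


def classify_host(host, hosts):
    """Exact match or subdomain of a listed host; the bare platform domain does not match."""
    for listed, category in hosts.items():
        if host == listed or host.endswith("." + listed):
            return category
    return None


def scan_log(lines):
    """Return (line_index, host, category) for every line that touches a PoetRAT indicator."""
    url_prefixes = [refang(u) for u in DEFANGED_IOCS["url"]]
    hosts = {refang(h): cat for cat in ("c2", "phishing") for h in DEFANGED_IOCS[cat]}
    hits = []
    for idx, line in enumerate(lines):
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if any(p in line.lower() for p in url_prefixes):
            category = "url"  # the full credential-phishing URL was requested
        else:
            category = classify_host(host, hosts)
        if category:
            hits.append((idx, host, category))
    return hits


if __name__ == "__main__":
    for idx, host, category in scan_log(SAMPLE_PROXY_LOG):
        print(f"line {idx}: {host} -> {category}")
```

Feed it your own proxy or DNS export in place of the constructed lines; hits in the "c2" category are the ones that warrant immediate host isolation and investigation.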
Conclusion
PoetRAT is a recently discovered Trojan that targets energy sector electric facilities in Azerbaijan. This malware is known for luring victims with phishing emails mimicking emails from the government of Azerbaijan and the Indian Ministry of Defense, particularly with emails mentioning COVID-19. As of yet, only users in Azerbaijan have been targeted by attack groups using PoetRAT. However, the wide array of capabilities that it offers may pave the way for cyberattacks in other parts of the world as well.
Sources
PoetRAT: Python RAT uses COVID-19 to target Azerbaijan public and private sectors, Cisco Talos Blog
PoetRAT – New Python RAT Attacking Government and Energy Sector via Weaponized Word Documents, GBHackers on Security
New PoetRAT Hits Energy Sector with Data-Stealing Tools, Threatpost