Introduction

As new malware constantly emerges, some have been taking advantage of recent events to make it easier to establish a foothold on a targeted system and wage a cyberattack. Once such malware is called PoetRAT, and while it has only targeted one country to date, its targets and methods should be taken seriously by all who are security-minded. 

This article will detail what PoetRAT is, how it works and how to prevent it. Given the recent severity of the COVID-19 pandemic, this malware should serve as an example that not all emails referencing this virus should be trusted.

What is PoetRAT?

Recently discovered by Cisco Talos, PoetRAT is an emerging malware that targets the energy and government sector of Azerbaijan — especially wind turbine facilities. As the name suggests, PoetRAT is a remote access Trojan; it’s named PoetRAT because of recurring references to the playwright William Shakespeare’s works. This malware is not currently known to be associated with any specific attack group, which shows that more still needs to be learned about this malware.

There is no one specific way that PoetRAT spreads. However, research has shown that the malware is distributed via URL, which indicates that users are most likely tricked by either emails or social media messages to download the malware. PoetRAT has been observed downloading other tools for persistence and other purposes, but more on this later.

How PoetRAT works

As mentioned earlier, PoetRAT spreads via emails or social media messages containing malicious URLs. This is not to say that other methods are not being used as well. 

Talos researchers have observed three phishing emails claiming to be from the Azerbaijan government and the Ministry of Defense of India, which contained a malicious Microsoft Word document named “C19.docx.” Attempts like these play on the particularly sensitive issue of COVID-19 and take advantage of the psychological condition that many are in because of this pandemic. Cybercriminals have used phishing tactics that take advantage of current conditions, such as the holiday season, and it was just a matter of time until they incorporated COVID-19 sensitivity into their psy-op tool box.

Once the malicious Word document is opened or URL is clicked, a dropper enables malicious macros which deploy PoetRAT. To help evade detection and other defensive measures, it writes itself to disk in the form of an archive instead of being loaded as an executable.

PoetRAT is written in Python and has two main scripts that are the crux of the malware itself. The first script is “smile.py”, which executes commands including copying, moving and archiving files and content, taking screenshots, information exfiltration, killing processes and uploading of files from the target computer. The second script is “frown.py”, which allows for encrypted communication with the PoetRAT C2 (command-and-control) server.

Researchers have observed an array of different tools typically placed during a PoetRAT campaign:

  • Klog.exe: Keylogger capabilities
  • Dog: This .NET malware module can be used to monitor hard drive paths on an infected computers and has data exfiltration capabilities through FTP or email
  • Browdec.exe: Browser credential stealer
  • Bewmac: Webcam session recording capabilities
  • WinPwnage: Used for privilege escalation
  • voStro.exe: Credential stealer
  • Nmap: Used for network scanning
  • Tre.py: A script written in Python used to create new files and directors
  • Mimikatz: Credential harvesting
  • Pypykatz: Credential harvesting

This is not an exhaustive list of what this malware is capable of by any means. One of the other things PoetRAT is capable of is maintaining persistence via registry key manipulation, as it can modify registry entries in order to get around sandbox evasion checks. 

It appears that there may be a sort of anti-Azerbaijani government motivation behind the PoetRAT cyberattacks thus far. Researchers have determined that the attack groups behind PoetRAT may have been intending to capture credentials of those working in the Azerbaijani government. 

IoCs

URLs

  • hxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login=

C2

  • dellgenius[.]hopto[.]org

Phishing

  • gov-az[.]herokuapp[.]com
  • govaz[.]herokuapp[.]com

Samples

  • 208ec23c233580dbfc53aad5655845f7152ada56dd6a5c780d54e84a9d227407
  • 252c5d491747a42175c7c57ccc5965e3a7b83eb5f964776ef108539b0a29b2ee
  • 312f54943ebfd68e927e9aa95a98ca6f2d3572bf99da6b448c5144864824c04d
  • 31c327a3be44e427ae062c600a3f64dd9125f67d997715b63df8d6effd609eb3
  • 37118c097b7dbc64fa6ac5c7b28ebac542a72e926d83564732f04aaa7a93c5e3
  • 4eb83253e8e50cd38e586af4c7f7db3c4aaddf78fb7b4c563a32b1ad4b5c677c
  • 5f1c268826ec0dd0aca8c89ab63a8a1de0b4e810ded96cdee4b28108f3476ce7
  • 66679d83d3993ae79229b1ccff5350e083d6631190eeeb3207fa10c3e572ca75
  • 746fbdee1867b5531f2367035780bd615796ebbe4c9043134918d8f9240f98b9
  • 970793967ecbe58d8a6b54f5ec5fd2551ce922cb6b3584f501063e5f45bdd58a
  • a3405cc1fcc6b6b96a1d6604f587aee6aafe54f8beba5dcbaa7322ac8589ffde
  • a703dc8819dca1bc5774de3b6151c355606e7fe93c760b56bc09bcb6f928ba2d
  • ac4e621cc5895f63a226f8ef183fe69e1ae631e12a5dbef97dd16a6dfafd1bfc
  • b14a8bf8575e46b5356acf3d19667278002935b21b7fc9f62e0957cc1e25209d
  • b1e7dc16e24ebeb60bc6753c54e940c3e7664e9fcb130bd663129ecdb5818fcd
  • ca8492139c556eac6710fe73ba31b53302505a8cc57338e4d2146bdfa8f69bdb
  • d4b7e4870795e6f593c9b3143e2ba083cf12ac0c79d2dd64b869278b0247c247
  • d5d7fad5b745fa04f7f42f61a1db376f9587426c88ce276f06de8ea6889dfae8
  • d605a01e42d5bb6bca781b7ba32618e2f2870a4624b50d6e3d895e8e96adee6a
  • F842354198cfc0a3296f8d3c6b38389761674f1636129836954f50c2a7aab740
  • e4e99dc07fae55f2fa8884c586f8006774fe0f16232bd4e13660a8610b1850a2

Prevention

PoetRAT has only been involved with cyberattacks in Azerbaijan thus far. That said, there is nothing stopping this malware from being introduced into any area in the world. This should be of particular importance to those in the energy sector, particularly wind turbine energy production facilities.

For those looking to stay on top of this threat, follow the recommendations below.

  • Update your security tools and security policies to account for the IoCs above. This means your organization will be able to better correlate events in your environment with what we know so far to be PoetRAT
  • Use a solid email security filtering tool to reduce or eliminate emails containing malicious Microsoft Word files
  • End users are the last line of defense against threats such as PoetRAT. If you do not trust the sender, do not download unsolicited attachments or click on unknown URLs
  • ICS and SCADA facilities should continuously harden their systems to help prevent PoetRAT

Conclusion

PoetRAT is a recently discovered Trojan that targets energy sector electric facilities in Azerbaijan. This malware is known for luring victims with phishing emails mimicking emails from the government of Azerbaijan and the Indian Ministry of Defense, particularly with emails mentioning COVID-19.

As of yet, only users in Azerbaijan have been targeted by attack groups using PoetRAT. However, the wide array of capabilities that it offers may pave the way for cyberattacks in other parts of the world as well.

 

Sources

  1. PoetRAT: Python RAT uses COVID-19 to target Azerbaijan public and private sectors, Cisco TALOS Blog
  2. PoetRAT – New Python RAT Attacking Government and Energy Sector via Weaponized Word Documents, GBHackers on Security
  3. New PoetRAT Hits Energy Sector with Data-Stealing Tools, Threatpost