WogRAT Malware Leverages Notepad Service to Target Windows & Linux Systems

WogRAT abuses a public online notepad service to stage its payload and targets both Windows and Linux systems, relying on the fact that such services are widely used and rarely blocked.

Because the payload is fetched from an ordinary-looking web service, the malware can gain unauthorized access and run malicious code with the privileges of the infected user while its traffic blends in with normal browsing.

Victims are also less likely to be suspicious of a payload hidden behind a well-known, legitimate service such as an online notepad. Recently, cybersecurity analysts at ASEC uncovered that threat actors are actively using a new strain of malware, WogRAT, which abuses the notepad service to target both Windows and Linux systems.

WogRAT Malware

A backdoor trojan has been discovered by AhnLab’s team, spreading through an online notepad service called aNotepad. The malicious code is designed to target both Windows (PE format) and Linux (ELF format) systems. This malware, dubbed ‘WogRAT’ by its creators due to the ‘WingOfGod’ string, poses a significant risk as it is a multi-platform threat.

WogRAT malware, named after the “WingOfGod” string used by its creators, is a type of backdoor trojan that poses a serious threat to both Windows and Linux systems. It spreads through online notepad services like aNotepad and is designed to exploit system vulnerabilities, allowing unauthorized access and the execution of malicious code. WogRAT is capable of infecting systems in both PE (Portable Executable) format for Windows and ELF (Executable and Linkable Format) format for Linux, making it a versatile and dangerous malware variant.

In Windows environments, WogRAT disguises itself as utilities such as “flashsetup_LL3gjJ7.exe” or “BrowserFixup.exe” in an attempt to deceive victims. Although specific Linux attacks remain unconfirmed, VirusTotal data indicates that Asian nations like Hong Kong, Singapore, China, and Japan are primary targets of this sophisticated malware campaign.

Examining a Windows WogRAT sample posing as an Adobe tool reveals a .NET binary, disguised as a Chrome utility, that conceals an encrypted downloader.

Upon execution, the malware compiles and loads a DLL at runtime, which retrieves Base64-encoded strings from aNotepad and decodes them into an obfuscated .NET binary payload stored on the online notepad service.
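The staging trick described above leaves a simple artifact for defenders: a note body that, once Base64-decoded, begins with an executable header. The following script is an added example, not code from the ASEC/AhnLab report; it scans text fetched from a notepad-style service for Base64 runs that decode to a Windows PE ("MZ") or Linux ELF image. The sample note and its embedded images are constructed here, and the check assumes the decoded blob is a raw image rather than one that is further encrypted.

```python
"""Added example, not code from the ASEC/AhnLab report: flag text pulled from an
online notepad service that hides a Base64-encoded PE or ELF binary."""
import base64
import binascii
import re

PE_MAGIC = b"MZ"        # Windows PE (including .NET) images start with "MZ"
ELF_MAGIC = b"\x7fELF"  # Linux ELF images start with 0x7f 'E' 'L' 'F'

# A Base64 run of 64+ alphabet characters with optional padding; shorter runs
# are ignored because ordinary prose rarely produces them.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def classify_blob(data: bytes):
    """Return 'PE', 'ELF' or None based on the leading magic bytes."""
    if data.startswith(PE_MAGIC):
        return "PE"
    if data.startswith(ELF_MAGIC):
        return "ELF"
    return None


def scan_note(text: str):
    """Find Base64 runs in a note body and report any that decode to an
    executable image; returns a list of (kind, decoded_length) tuples."""
    findings = []
    for run in B64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like Base64 but does not decode cleanly
        kind = classify_blob(decoded)
        if kind:
            findings.append((kind, len(decoded)))
    return findings


# Constructed sample note: a fake "MZ" image and a fake ELF header wrapped in
# filler text, standing in for the page fetched from the notepad service.
FAKE_PE = base64.b64encode(PE_MAGIC + b"\x90" * 100).decode()
FAKE_ELF = base64.b64encode(ELF_MAGIC + bytes(60)).decode()
SAMPLE_NOTE = (
    "shopping list\n"
    + FAKE_PE + "\n"
    + "some unrelated notes here\n"
    + FAKE_ELF + "\n"
)

if __name__ == "__main__":
    for kind, size in scan_note(SAMPLE_NOTE):
        print(f"{kind} image of {size} bytes hidden in note")
```

Run on the constructed note this reports one PE image of 102 bytes and one ELF image of 64 bytes. In a proxy or EDR pipeline the same check can be applied to responses from paste and notepad services; a hit on a host that has no business downloading executables that way is worth an alert on its own.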

Each command fetched from the command and control (C&C) server carries a type, a task ID, and associated data. For example, an ‘upldr’ task would specify ‘C:\malware.exe’ to be read and then FTP-uploaded to the server.

Although the analyzed sample utilizes a test URL without upload capability, it’s probable that other variants of WogRAT exploit this file exfiltration functionality.


AhnLab has discovered a Linux variant of WogRAT sharing the same command and control (C&C) infrastructure as its Windows counterpart, although the initial vector for WogRAT remains unclear.

Similar to Rekoobe, this strain incorporates features from the open-source Tiny SHell malware.

Upon execution, it disguises itself under the name “[kblockd]”, gathers system metadata for exfiltration, and behaves similarly to its Windows counterpart.

Unlike the Windows version, Linux payloads lack download functionality but encrypt C&C communications before transmission.

Rather than directly receiving commands, the Linux variant of WogRAT retrieves a reverse shell address from the command and control (C&C) server and establishes a connection to receive instructions.

This suggests the threat actor runs Tiny SHell server infrastructure, since WogRAT reuses that open-source malware’s routines and C&C mechanisms, including AES-128 encryption with HMAC-SHA1 and an unaltered 0x10-byte integrity check.

AhnLab has identified WogRAT malware targeting both Windows and Linux systems. Threat actors may disguise malicious files as utilities to entice downloads. As a preventive measure, researchers recommend avoiding untrusted executables and obtaining programs only from official sources. Keeping antivirus software updated to the latest version (V3) is also advised to reduce the risk of infection.

IoC
MD5

– 5769d2f0209708b4df05aec89e841f31 : WogRAT Downloader (WindowsTool.exe)
– 655b3449574550e073e93ba694981ef4 : WogRAT Downloader (WindowsApp.exe)
– 929b8f0bdbb2a061e4cf2ce03d0bbc4c : WogRAT Downloader (flashsetup_LL3gjJ7.exe)
– da3588a9bd8f4b81c9ab6a46e9cddedd : WogRAT Downloader (BrowserFixup.exe)
– fff21684df37fa7203ebe3116e5301c1 : WogRAT Downloader (ToolKit.exe)
– e9ac99f98e8fbd69794a9f3c5afdcb52 : WogRAT Downloader (HttpDownload.exe)
– 290789ea9d99813a07294ac848f808c9 : WogRAT – Windows (WingsOfGod.dll)
– 3669959fdb0f83239dba1a2068ba25b3 : WogRAT – Windows (WingsOfGod.dll)
– f97fa0eb03952cd58195a224d48f1124 : WogRAT – Windows (WingsOfGod.dll)
– f271e0ae24a9751f84c5ae02d29f4f0e : WogRAT – Windows (WingsOfGod.dll)
– 1341e507f31fb247c07beeb14f583f4f : WogRAT – Windows (ChromeFixup.exe)
– 7bcfea3889f07f1d8261213a77110091 : Tiny SHell (dddddd_oo)
– 1aebf536268a9ed43b9c2a68281f0455 : WogRAT – Linux (abc)
– a35c6fbe8985d67a69c918edcb89827e : WogRAT – Linux (a14407a2)

C&C URL
– w.linuxwork[.]net:443
– linuxwork[.]net:80
– hxxps://t0rguard[.]net/c/
– hxxps://w.newujs[.]com/c/
– hxxps://newujs[.]com/tt.php?fuckyou=1

Download URL
– hxxp://newujs[.]com/dddddd_oo
– hxxp://newujs[.]com/abc
– hxxp://newujs[.]com/a14407a2
– hxxps://js.domaiso[.]com/jquery.min-2.js
– hxxps://jp.anotepad[.]com/note/read/b896abi9
– hxxp://newujs[.]com/cff/wins.jpg
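The indicator list above is published defanged (hxxp, [.]), so before it can be used for hunting it has to be parsed and refanged. The script below is an added example, not part of the report: it turns the list into hash, host and URL sets and matches them against a few constructed log lines (DNS, EDR and proxy records; the hostnames, timestamps and function names are my own). Full-URL matches are reported separately from bare host matches, because a host such as jp.anotepad.com belongs to a legitimate public service and a host-only hit there is only a lead.

```python
"""Added example, not part of the report: parse the defanged IoC list into
structured indicators and match them against constructed log lines."""
import re

# IoC list copied verbatim from the report (MD5 hashes, C&C URLs, download URLs).
IOC_TEXT = """
MD5
– 5769d2f0209708b4df05aec89e841f31 : WogRAT Downloader (WindowsTool.exe)
– 655b3449574550e073e93ba694981ef4 : WogRAT Downloader (WindowsApp.exe)
– 929b8f0bdbb2a061e4cf2ce03d0bbc4c : WogRAT Downloader (flashsetup_LL3gjJ7.exe)
– da3588a9bd8f4b81c9ab6a46e9cddedd : WogRAT Downloader (BrowserFixup.exe)
– fff21684df37fa7203ebe3116e5301c1 : WogRAT Downloader (ToolKit.exe)
– e9ac99f98e8fbd69794a9f3c5afdcb52 : WogRAT Downloader (HttpDownload.exe)
– 290789ea9d99813a07294ac848f808c9 : WogRAT – Windows (WingsOfGod.dll)
– 3669959fdb0f83239dba1a2068ba25b3 : WogRAT – Windows (WingsOfGod.dll)
– f97fa0eb03952cd58195a224d48f1124 : WogRAT – Windows (WingsOfGod.dll)
– f271e0ae24a9751f84c5ae02d29f4f0e : WogRAT – Windows (WingsOfGod.dll)
– 1341e507f31fb247c07beeb14f583f4f : WogRAT – Windows (ChromeFixup.exe)
– 7bcfea3889f07f1d8261213a77110091 : Tiny SHell (dddddd_oo)
– 1aebf536268a9ed43b9c2a68281f0455 : WogRAT – Linux (abc)
– a35c6fbe8985d67a69c918edcb89827e : WogRAT – Linux (a14407a2)
C&C URL
– w.linuxwork[.]net:443
– linuxwork[.]net:80
– hxxps://t0rguard[.]net/c/
– hxxps://w.newujs[.]com/c/
– hxxps://newujs[.]com/tt.php?fuckyou=1
Download URL
– hxxp://newujs[.]com/dddddd_oo
– hxxp://newujs[.]com/abc
– hxxp://newujs[.]com/a14407a2
– hxxps://js.domaiso[.]com/jquery.min-2.js
– hxxps://jp.anotepad[.]com/note/read/b896abi9
– hxxp://newujs[.]com/cff/wins.jpg
"""

HASH_LINE = re.compile(r"^\s*[–-]\s*([0-9a-fA-F]{32})\s*:\s*(.+?)\s*$")
URL_LINE = re.compile(r"^\s*[–-]\s*(\S+)\s*$")
MD5_TOKEN = re.compile(r"\b[0-9a-f]{32}\b")
HOST_TOKEN = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")


def refang(value: str) -> str:
    """Undo the hxxp / [.] defanging used in the report."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Bare hostname from a URL or host:port string."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def parse_iocs(text: str):
    """Return (hashes, domains, urls): md5 -> description, host set, URL set."""
    hashes, domains, urls = {}, set(), set()
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("MD5", "C&C URL", "Download URL"):
            section = stripped
            continue
        m = HASH_LINE.match(line)
        if section == "MD5" and m:
            hashes[m.group(1).lower()] = m.group(2)
            continue
        m = URL_LINE.match(line)
        if section in ("C&C URL", "Download URL") and m:
            url = refang(m.group(1)).lower()
            urls.add(url)
            domains.add(host_of(url))
    return hashes, domains, urls


def matching_domain(host, domains):
    """Most specific listed domain that equals host or is a parent of it."""
    found = [d for d in domains if host == d or host.endswith("." + d)]
    return max(found, key=len) if found else None


def match_logs(lines, hashes, domains, urls):
    """Return (line_index, kind, value) hits; a full-URL hit outranks host hits."""
    hits = []
    for idx, line in enumerate(lines):
        lower = line.lower()
        url_hit = next((u for u in sorted(urls, key=len, reverse=True) if u in lower), None)
        if url_hit:
            hits.append((idx, "url", url_hit))
            continue
        for h in MD5_TOKEN.findall(lower):
            if h in hashes:
                hits.append((idx, "hash", hashes[h]))
        for host in HOST_TOKEN.findall(lower):
            d = matching_domain(host, domains)
            if d:
                hits.append((idx, "domain", d))
    return hits


# Constructed log lines (hostnames, IPs and timestamps are made up).
SAMPLE_LOGS = [
    "2024-03-05T10:01:02Z dns client=10.0.0.7 query=w.linuxwork.net type=A",
    "2024-03-05T10:01:05Z dns client=10.0.0.7 query=update.example.com type=A",
    "2024-03-05T10:02:11Z edr host=WS-17 file=C:\\Users\\u\\Downloads\\BrowserFixup.exe md5=da3588a9bd8f4b81c9ab6a46e9cddedd",
    "2024-03-05T10:03:40Z proxy client=10.0.0.9 url=https://jp.anotepad.com/note/read/b896abi9",
]

if __name__ == "__main__":
    for idx, kind, value in match_logs(SAMPLE_LOGS, *parse_iocs(IOC_TEXT)):
        print(f"line {idx}: {kind} match -> {value}")
```

On the constructed logs this yields a host match on w.linuxwork.net, a hash match on the BrowserFixup.exe downloader, and a full-URL match on the aNotepad note; the unrelated DNS query produces nothing. Domain matching prefers the most specific listed host (w.linuxwork.net over linuxwork.net) so one event is not reported twice.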

About the Author:

FirstHackersNews- Identifies Security
