On Wednesday, hackers attacked Russian organizations with newly discovered malware that allows them to remotely take control of compromised devices and steal information from them.
According to Malwarebytes, one of the Russian organizations targeted with this RAT is a government-controlled defense corporation.
Woody RAT Malware
This advanced custom RAT is mainly the work of a threat actor that targets Russian entities, using lures in archive file format and, more recently, Office documents that exploit the Follina vulnerability.
The malware is currently delivered to targets' computers via phishing emails through two distribution methods:
ZIP archive files containing the malicious payload, or Microsoft Office documents.
Woody RAT can also execute .NET code as well as PowerShell commands and scripts received from its C2 server, using two DLLs named WoodySharpExecutor and WoodyPowerSession.
Once launched on a compromised device, the malware uses process hollowing to inject itself into a suspended Notepad process, deletes its own file from disk to evade detection by security products, and then resumes the thread.
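As an added illustrative example (not part of the original report or of Malwarebytes' analysis), the following Python correlates the behaviour just described over constructed Sysmon-style records: a notepad.exe launched by an untrusted parent, that parent deleting its own executable shortly afterwards, and the hollowed Notepad then making an outbound connection. The field names, paths, PIDs and address are assumptions made for the sample data.

```python
# Constructed Sysmon-style records with simplified field names (sample data, not real telemetry).
# id 1 = process create, id 23 = file delete, id 3 = network connect.
EVENTS = [
    {"id": 1, "time": 100, "image": r"C:\Users\u\Downloads\report.exe", "pid": 4001,
     "ppid": 800, "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "time": 101, "image": r"C:\Windows\System32\notepad.exe", "pid": 4002,
     "ppid": 4001, "parent": r"C:\Users\u\Downloads\report.exe"},
    {"id": 23, "time": 102, "image": r"C:\Users\u\Downloads\report.exe", "pid": 4001,
     "target": r"C:\Users\u\Downloads\report.exe"},
    {"id": 3, "time": 110, "image": r"C:\Windows\System32\notepad.exe", "pid": 4002,
     "dest": "203.0.113.10:443"},
    # Benign launch of Notepad from the desktop shell: must not alert.
    {"id": 1, "time": 200, "image": r"C:\Windows\System32\notepad.exe", "pid": 5002,
     "ppid": 900, "parent": r"C:\Windows\explorer.exe"},
]

HOST_PROCESS = "notepad.exe"                      # the hollowing target named in the report
TRUSTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}  # assumed baseline for this host


def basename(path):
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_hollowed_notepad(events, window=60):
    """Score each notepad.exe launch on three weak signals seen together in the
    reported infection chain; two or more within `window` seconds raises an alert:
      1. launched by a parent outside the trusted baseline,
      2. that parent deleted its own image file shortly after,
      3. notepad.exe itself opened an outbound network connection.
    Returns one alert dict per suspicious notepad.exe PID."""
    alerts = []
    for ev in events:
        if ev["id"] != 1 or basename(ev["image"]) != HOST_PROCESS:
            continue
        reasons = []
        if basename(ev["parent"]) not in TRUSTED_PARENTS:
            reasons.append(f"untrusted parent {basename(ev['parent'])}")
        for other in events:
            if not (ev["time"] <= other["time"] <= ev["time"] + window):
                continue
            if (other["id"] == 23 and other["pid"] == ev["ppid"]
                    and other["target"].lower() == other["image"].lower()):
                reasons.append("parent deleted its own executable")
            if other["id"] == 3 and other["pid"] == ev["pid"]:
                reasons.append(f"network connection to {other['dest']}")
        if len(reasons) >= 2:                     # single signals are common; demand corroboration
            alerts.append({"pid": ev["pid"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt_hollowed_notepad(EVENTS):
        print(alert)
```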
Malwarebytes has yet to attribute the malware and the attacks to a known threat group, but said that a very short list of possible suspects includes Chinese and North Korean APTs.