Follow

PoetRAT, a very interesting Azerbaijan trojan that infected OT (industrial) environments: a thread. I want to explain a bit about this, as I've been studying it lately out of curiosity.

:blobcatknife:

First of all, I want to explain that most of OT related threats that pass through are designed to attack that particular victim. They are accidental victims from time to time of general attacks, but those are not as dangerous. PoetRAT here is designed to attack OT systems using a bit of social engineering, environment testing and specific threats such as webcam capturer, monitoring hard drive for information exfiltration, keylogger and others.

Show thread

this threat is embedded in a phishing attack that looked like an Azerbaijan government request. Apparently depending on the version it had a portal, a document... but in the end the victim would download (either through the web or the macro) a zip called "smile.zip". The macro unzips the file and execute a launcher. Let's explore this first.

Show thread

The launcher checks if the environment is a sandbox. This is meant to make the job of the analysts and forensic experts more difficult, it checks the hard drive size. If it's smaller than 62GB (it takes as granted that no computer has less than that) it rewrites the documents as "LICENCE.txt" and delete itself. I did a similar script to the original:

Show thread

as seen, if the launcher checks it's a normal computer it will execute the first script, called frown.py
forwn.py,as described from the original analysis communicates with the command and control server, and uses TLS to encrypt the communication. The RAT sends the word "almond" to which the server would respond a who that triggers the RAT to send the username and UUID. The server replies ice when the connection has to close. There's another script called smile.py which translate the C2 commands.

Show thread

As I had few information about the C2 server I decided the most fun low level way of handling this for the test was a simple socket server in python in my VPS. I decided to use the same word-triggers, and tested it from my computer and my mobile phone terminal, resulting in a really fast user and uuid capturing. Of course for the mobile phone testing I disabled the "HD size" test.

Show thread

The original uses a custom encryption scheme in a file called "Abibliophobia23". I'm still working in one, slightly different from the original, for fun. but it's basically a python script using the base64 library. I want to limit myself to that as well.

Show thread

finally, the RAT deploys some additional tools on targeted systems, mostly watchers and information exfiltration, including a cv2 script for webcam capturing. I tested this one and worked but the attacker has to know that the victims has the module installed...

Show thread

So yeah all of this started by being less cautious than they should when checking the email. This caused a lot of trouble, also this silly environment check at the beginning made it more difficult to capture and isolate.

Neat eh?

Show thread
Sign in to participate in the conversation
Cybrespace

Cybrespace is an instance of Mastodon, a social network based on open web protocols and free, open-source software. It is decentralized like e-mail.