In August 2022, «MalwareBytes» specialists reported a malicious campaign against the Russian company PJSC «United Aviation Corporation», allegedly carried out by one of the Chinese APT groups using a previously unknown RAT trojan, «WoodyRAT». However, the results of our research clearly indicate that the published information is only the tip of an iceberg that IT icebreakers have probably failed to notice for several years…
Indeed, 2 of the «WoodyRAT» samples quarantined in our sandbox try to establish a connection with a remote control center via the oakrussia[.]ru domain, which is semantically similar to the official website of PJSC «United Aviation Corporation». It was probably these samples, last uploaded to «VirusTotal» in July 2022, that served as the basis for the revelations published 2 weeks later. However, on closer study of this case we were alerted by the fact that, according to Passive DNS Replication, the oakrussia[.]ru domain was first resolved in the winter of 2020, and the samples using it were compiled in late April and early May 2020 and first uploaded to the «VirusTotal» sandbox during the same period. Admittedly, that is far ahead of the recent publications about the «new» trojan.
At the time of our discovery of «WoodyRAT» on August 05, 2022, our radars recorded July 18, 2022 as the date of the last upload of samples to «VirusTotal». While we were conducting the research and preparing the report, someone updated the value of the «Last Analysis» field by sending several samples to the sandbox. We decided not to use Photoshop, preferring objectivity and honesty.
Moreover, sandboxing the 15 «WoodyRAT» samples that landed in our quarantine and a retrospective recursive analysis of the DNS records of the controlling malicious infrastructure led us to a group of 31 servers and 20 domains. The compilation dates of the samples, the registration and delegation dates of the domains, and the purchase dates of the SSL certificates allow us to safely assert their active use in 2020 - 2022 for targeted attacks using «WoodyRAT».
«WoodyRAT» samples from different compilation years share no ImpHash or SSDeep matches: the APT group upgrades the trojan annually. The same cannot be said of the infrastructure: in 2021, 3 domains from the 2020 attacks were reused, and in 2022, 1 server from the 2020 attacks and 2 domains from the 2021 attacks (the already publicly known oakrussia[.]ru and fns77[.]ru).
The semantic similarity of the detected malicious domains to the originals made it possible to clearly identify the trojan's targets, including at least 5 institutions of the Russian military-industrial complex, all in the same sphere of military aviation and not previously mentioned in public reports.
All this suggests that the «novelty» of the «WoodyRAT» samples is somewhat exaggerated. The trojan is clearly in the arsenal of a certain APT group, undoubtedly pro-government, which has been present in Russian cyberspace for at least 3 years and is hunting for the secrets of military aviation.
The professional cyber-espionage version is also confirmed by clear signs that the group has carefully studied the IT contractors of the Russian defense industry: their names are used in a number of builds, and control servers are rented in their subnets, with domains parked to them posing as «Microsoft» telemetry collection and analysis services. All this significantly increases employees' trust in the samples and the traffic. It should also be noted that the APT group keeps abreast of events in the Russian social sphere, using the COVID theme and the corresponding anti-COVID orders of the Russian Government and the Federal Tax Service in the names of samples. And the use of the brands of Russian developers of anti-virus protection tools in the names of samples looks especially bold.
However, such a duet of infrastructural ingenuity and the banality of delivering compiled samples in pure form as e-mail attachments is more typical of the group's activity in 2021. In 2022, the group significantly reworked its targeted-attack technique, implementing multi-stage delivery of «WoodyRAT» samples to the target system using several high-quality loaders, while keeping e-mail as the main penetration vector.
At the initial stage of the 2022 attacks, the attackers use a widely available and popular, yet cheap and cheerful, tool that simultaneously increases the likelihood of infecting the target system and the stealth of the cyber operation: an exploit for the sensational vulnerability in «Microsoft Office» products, CVE-2022-30190, better known as «Follina». It is delivered in a devilishly mocking «Microsoft Word» document containing a memo for employees about information security measures at the workplace, one of whose points directly states that incoming correspondence must not be opened without thorough inspection.
The exploit encapsulated in the document downloads an HTM loader from the control center and launches it on the target system; the loader carries a Base64-encoded URL of the «WoodyRAT» sample's storage location, semantically similar to the domain of one of the IT contractors of Russian state institutions. At the last stage, after the download, the trojan is launched in the attacked system, having first entrenched itself there by overwriting one of the components of the «Windows Automatic Updates» system. In the 2022 attacks, to disguise the control infrastructure, along with domains posing as «Microsoft» telemetry collection and analysis services, the group resorts to «Dynamic DNS» to hide the IP addresses of its servers behind third-level domains in the «.duckdns.org» zone.
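A defender-side check for the two disguise patterns just described, as an added example that is not part of the original report: it walks DNS query logs and flags third-level hosts under the duckdns.org Dynamic DNS zone and hostnames that borrow «Microsoft» telemetry wording outside Microsoft's own zones. The log lines are constructed and the allowlist of legitimate zones is an assumption to be replaced by your own baseline.

```python
# Flag DNS queries matching the two C2-hiding patterns above: third-level hosts
# under a Dynamic DNS zone (duckdns.org) and hostnames borrowing Microsoft telemetry
# wording outside Microsoft's own zones. Added example, not the report's tooling;
# the log lines are constructed and the allowlist is an assumption.
import re
from typing import Optional

DDNS_ZONES = {"duckdns.org"}  # zone named in the report
LEGIT_ZONES = {"microsoft.com", "live.com", "windows.com", "windowsupdate.com", "msftncsi.com"}  # assumed baseline
LOOKALIKE_WORDS = ("microsoft", "telemetry", "msft", "windowsupdate")  # imitated wording

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query: (?P<qname>[\w.-]+)$")

def registrable_domain(host: str) -> str:
    """Last two labels; adequate for the zones handled here (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def classify(qname: str) -> Optional[str]:
    host = qname.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in DDNS_ZONES and host.count(".") >= 2:
        return "ddns-third-level"
    if reg not in LEGIT_ZONES and any(w in host for w in LOOKALIKE_WORDS):
        return "microsoft-lookalike"
    return None

def scan(lines):
    """Return (qname, source, category) for each query matching a pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        qname = m["qname"].rstrip(".")
        cat = classify(qname)
        if cat:
            hits.append((qname, m["src"], cat))
    return hits

SAMPLE_LOG = [  # constructed, not real telemetry
    "2022-06-01T09:00:01Z 10.0.0.5 query: settings-win.data.microsoft.com.",
    "2022-06-01T09:00:02Z 10.0.0.5 query: ms-telemetry-update.duckdns.org.",
    "2022-06-01T09:00:03Z 10.0.0.7 query: microsoft-telemetry-service.example.",
    "2022-06-01T09:00:04Z 10.0.0.7 query: duckdns.org.",
    "malformed line",
]

if __name__ == "__main__":
    for qname, src, cat in scan(SAMPLE_LOG):
        print(f"{cat:20} {src:10} {qname}")
```

Treat a hit on the lookalike rule as a pivot for review rather than a verdict, since the keyword heuristic will also catch benign third-party hosts.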
Cyber intelligence data shows clearly how, over 3 years, the APT group has spread its digital wings, annually increasing the scale and the frequency of change of its malicious infrastructure, replenishing its arsenal with new modified «WoodyRAT» samples and reducing the pauses between the deployment of an IT bridgehead and a direct attack on target systems.
The activity metrics used were the appearance of new servers and domains in the malicious information infrastructure, changes in DNS records and SSL certificates, and the compilation of new samples:
5 days: between the preparation of the control infrastructure and the compilation of the samples associated with it
33 days: between compilations of groups of new samples
45 days: frequency of change of DNS records and SSL certificates of the control infrastructure
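How the three metrics above can be computed from an event timeline, as an added example rather than the authors' own tooling: the event records and the 14-day window used to cluster compile dates into groups are constructed assumptions, so the numbers it produces are illustrative, not the report's.

```python
# Activity metrics of the kind described above, computed from a constructed
# timeline. Added example, not the authors' tooling; the 14-day clustering
# window and the event records are assumptions.
from datetime import date

# Constructed events: (date, kind, infra_id). kind: "infra" = server/domain first
# seen; "sample" = sample compiled, calling back to infra_id; "change" = DNS record
# or SSL certificate of infra_id changed.
EVENTS = [
    (date(2020, 4, 20), "infra", "oak"),
    (date(2020, 4, 25), "sample", "oak"),
    (date(2020, 5, 2), "sample", "oak"),
    (date(2020, 6, 1), "change", "oak"),
    (date(2020, 7, 16), "change", "oak"),
    (date(2021, 3, 1), "infra", "fns"),
    (date(2021, 3, 8), "sample", "fns"),
    (date(2021, 4, 10), "sample", "fns"),
]

def infra_to_sample_lag(events):
    """Days from an infrastructure id's first sighting to its first sample."""
    first_seen, first_sample = {}, {}
    for d, kind, key in sorted(events):
        if kind == "infra":
            first_seen.setdefault(key, d)
        elif kind == "sample" and key in first_seen:
            first_sample.setdefault(key, d)
    return {k: (first_sample[k] - first_seen[k]).days for k in first_sample}

def compile_groups(events, window=14):
    """Cluster compile dates; a gap over `window` days opens a new group."""
    groups = []
    for d in sorted(d for d, kind, _ in events if kind == "sample"):
        if groups and (d - groups[-1][-1]).days <= window:
            groups[-1].append(d)
        else:
            groups.append([d])
    return groups

def group_gaps(events, window=14):
    """Days from the end of one compile group to the start of the next."""
    g = compile_groups(events, window)
    return [(b[0] - a[-1]).days for a, b in zip(g, g[1:])]

def change_intervals(events):
    """Days between consecutive DNS/SSL changes of the same infrastructure."""
    per_key = {}
    for d, kind, key in sorted(events):
        if kind == "change":
            per_key.setdefault(key, []).append(d)
    return [(b - a).days for ds in per_key.values() for a, b in zip(ds, ds[1:])]
```

Averaging each list (or dictionary of lags) over a real timeline gives the per-period figures; comparing them year over year is what exposes the shrinking pauses the text describes.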
But even state-funded professionals misfire, reusing last year's infrastructure and leaving a well-traceable unique footprint in cyberspace. Very favorable «weather conditions» for threat hunters to set their cyber swarm on a ferocious APT predator and eventually drive it into a trap. The main thing is to look carefully at the footprints and not mistake for a new individual someone who long ago made his lair in the forest.