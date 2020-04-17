A new campaign that uses coronavirus-themed lures is targeting organizations in the government and energy sectors.

Cisco Talos researchers Warren Mercer, Paul Rascagneres and Vitor Ventura on Thursday published an analysis of a new campaign that deploys PoetRAT, a previously undocumented remote access trojan (RAT), against both government organizations and energy-sector companies in Azerbaijan.

According to the team, the malware targets industrial control system (ICS) and SCADA environments, which are commonly used to manage power grids and manufacturing systems.

In this case, the ICS and SCADA systems of interest to the campaign's threat actors, whose identity is currently unknown, are those connected to wind turbines in the renewable energy sector.

Talos says targeted victims receive phishing emails with malicious Microsoft Word documents attached. Three separate lure documents were identified: one named "C19.docx", a reference to the COVID-19 pandemic, and two that purport to come from departments of the Government of Azerbaijan and from the Ministry of Defense of India.

"We believe that the adversaries, in this case, want to target citizens of the country of Azerbaijan, including private companies in the SCADA sector such as wind turbine systems," the researchers say.

If the document is opened and macros are enabled, the malicious macro acts as a dropper and deploys PoetRAT, so named because of the references to the playwright William Shakespeare found in its code.

Rather than dropping the malware directly as an executable, the macro writes a file called "smile.zip" to disk. The archive contains a Python interpreter together with the RAT's Python scripts. Before extracting it, the macro performs a sandbox check: if the hard disk is smaller than 62 GB, the macro assumes it is running in an analysis environment, and the dropped malware is overwritten and deleted instead of executed.

Written in Python, the trojan consists of two main scripts. The first, "frown.py", handles communication with the malware's command-and-control (C2) server; the channel between the infected machine and the operators is encrypted with TLS.

The second script, "smile.py", executes the operators' commands, including listing directories, collecting system information, taking screenshots, copying, moving and archiving content, uploading stolen files, and killing processes. Talos also found additional tooling that allows PoetRAT operators to capture the victim's webcam and steal passwords.

One tool that caught the researchers' attention is dog.exe, a .NET module that monitors hard drive paths and automatically exfiltrates data through either an email account or an FTP account.

To maintain persistence, the malware creates registry keys. It can also modify the registry so that its own sandbox-detection checks are skipped on later runs.

"This could be used for already infected hosts to make sure they do not check the environment again," says Talos.
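The infection chain described above (an Office macro dropping an archive and a Python interpreter to disk, the interpreter running the RAT scripts, and persistence via Run keys) is something a detection engineer can correlate from ordinary endpoint telemetry. The following is an added example, not code from the Talos report or from the malware: it applies three simple rules to a constructed, Sysmon-like event stream. The event schema, the file and registry paths, the "Run\frown" value name and the benign noise events are all assumptions made for illustration, not published indicators.

```python
"""Correlate endpoint events into a PoetRAT-style infection-chain alert.

Added example, not code from the Talos report or from the malware. The
event schema (Sysmon-like process, file and registry events carrying
pid/ppid/image/target) and the sample events below are constructed for
illustration; the suffix list and key marker are assumptions, not IOCs.
"""
from dataclasses import dataclass
from typing import List

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe"}
DROP_SUFFIXES = (".zip", ".py", ".exe", ".dll")
RUN_KEY_MARKER = r"\software\microsoft\windows\currentversion\run"


@dataclass
class Event:
    ts: int            # monotonically increasing timestamp (assumed)
    kind: str          # "process" (creation), "file" (write) or "registry" (set value)
    pid: int           # process that caused the event
    ppid: int          # its parent pid
    image: str         # full path of the causing process
    parent_image: str = ""
    target: str = ""   # written file path or registry value path


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events: List[Event]) -> List[str]:
    """Return one alert string per suspicious step, in time order.

    Step 1: an Office process writes an archive, script or binary to disk
            (the macro dropping smile.zip).
    Step 2: a Python interpreter is spawned with an Office parent
            (the dropped interpreter running the RAT scripts).
    Step 3: that same interpreter sets a value under a Run key (persistence).
    Step 3 is tied to the pids seen in step 2, so a Run key written by an
    unrelated process does not fire on its own.
    """
    alerts: List[str] = []
    script_pids = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        name = image_name(e.image)
        if (e.kind == "file" and name in OFFICE_HOSTS
                and e.target.lower().endswith(DROP_SUFFIXES)):
            alerts.append(f"step1 office_drop pid={e.pid} file={e.target}")
        elif (e.kind == "process" and name in SCRIPT_HOSTS
                and image_name(e.parent_image) in OFFICE_HOSTS):
            script_pids.add(e.pid)
            alerts.append(f"step2 office_spawns_python pid={e.pid} image={e.image}")
        elif (e.kind == "registry" and e.pid in script_pids
                and RUN_KEY_MARKER in e.target.lower()):
            alerts.append(f"step3 run_key_persistence pid={e.pid} key={e.target}")
    return alerts


# Constructed sample telemetry (not real logs). Paths and the Run value
# name "frown" are assumptions for the example only.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
DROPPED_PY = r"C:\Users\alice\AppData\Local\Temp\smile\python.exe"
SAMPLE_EVENTS = [
    Event(1, "process", 1000, 500, WORD, r"C:\Windows\explorer.exe"),
    Event(2, "file", 1000, 500, WORD,
          target=r"C:\Users\alice\AppData\Local\Temp\smile.zip"),
    Event(3, "process", 1200, 1000, DROPPED_PY, WORD),
    Event(4, "registry", 1200, 1000, DROPPED_PY,
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\frown"),
    # Benign noise: a developer's interpreter started from Explorer, and a
    # legitimate program registering its own Run value. Neither should alert.
    Event(5, "process", 2000, 500, r"C:\Python39\python.exe",
          r"C:\Windows\explorer.exe"),
    Event(6, "registry", 2000, 500, r"C:\Python39\python.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts, one per step, and nothing for the two benign events. In a real deployment the same three rules map naturally onto Sysmon event IDs 11 (file create), 1 (process create) and 13 (registry value set); the pid correlation in step 3 is what keeps ordinary software that registers a Run value from producing noise.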

In addition to the main trojan campaign, the team also found a phishing website hosted on the same infrastructure that mimics the Azerbaijani government's webmail system.

"The actor controlled specific directories, indicating that they wanted to exfiltrate some information about the victims," says Talos. "According to our research, adversaries may have sought important credentials from Azerbaijani government officials. The attacker wanted not only specific information obtained from victims, but also a complete cache of information related to their victim."

