A New Remote Access Trojan Dubbed Woody Rat Delivered as Office Documents

The Threat Intelligence team of Malwarebytes discovered a new Remote Access Trojan called ‘Woody Rat’ that targets Russian entities by using lures in archive file format and Office documents leveraging the Follina vulnerability.


Malwarebytes researchers stated that the threat actors aim to target a Russian aerospace and defense entity called ‘OAK’.

Remote Access Trojan – Woody Rat


According to the researchers, Woody Rat has been distributed in two different formats, namely archive files and Office documents that use the Follina vulnerability.



The Follina vulnerability allows an attacker to execute arbitrary code using a malicious Word document. This vulnerability leverages the built-in MS URL handlers to trigger msdt.exe; this process can then be used to execute PowerShell commands.


In this case, the threat actor is using a Microsoft Office document that has been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat.
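The Office-to-msdt.exe chain described above is what defenders typically alert on. The following is an added example, not taken from the Malwarebytes report: it scans process-creation events and flags msdt.exe started by an Office application, or started through the `ms-msdt:` URL scheme by any parent. The event field names, host names, parent list and sample events are constructed assumptions.

```python
import ntpath

# Assumption: Office binaries that should never be the parent of msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events; field names are hypothetical and only loosely
# modelled on process-creation telemetry. Arguments are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws-01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": "msdt.exe ms-msdt:/id <constructed-placeholder>"},
    {"host": "ws-02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": "msdt.exe /id NetworkDiagnosticsWeb"},
    {"host": "ws-03",
     "parent_image": r"C:\Program Files\ExampleBrowser\browser.exe",
     "image": r"C:\Windows\SysWOW64\MSDT.EXE",
     "command_line": "MSDT.EXE MS-MSDT:/id <constructed-placeholder>"},
    {"host": "ws-04",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 8192"},
]

def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if _name(event["image"]) != "msdt.exe":
        return None
    if _name(event["parent_image"]) in OFFICE_PARENTS:
        return "high"      # Office application spawned the diagnostic tool
    if "ms-msdt:" in event["command_line"].lower():
        return "medium"    # launched through the URL handler by another parent
    return None            # ordinary troubleshooter launch

def detect(events):
    """List (host, severity) for every event that matches a rule."""
    return [(e["host"], sev) for e in events if (sev := classify(e))]

if __name__ == "__main__":
    for host, severity in detect(SAMPLE_EVENTS):
        print(f"{severity:6} msdt.exe launch on {host}")
```
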


Woody Rat distribution methods

The initial versions of this Rat were archived into a zip file pretending to be a document specific to a Russian group. After the Follina vulnerability became known, the threat actors switched to it to distribute the payload.


In the archive file method, Woody Rat is packaged into an archive file and sent to victims. It is believed that these archive files have been distributed using spear phishing emails. For instance: anketa_brozhik.doc.zip: Contains Woody Rat with the same name: Anketa_Brozhik.do ..