
WogRAT Abuses ‘aNotepad’ to Stage Malware for Windows and Linux Devices


A newly documented malware family named WogRAT targets both Windows and Linux systems. Its distinguishing trait is the abuse of a legitimate online notepad service, aNotepad, as a hosting location for a stage of its malicious code, so that the download blends in with ordinary traffic to a reputable site.

Origin and Impact

Researchers at AhnLab Security Intelligence Center (ASEC) have been tracking WogRAT, which takes its name from the string ‘WingOfGod’ found in its code.

Activity attributed to the malware dates back to late 2022, with victims concentrated in Japan, Singapore, China, Hong Kong and other parts of Asia.

The exact distribution channel is not known, but the names of the observed executables (e.g., flashsetup_LL3gjJ7.exe, WindowsApp.exe) mimic legitimate installers, which points to malvertising or a similar lure.

Exploiting Online Notepad

The notable part of WogRAT’s Windows infection chain is its use of aNotepad as a staging host. The attackers store a base64-encoded .NET binary in a public note; the initial dropper, which poses as an Adobe tool, fetches and decodes it at runtime.

This abuse of a legitimate service lowers the chance that the first stage is flagged by antivirus software: at rest the dropper carries no recognisable payload, and on the wire its activity looks like a visit to a public notepad site rather than to attacker infrastructure.

Once run, the dropper compiles encrypted source code that it carries and executes the result. That compiled component downloads the base64-encoded .NET binary from aNotepad and runs it in memory, and this binary in turn loads the WogRAT backdoor DLL.
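As an added example (not code from the article or from ASEC), the following Python script shows the check a proxy or DLP inspector could run against text retrieved from a notepad-style service: find long base64 runs, decode them, and test whether the bytes carry an MZ/PE header and a populated CLR runtime directory, which marks a .NET assembly like the one WogRAT stages on aNotepad. The sample note, the headers-only PE image it contains and all function names are constructed for the demonstration.

```python
"""Spot base64 text that decodes to a Windows PE (and whether it is .NET).

Added example, not code from the article or from ASEC. A proxy or DLP
inspector could run this over the body of a note fetched from a service such
as aNotepad: WogRAT's downloader pulls a base64-encoded .NET binary from such
a note, so a base64 run whose decoded bytes carry an MZ/PE header is the
tell-tale. The sample note and the minimal PE image are constructed here.
"""
import base64
import binascii
import re
import struct

# A PE header alone is a few hundred bytes, so require a long base64 run.
# (Quick triage heuristic: base64 of "MZ\x90\x00" is "TVqQ", of "MZ\x00\x00" is "TVoA".)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_dotnet_pe(data: bytes) -> bool:
    """True if the optional header's CLR Runtime Header directory (index 14) is set.

    Assumes looks_like_pe(data) already returned True.
    """
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20                      # PE signature + COFF file header
    if opt + 2 > len(data):
        return False
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                           # PE32
        n_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        n_off, dd_off = opt + 108, opt + 112
    else:
        return False
    if n_off + 4 > len(data):
        return False
    (n_dirs,) = struct.unpack_from("<I", data, n_off)
    clr = dd_off + 14 * 8                        # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if n_dirs < 15 or clr + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, clr)
    return rva != 0 and size != 0


def scan_text(text: str) -> list:
    """Return one record per base64 run in text that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue                             # not valid base64 after all
        if looks_like_pe(blob):
            hits.append({"offset": m.start(), "size": len(blob),
                         "dotnet": is_dotnet_pe(blob)})
    return hits


def build_sample_pe(dotnet: bool) -> bytes:
    """Constructed headers-only PE32 image for testing; it is not runnable code."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)      # e_lfanew -> PE signature at 0x80
    buf += b"PE\x00\x00"
    # COFF header: Machine=i386, 1 section, SizeOfOptionalHeader=224, Characteristics
    buf += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA, size
    buf += opt
    return bytes(buf)


# Constructed note body: a lure line followed by the base64 payload.
SAMPLE_NOTE = ("Adobe Flash Player update notes\n"
               + base64.b64encode(build_sample_pe(dotnet=True)).decode()
               + "\n-- end --\n")

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_NOTE):
        kind = ".NET" if hit["dotnet"] else "native"
        print(f"base64 PE at offset {hit['offset']}: {hit['size']} bytes, {kind}")
```

The PE check is deliberately structural (MZ magic, e_lfanew, PE signature, data-directory count) rather than a string match on "TVqQ", so it also catches images whose DOS stub differs; the CLR-directory test is what separates a .NET assembly, which the WogRAT chain loads in memory, from a native DLL or EXE.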

Figure: strings stored on aNotepad and the decryption routine used to recover them (Source: ASEC)

The backdoor then connects to its command-and-control (C2) server, from which the operators can execute commands on the host and upload or download files, among other actions.

Linux Variant Insights

The Linux variant of WogRAT is an ELF binary built on the open-source Tiny SHell (tsh) backdoor, to which the authors added an extra layer of encryption for traffic to the C2 server.

Unlike the Windows version, no use of aNotepad to host its code has been observed, and it provides a reverse shell rather than the Windows build’s discrete command set, so the two variants follow different operational playbooks.

Final Word

As attackers keep turning legitimate online services into hosting infrastructure for their payloads, defenders should treat downloads from paste- and notepad-style sites, and base64 blobs that decode to executables, as worth inspecting rather than trusting them on domain reputation alone.

Author: Anas Hasan

Date: March 6, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast with extensive experience in the digital transformation industry. When he isn’t blogging, he watches football.
