Rewterz Threat Alert – New WogRAT Stores Malware by Exploiting Online Notepad Platform – Active IOCs

Severity

High

Analysis Summary

A new malware “WogRAT” has emerged that is targeting both Linux and Windows in its attacks by using an online notepad service called “aNotepad” as a covert channel to store and retrieve its malicious code.

The malware is named after a string “WingOfGod”, and has been active since at least 2022. It mainly targets Singapore, Japan, Hong Kong, China, and other Asian countries. The way it is distributed is currently unknown, but notably, the names of the sampled executables resemble software that is popular among users so it is very likely that it is spread through malvertising or other similar methods.

The researchers said, “Malware strains disguised their names as legitimate utility tools such as “flashsetup_LL3gjJ7.exe“, “WindowsApp.exe“, “WindowsTool.exe“, “BrowserFixup.exe“, “ChromeFixup.exe“, “HttpDownload.exe“, and “ToolKit.exe“.”

The malware abuses aNotepad, a notepad platform available for free online, to host a base64-encoded .NET binary of the Windows version of the malware that is disguised as an Adobe tool. Since aNotepad is a legitimate online service, it is not treated suspiciously or blacklisted by the security software, hence helping the infection chain become stealthy. Once the malware is executed on the compromised system, it is unlikely that it will be flagged as malicious by antivirus tools since it doesn’t have any malicious functionality. That being said, the malware does contain an encrypted source code for a malware downloader that is compiled and executed at run-time.

The downloader is responsible for fetching another malicious .NET binary that is stored on aNotepad in base64-encoded format. Decoding it results in loading a DLL that is the WogRAT backdoor. WogRAT then sends information about the infected system to the command-and-control (C2) server and receives commands to execute them. Five supported functions have been observed:

• Run commands
• Download files from a specific URL
• Upload specific files to the C2 server
• Wait for a specific time
• Terminate the malware

On the other hand, the Linux version of the malware is in ELF form and is very similar to the Windows version, but it distinguishes itself by leveraging Tiny Shell to carry out operations and additional encryption in its communication with the C2 server. Tiny Shell is an open-source backdoor capable of facilitating command execution and data exchange on Linux devices for various threat actors, like OldGremlin, UNC4540, LightBasin, and the operators of the Linux rootkit ‘Syslogk’ that are still unidentified.

Another difference is that the commands on the Linux version are not sent using POST requests. Instead, they are sent via a reverse shell that is created on a specific IP and port. Security analysts have yet to determine how these ELF binaries are propagated to the victims since the Linux variant doesn’t exploit aNotepad to host and retrieve the malicious code.

Impact

• Unauthorized Access
• File Exfiltration
• Exposure to Sensitive Data

Indicators of Compromise

Domain Name

• w.linuxwork.net
• linuxwork.net

MD5

• 5769d2f0209708b4df05aec89e841f31
• 655b3449574550e073e93ba694981ef4
• 929b8f0bdbb2a061e4cf2ce03d0bbc4c
• da3588a9bd8f4b81c9ab6a46e9cddedd
• fff21684df37fa7203ebe3116e5301c1
• e9ac99f98e8fbd69794a9f3c5afdcb52
• 290789ea9d99813a07294ac848f808c9
• 3669959fdb0f83239dba1a2068ba25b3
• 1341e507f31fb247c07beeb14f583f4f
• 7bcfea3889f07f1d8261213a77110091
• 1aebf536268a9ed43b9c2a68281f0455
• a35c6fbe8985d67a69c918edcb89827e

SHA-256

• 2032e976f4b44723895de17d7ed797d1464e93ac8afeb6ec069871518d01ca02
• 98db00ede0e4678737fb911797fd7546adc2ca4b9191094fb6ea1f6fbab6f6fb
• dadd2343e83e9ca3c663a2528b51b7eb0bb49c4993a0f2eceebca8d9b90c52b5
• ddeb40709841f3084a2b601db51285548cfe276f91bffca43dedfc0e5c791bde
• 9d67758c488ba611a7cfc13cb7f24e975d7075f43d0abdfaab89048db8a8c874
• 0745f0421c06ac435c89a7a9f1831b9423e3af4be52eeb1153985a6daeaf66c2
• 685636f918689b63f3a6ede86c29dc70d12a16c48f9396cd7446d4022063bf00
• 883010b1a483fd3a3c698a573762db4030f1ea98b1fbfa7b208bab74310ace39
• d3d4cfe7bc2213f7e971e8757f8fa977a6dea34b1d88cf3184879e6dbb048b78
• 31c4eb47fd004359e61055cd0cc6ffcf1ff901f9796d9e5b59e8472d3c9e58af
• 779b0ac1f1460cb87adf24edbd9bffa0ccbad6a4b1e5e83d5ca0fe4a3ac0fa79
• f04b9920d66794924ce66d8736cb6eeb73a88889fc7e8173ecfc21ec13bba8fe

SHA-1

• 4843dc18a14b8953d1c56d42780eac89f0252f6
• 5e3ec55c3b8c39a2b1cd0d39e0188a35322be814
• 4682541e06890d7271d1c26d1d4579094e50b067
• 664ec660a8c553dec11325c04fa012d569a2335e
• e0ed04cf515db82c826c3651db59e13c375b068c
• 2de711c5adc3b445649109dd5db1c765092e56af
• 0dafc7f7a92951ad5b7f650b01b8d5ef03f18ae7
• fc52025afc9a69d056e47250198b99100ef0de8d
• 2cf68fe9d6f1e23a219ebd277e49f4b2717a9afd
• 19e44f73c5eed8a2f9371a138cccd72fa9a138a2
• ca8c20861b4f3ef2ed8ef1bbc4f26f2e17f6feef
• e4df23eb1af6cbebcd669e620e47c2fbd6f8bbcf

URL

• https://t0rguard.net/c/
• https://w.newujs.com/c/
• https://newujs.com/tt.php?fuckyou=1
• http://newujs.com/dddddd_oo
• http://newujs.com/abc
• http://newujs.com/a14407a2
• https://js.domaiso.com/jquery.min-2.js
• http://newujs.com/cff/wins.jpg

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders
• Patch and upgrade any platforms and software on time and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Use automated security scanning tools to analyze dependencies for known vulnerabilities or suspicious code.
• Provide training to developers and team members on secure coding practices, the risks of third-party dependencies, and the importance of code reviews.
• Implement access control measures on your code repositories to restrict who can contribute or make changes to the codebase.
• Maintain regular backups of your critical data to ensure data recovery in case of a security incident.
• Use antivirus and intrusion detection systems to help identify and block malicious activity.
• Implement network segmentation to limit the spread of malware or malicious activities within your network.
• Enforce strong password management practices for your systems and accounts.
• Implement MFA wherever possible to add an extra layer of security.
• Only download apps from official sources like Google Play and App Store.