PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare. [1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | |
| Enterprise | T1119 | Automated Collection | PoetRAT used file system monitoring to track modifications and enable automatic exfiltration.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PoetRAT has added a registry key in the |
| Enterprise | T1059 | Command and Scripting Interpreter | PoetRAT has executed a Lua script through a Lua interpreter for Windows.[2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | PoetRAT has used Word documents with VBScripts to execute malicious activities.[1][2] |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.[1] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | PoetRAT has used a Python tool named Browdec.exe to steal browser credentials.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PoetRAT has used the LZMA and base64 libraries to decode obfuscated scripts.[2] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | PoetRAT used TLS to encrypt command and control (C2) communications.[1] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | PoetRAT has used a .NET tool named dog.exe to exfiltrate information over an e-mail account.[1] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1083 | File and Directory Discovery | PoetRAT has the ability to list files upon receiving the |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | |
| Enterprise | T1070 | Indicator Removal on Host | PoetRAT has the ability to overwrite its scripts and delete itself if a sandbox environment is detected.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | PoetRAT has the ability to copy files and to download/upload files over its C2 channels using FTP and HTTPS.[1][2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | PoetRAT has used a Python tool named klog.exe for keylogging.[1] |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | PoetRAT was delivered with documents using DDE to execute malicious code.[1] |
| Enterprise | T1112 | Modify Registry | PoetRAT has made registry modifications to alter its behavior upon execution.[1] |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1027 | Obfuscated Files or Information | PoetRAT has used a custom encryption scheme for communication between scripts and pyminifier to obfuscate scripts.[1][2] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | PoetRAT used voStro.exe, a compiled pypykatz (a Python implementation of Mimikatz), to steal credentials.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1082 | System Information Discovery | PoetRAT has the ability to gather information about the compromised host.[1] |
| Enterprise | T1033 | System Owner/User Discovery | PoetRAT sent the username, computer name, and the previously generated UUID in reply to a "who" command from C2.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | PoetRAT has used spearphishing attachments to infect victims.[1] |
| Enterprise | T1125 | Video Capture | PoetRAT has used a Python tool named Bewmac to record the webcam on compromised hosts.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | PoetRAT checked the size of the hard drive to determine whether it was being run in a sandbox environment. On detecting a sandbox, it deleted itself by overwriting the malware scripts with the contents of "License.txt" and exiting.[1] |
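The T1140 entry above says PoetRAT's loader unwrapped scripts that had been packed with base64 and LZMA. The following is an added analyst-side illustration, not PoetRAT's own code: it builds a constructed sample by stacking those two layers and then peels them back off in whatever order they were applied, stopping when the data is neither an xz/LZMA stream nor valid base64. The layer order, the payload text and the 16-layer cap are assumptions made for the example.

```python
"""Peel nested base64 / LZMA layers of the kind a loader undoes at runtime.

Added illustration (not PoetRAT's code).  wrap() exists only to build a
constructed sample; on real cases read the sample bytes from disk instead.
"""
import base64
import binascii
import lzma
from typing import List, Tuple

XZ_MAGIC = b"\xfd7zXZ\x00"   # magic of the .xz container lzma.compress() emits by default
MAX_LAYERS = 16              # assumption: cap so hostile input cannot loop the decoder forever


def wrap(payload: bytes, layers: List[str]) -> bytes:
    """Apply layers in the given order; the last name in the list is the outermost."""
    blob = payload
    for layer in layers:
        if layer == "base64":
            blob = base64.b64encode(blob)
        elif layer == "lzma":
            blob = lzma.compress(blob)
        else:
            raise ValueError(f"unknown layer {layer!r}")
    return blob


def _try_lzma(blob: bytes):
    try:
        return lzma.decompress(blob)
    except lzma.LZMAError:
        return None


def _try_base64(blob: bytes):
    # Samples often line-wrap the blob; join before decoding.  validate=True
    # makes stray characters (quotes, parentheses, ...) fail instead of being
    # silently dropped, which is what stops the loop on the real script body.
    compact = b"".join(blob.split())
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def unwrap(blob: bytes, max_layers: int = MAX_LAYERS) -> Tuple[bytes, List[str]]:
    """Return (innermost bytes, layers peeled outermost-first)."""
    peeled: List[str] = []
    for _ in range(max_layers):
        if blob.startswith(XZ_MAGIC):
            inner = _try_lzma(blob)
            if inner is not None:
                blob, peeled = inner, peeled + ["lzma"]
                continue
        inner = _try_base64(blob)
        if inner is not None:
            blob, peeled = inner, peeled + ["base64"]
            continue
        break
    return blob, peeled


# Constructed sample: a stand-in script body wrapped lzma -> base64 -> lzma -> base64.
PAYLOAD = b"print('hello from the loader')\n"
SAMPLE = wrap(PAYLOAD, ["lzma", "base64", "lzma", "base64"])

if __name__ == "__main__":
    body, layers = unwrap(SAMPLE)
    print("layers peeled:", layers)
    print(body.decode())
```

One caveat a practitioner should keep in mind: the stop condition is heuristic. A final payload that happens to consist only of base64-alphabet characters with valid padding would be decoded one step too far, so always eyeball the last layer rather than trusting the loop blindly.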
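The T1497.001 and T1070 entries describe a disk-size sandbox check whose "delete" step is really an overwrite: the scripts are replaced with the bytes of License.txt and the process exits, so the files stay on disk with benign-looking content. The added example below (illustrative code, not PoetRAT's) emulates that logic on a constructed temporary staging directory and then shows the forensic counter-check an analyst can run: script-like files whose hash equals the cover file are the residue of the overwrite. The 62 GiB boundary, the file names and the suffix list are assumptions; the page gives no exact threshold.

```python
"""Emulate a disk-size sandbox check plus overwrite-with-cover cleanup, and the
forensic check for its residue.  Added illustration, not PoetRAT's code."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption: illustrative boundary only; the page says a hard-drive size check
# was used but does not give the figure.
SMALL_DISK_BYTES = 62 * 2**30


def disk_looks_like_sandbox(total_bytes: int, threshold: int = SMALL_DISK_BYTES) -> bool:
    """The heuristic itself: analysis VMs are often provisioned with small disks."""
    return total_bytes < threshold


def current_disk_total(path: str = ".") -> int:
    """Total size of the volume holding `path`, as the malware would query it."""
    return shutil.disk_usage(path).total


def overwrite_with_cover(scripts: List[Path], cover: Path) -> List[Path]:
    """Attacker-side step on detection: replace each script's bytes with the cover
    file's bytes.  Names, sizes and paths survive; only the content changes.
    The exit that follows in the real flow is left to the caller."""
    body = cover.read_bytes()
    for script in scripts:
        script.write_bytes(body)
    return scripts


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_cover_overwritten(root: Path, cover: Path,
                           suffixes=(".py", ".lua", ".vbs")) -> List[Path]:
    """Forensic counter-check: script-like files byte-identical to the cover file
    are not scripts any more, they are the overwrite residue."""
    cover_hash = _sha256(cover)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in suffixes and _sha256(p) == cover_hash)


def simulate(total_bytes: int) -> Dict[str, object]:
    """Run the check against a constructed staging directory and report what is left."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        cover = tmp / "License.txt"                      # cover file named on the page
        cover.write_text("Copyright (c) Example Corp. All rights reserved.\n")
        scripts = [tmp / "main.py", tmp / "helper.lua"]  # constructed script names
        for script in scripts:
            script.write_text("import socket  # stand-in for a loader script\n")

        suspected = disk_looks_like_sandbox(total_bytes)
        if suspected:
            overwrite_with_cover(scripts, cover)

        return {
            "sandbox_suspected": suspected,
            "overwritten": [p.name for p in find_cover_overwritten(tmp, cover)],
        }


if __name__ == "__main__":
    print("this host's disk:", current_disk_total(), "bytes")
    print("small disk run:", simulate(40 * 2**30))
    print("large disk run:", simulate(500 * 2**30))
```

Two practical consequences follow from the overwrite-not-delete behaviour: sandbox images should be provisioned with a disk comfortably above any plausible threshold so the payload stage actually runs, and on a suspect host the presence of .py or .lua files whose contents match a license text is itself an indicator worth alerting on.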