PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare. [1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | PoetRAT has used a Python tool named Browdec.exe to steal browser credentials.[1] |
| Enterprise | T1112 | Modify Registry | PoetRAT has made registry modifications to alter its behavior upon execution.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | PoetRAT used TLS to encrypt command and control (C2) communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PoetRAT has added a registry key in the |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | PoetRAT has used Word documents with VBScripts to execute malicious activities.[1][2] |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.[1] |
| Enterprise | T1059.011 | Command and Scripting Interpreter: Lua | PoetRAT has executed a Lua script through a Lua interpreter for Windows.[2] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials.[1] |
| Enterprise | T1083 | File and Directory Discovery | PoetRAT has the ability to list files upon receiving the |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | PoetRAT has used a .NET tool named dog.exe to exfiltrate information over an e-mail account.[1] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | |
| Enterprise | T1027 | Obfuscated Files or Information | PoetRAT has used a custom encryption scheme for communication between scripts.[1] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | |
| Enterprise | T1204.002 | User Execution: Malicious File | PoetRAT has used spearphishing attachments to infect victims.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected.[1] |
| Enterprise | T1082 | System Information Discovery | PoetRAT has the ability to gather information about the compromised host.[1] |
| Enterprise | T1033 | System Owner/User Discovery | PoetRAT sent username, computer name, and the previously generated UUID in reply to a "who" command from C2.[1] |
| Enterprise | T1119 | Automated Collection | PoetRAT used file system monitoring to track modification and enable automatic exfiltration.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of "License.txt" and exiting.[1] |
| Enterprise | T1125 | Video Capture | PoetRAT has used a Python tool named Bewmac to record the webcam on compromised hosts.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.[1][2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | PoetRAT has used a Python tool named klog.exe for keylogging.[1] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | PoetRAT was delivered with documents using DDE to execute malicious code.[1] |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | |
| Enterprise | T1571 | Non-Standard Port | |