VTA-004477 – New WogRAT Malware Abuses Online Notepad Service to Store Malware

AhnLab Security Intelligence Center (ASEC) has recently discovered a new malware, WogRAT, that abuses the free online notepad platform aNotepad as a covert channel. WogRAT is a Windows/Linux malware that uses aNotepad as a dead drop: the malicious code is stored there in base64-encoded form and retrieved by the malware at run time. WogRAT is distributed disguised as legitimate applications, with file names such as “flashsetup_LL3gjJ7.exe”, “WindowsApp.exe”, “WindowsTool.exe”, “BrowserFixup.exe”, “ChromeFixup.exe”, “HttpDownload.exe”, and “ToolKit.exe”. On Windows, the malware is a .NET binary disguised as an Adobe tool. When it runs, it downloads the base64-encoded payload from aNotepad, decodes it (base64 is an encoding, not encryption, so no key is involved), and loads the resulting DLL in memory. On first run, WogRAT collects basic information about the infected host and sends it to the command and control (C&C) server. It then receives commands from the C&C server, including executing commands and returning their results, downloading files, and uploading files. The Linux version behaves similarly but reuses routines from the open-source UNIX backdoor Tiny SHell, the same code base used by the Rekoobe malware. The main difference between the Windows and Linux versions is how strings are sent and received between the target and the C&C server.
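
The dead-drop pattern described above can be hunted for directly: a notepad or paste page that contains a long base64 run which decodes to a Windows PE or Linux ELF header is worth investigating, whatever the surrounding page looks like. The following Python script is an added example written for this advisory, not code from ASEC, aNotepad or the malware itself; the fake notepad page, the dummy PE/ELF headers and the function names are constructed here purely for illustration.

```python
import base64
import re
import struct

# Magic bytes for the two platforms WogRAT targets: Windows PE and Linux ELF.
PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"

# A run of base64 alphabet characters. Real dead-drop payloads are large, so a
# minimum length keeps short tokens (session ids, hashes) from being decoded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def classify_executable(blob: bytes):
    """Return 'pe', 'elf' or None depending on the file header found in blob."""
    if blob.startswith(ELF_MAGIC):
        return "elf"
    if blob.startswith(PE_MAGIC) and len(blob) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return None


def find_encoded_executables(text: str):
    """Scan page text for base64 runs that decode to an executable header.

    Returns a list of dicts with the offset of the run in the text, the kind
    of executable ('pe' or 'elf') and the decoded size in bytes.
    """
    hits = []
    for match in B64_RUN.finditer(text):
        run = match.group(0).rstrip("=")
        # Re-pad to a multiple of four so a run cut mid-page still decodes.
        padded = run + "=" * (-len(run) % 4)
        try:
            blob = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        kind = classify_executable(blob)
        if kind is not None:
            hits.append({"offset": match.start(), "kind": kind, "size": len(blob)})
    return hits


def build_fake_pe() -> bytes:
    """Constructed 128-byte stand-in for a PE file: DOS header + PE signature."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)        # 64-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x40)         # e_lfanew -> 0x40
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 60


def build_fake_elf() -> bytes:
    """Constructed 64-byte stand-in for an ELF file: magic plus zero padding."""
    return ELF_MAGIC + b"\x00" * 60


# Constructed sample of what a scraped notepad page might look like: ordinary
# text plus two base64 blobs, one PE-like and one ELF-like.
SAMPLE_PAGE = (
    "<html><body><div class='note'>meeting notes for tuesday\n"
    + base64.b64encode(build_fake_pe()).decode()
    + "\nsecond note\n"
    + base64.b64encode(build_fake_elf()).decode()
    + "\n</div></body></html>"
)


if __name__ == "__main__":
    for hit in find_encoded_executables(SAMPLE_PAGE):
        print(f"offset={hit['offset']} kind={hit['kind']} size={hit['size']}")
```

In production the page text would come from proxy logs or a fetch of the notepad URL; the script deliberately does not execute or write the decoded blob, it only reports the header type and size so the analyst can decide what to pull for sandboxing. Because base64 is a plain encoding, no key material is needed to inspect the payload, which is exactly why this dead-drop technique is cheap to detect once you know to look for it.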

Severity:
Low

Attack Surfaces:
Endpoint, Storage, Web Application, Web Browser

Tactics:
Command and Control, Defense Evasion, Execution, Initial Access, Resource Development

Technique:
T1059.004 – Unix Shell
T1204.002 – Malicious File
T1190 – Exploit Public-Facing Application
T1583.006 – Web Services
T1583.008 – Malvertising
T1071.002 – File Transfer Protocols
T1608.001 – Upload Malware

Indicator of Compromise:
https://otx.alienvault.com/pulse/65e832cd44c51ad03401dc14

References:
1. https://asec.ahnlab.com/en/62446/

SuperPRO’s Threat Countermeasures Procedures: 
1. Download utility programs and games only from official, legitimate websites.
2. Be wary of running executable files downloaded from third-party file-sharing websites, especially files named after system, browser or installer tools.
3. Ensure that real-time scanning is enabled in antivirus programs.
4. Avoid clicking on suspicious URLs; verify URLs before accessing them.
5. Enable the enhanced safe browsing feature in the browser, if available.
6. Monitor for outbound connections to the aNotepad service from processes that have no business reason to reach it, since the malware fetches its payload from there.

Contributed by: JieSheng