Woody RAT

Woody Rat is a malware that has been in the wild for at least a year, as identified by the Malwarebytes Threat Intelligence team. It is weaponized through a Microsoft Office document named Памятка.docx, exploiting the Follina (CVE-2022-30190) vulnerability to infiltrate systems. This malicious software can infect systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. The distribution methods for Woody Rat have been primarily through archive files and Office documents using the Follina vulnerability. When this vulnerability became globally known, threat actors switched to it for payload distribution. The used lure is in Russian, named "Information security memo," which provides security practices for passwords and confidential information. Malwarebytes successfully blocked the Follina exploit being leveraged in the latest Woody Rat campaign. The threat actor appears to have targeted a Russian aerospace and defense entity known as OAK, based on a fake domain registered by them. A significant amount of CRT functions seem to be statically linked, generating noise and complicating analysis. However, some debugging information left by the threat actor allowed researchers to derive a name for this new Remote Access Trojan. Indicators of Compromise (IOCs) for Woody Rat and various associated entities have been documented, providing valuable resources for threat detection and prevention.