LTS Secure Warning: New Campaign Targeting Energy Sector To Deliver PoetRAT via Weaponized Word Documents

A new Remote Access Trojan dubbed “PoetRAT” has been identified by security researchers in a set of campaigns targeting the energy sector. Analysis of the campaign reveals a carefully planned, highly targeted operation against Azerbaijani private-sector organizations, SCADA systems and the public.


Technical Details

Once the macros have been enabled, a VBScript dropper is executed on the machine. The script then loads its own document into memory, which is a ZIP file (smile.zip) containing:

  • Python interpreter
  • Python script (the RAT)

At the same time, the Word macros unzip and execute a script, “launcher.py”, which checks the environment in which the document is being opened. If it identifies a sandbox environment, it deletes the malicious script.

The RAT is made up of two main scripts:

  • frown.py – Responsible for C&C communication
  • smile.py – Responsible for executing the C&C commands
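
As an added example (not code from LTS Secure or from the campaign itself), the following Python scanner applies the two structural checks this description suggests to a macro-enabled Word document: whether the file carries VBA macros, and whether a ZIP archive bundling a Python interpreter and .py scripts is appended after the document's own ZIP structure. It assumes the payload ZIP is appended to the file (the text above does not say where smile.zip is stored); the sample document it builds, including the placeholder interpreter name python.exe, is constructed.

```python
import io
import zipfile
# File names come from the advisory; the sample document below is constructed.
MACRO_PART = "word/vbaProject.bin"
RAT_NAMES = {"smile.zip", "launcher.py", "frown.py", "smile.py"}
ZIP_MAGIC, EOCD_MAGIC = b"PK\x03\x04", b"PK\x05\x06"

def outer_archive_end(data):
    # A .docm is itself a ZIP; an appended payload ZIP brings its own EOCD (end-of-central-
    # directory) record, so the document's own EOCD is the first one that points back at itself.
    pos = data.find(EOCD_MAGIC)
    while pos != -1:
        cd_size = int.from_bytes(data[pos + 12:pos + 16], "little")
        cd_off = int.from_bytes(data[pos + 16:pos + 20], "little")
        if cd_off + cd_size == pos:  # consistent with an archive starting at byte 0
            return pos + 22 + int.from_bytes(data[pos + 20:pos + 22], "little")
        pos = data.find(EOCD_MAGIC, pos + 1)
    return len(data)

def inspect_office_doc(data):
    # Findings for a .docm byte string: VBA macros and a ZIP appended after the document.
    end = outer_archive_end(data)
    findings = []
    if MACRO_PART in zipfile.ZipFile(io.BytesIO(data[:end])).namelist():
        findings.append("VBA macros present (word/vbaProject.bin)")
    overlay = data[end:]
    if overlay:
        findings.append(f"{len(overlay)} bytes appended after the document's ZIP structure")
    if overlay.startswith(ZIP_MAGIC):
        try:
            names = {n.lower() for n in zipfile.ZipFile(io.BytesIO(overlay)).namelist()}
        except zipfile.BadZipFile:
            return findings + ["appended data has a ZIP signature but is unparseable"]
        python = sorted(n for n in names if n.endswith(".py") or "python" in n)
        findings.append(f"appended ZIP with {len(names)} entries, Python files {python}")
        if names & RAT_NAMES:
            findings.append(f"PoetRAT file names present: {sorted(names & RAT_NAMES)}")
    return findings

def build_sample():
    # Constructed stand-in: a macro-enabled document with the RAT ZIP appended to it.
    parts = []
    for entries in ({"word/document.xml": "<w:document/>", MACRO_PART: b"fake vba"},
                    {"python.exe": b"MZ", "launcher.py": "#", "frown.py": "#", "smile.py": "#"}):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, body in entries.items():
                z.writestr(name, body)
        parts.append(buf.getvalue())
    return b"".join(parts)
```

Run `inspect_office_doc(open(path, "rb").read())` on a suspect document; an empty list means neither macros nor trailing data were found.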


Impact

  • Logs the user’s keystrokes
  • Records video and takes pictures with the webcam
  • Performs network scans
  • Steals sensitive/confidential information such as banking-site login credentials and cookies
  • Exfiltrates data


Recommended Actions

  • Never download suspicious attachments or click on shady-looking links. Make an effort to educate your users on how to identify malspam.
  • Always update your anti-virus software with the latest releases.
  • Periodically run a “full system scan” on your endpoints.
  • Properly configure your Firewall/IDS/IPS/Endpoint Protection systems so that no holes are left open.
  • Isolate all compromised computers as soon as possible to prevent the threat from spreading further inside your infrastructure.