LTS Secure Warning: New Iteration of PoetRAT Targets Public and Private Sector in Azerbaijan

 

Security researchers have discovered a new iteration of PoetRAT, in which improvement s have been made to obfuscation, operation security and more. This time the malware is being used to target public and private sector in Azerbaijan.

 

Technical Details

In the campaign, the mail contains Microsoft Word documents, which appear to originate from the Azerbaijan government. The word documents contain malicious macros, which are responsible for downloading and dropping the PoetRAT and additional payload.

The malwares’ programming language has now changed from Python to Lua script, improving the efficiency of the code and the size of the malware. It also now comes with new evasion techniques, obfuscation & exfiltration protocol to avoid detection and hide the attackers’ activities.

 

Impact

  • Logs user’s keystrokes
  • Records videos & takes pictures from webcam
  • Perform network scans
  • Steal sensitive/confidential information like login credentials of banking sites, cookies, etc.
  • Perform privilege escalation

 

Recommended Actions

  • Never download any suspicious attachments or click on any shady-looking link. Take an effort to educate your users on how to identify a mal-spam.
  • Always update your anti-virus software with the latest releases.
  • Periodically run “full system scan” on your endpoints.
  • Make proper security configuration for Firewall/IDS/IPS/Endpoint Protection systems so that no holes are left barred.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.