Woody RAT

Woody RAT is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.[1]

ID: S1065
Type: MALWARE
Platforms: Windows
Contributors: Yoshihiro Kori, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India; Adam Lichters
Version: 1.1
Created: 14 February 2023
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

Woody RAT can identify administrator accounts on an infected machine.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Woody RAT can communicate with its C2 server using HTTP requests.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Woody RAT can execute PowerShell commands and scripts with the use of .NET DLL, WoodyPowerSession.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Woody RAT can execute commands using cmd.exe.[1]

Enterprise T1005 Data from Local System

Woody RAT can collect information from a compromised host.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Woody RAT can deobfuscate Base64-encoded strings and scripts.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Woody RAT can use AES-CBC to encrypt data sent to its C2 server.[1]

.002 Encrypted Channel: Asymmetric Cryptography

Woody RAT can use RSA-4096 to encrypt data sent to its C2 server.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Woody RAT can exfiltrate files from an infected machine to its C2 server.[1]

Enterprise T1203 Exploitation for Client Execution

Woody RAT has relied on CVE-2022-30190 (Follina) for execution during delivery.[1]

Enterprise T1083 File and Directory Discovery

Woody RAT can list all files and their associated attributes, including filename, type, owner, creation time, last access time, last write time, size, and permissions.[1]

Enterprise T1562 .006 Impair Defenses: Indicator Blocking

Woody RAT has suppressed all error reporting by calling SetErrorMode with 0x8007 as a parameter.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Woody RAT has the ability to delete itself from disk by creating a suspended notepad process and writing shellcode to delete a file into the suspended process using NtWriteVirtualMemory.[1]

Enterprise T1105 Ingress Tool Transfer

Woody RAT can download files from its C2 server, including the .NET DLLs, WoodySharpExecutor and WoodyPowerSession.[1]

Enterprise T1106 Native API

Woody RAT can use multiple native APIs, including WriteProcessMemory, CreateProcess, and CreateRemoteThread for process injection.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Woody RAT has used Base64 encoded strings and scripts.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Woody RAT has been delivered via malicious Word documents and archive files.[1]

Enterprise T1057 Process Discovery

Woody RAT can call NtQuerySystemProcessInformation with SystemProcessInformation to enumerate all running processes, including associated information such as PID, parent PID, image name, and owner.[1]

Enterprise T1055 Process Injection

Woody RAT can inject code into a targeted process by writing to the remote memory of an infected system and then create a remote thread.[1]

.012 Process Hollowing

Woody RAT can create a suspended notepad process and write shellcode to delete a file into the suspended process using NtWriteVirtualMemory.[1]

Enterprise T1012 Query Registry

Woody RAT can search registry keys to identify antivirus programs on an compromised host.[1]

Enterprise T1113 Screen Capture

Woody RAT has the ability to take a screenshot of the infected host desktop using Windows GDI+.[1]

Enterprise T1518 Software Discovery

Woody RAT can collect .NET, PowerShell, and Python information from an infected host.[1]

.001 Security Software Discovery

Woody RAT can detect Avast Software, Doctor Web, Kaspersky, AVG, ESET, and Sophos antivirus programs.[1]

Enterprise T1082 System Information Discovery

Woody RAT can retrieve the following information from an infected machine: OS, architecture, computer name, OS build version, environment variables, and storage drives.[1]

Enterprise T1016 System Network Configuration Discovery

Woody RAT can retrieve network interface and proxy information.[1]

.001 Internet Connection Discovery

Woody RAT can make Ping GET HTTP requests to its C2 server at regular intervals for network connectivity checks.[1]

Enterprise T1033 System Owner/User Discovery

Woody RAT can retrieve a list of user accounts and usernames from an infected machine.[1]

Enterprise T1204 .002 User Execution: Malicious File

Woody RAT has relied on users opening a malicious email attachment for execution.[1]

References