WogRAT abuses note-taking services aNotepad

The newly discovered WogRAT malware compromises Windows and Linux systems by utilizing the aNotepad online service for storing and transmitting malicious code.

Researchers from the AhnLab Security Intelligence Center (ASEC), who identified this malware, report that it has been operational since at least late 2022, primarily targeting countries in Asia such as Japan, Singapore, China, and Hong Kong.

The initial distribution method of WogRAT remains unclear, but the researchers observed that the names of its executable files mimic those of well-known software (e.g., flashsetup_LL3gjJ7.exe, WindowsApp.exe, WindowsTool.exe, BrowserFixup.exe, ChromeFixup.exe, HttpDownload.exe, ToolKit.exe), indicating that the malware might be spread through malicious ads that disguise it as legitimate applications.

On the aNotepad note-taking platform, the malware stores a base64-encoded .NET file for Windows, masquerading as an Adobe product. As aNotepad is a legitimate service, it does not trigger alarms from security solutions and is not included in block lists, enabling attackers to conceal the infection process more effectively.

When WogRAT is initially executed on a victim’s computer, it tends to go unnoticed by antivirus software because it lacks any overtly malicious functions. Instead, it contains an encrypted downloader for malicious code that is compiled and executed in real time. This downloader retrieves another malicious .NET binary from aNotepad, encoded in base64, leading to the loading of a DLL that constitutes the actual WogRAT malware.

WogRAT abuses note-taking services aNotepad

Once infected, WogRAT compiles a basic profile of the system and sends it to its command-and-control server, from which it receives further instructions. The malware has the capability to: execute specific commands, download files from designated URLs, upload specified files to the control server, pause for a predetermined period (in seconds), and terminate its operations.

The Linux variant of WogRAT, provided as an ELF file, shares many similarities with its Windows counterpart. However, it is differentiated by its use of Tiny Shell for network routing, enhanced encryption in communication with the command-and-control server, and the absence of aNotepad integration.

Tiny Shell is an open-source backdoor tool that enables communication and command execution on Linux systems. It is utilized by several hacking groups, including LightBasin, OldGremlin, UNC4540, and the operators of the Linux rootkit Syslogk.

A notable distinction between the versions is that the Linux variant does not use POST requests for command transmission. Instead, it employs a reverse shell established on a specified IP and port to relay commands.

0 / 5

Your page rank:


Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment