17 April 20, 11:24
Quote:A never-before-seen remote access trojan (RAT) has been discovered in a set of campaigns targeting the energy sector, with a slew of post-exploitation tools to log keystrokes, record footage from webcams and steal browser credentials.
Researchers called the malware “PoetRAT” due to various references to sonnets by English playwright William Shakespeare throughout the macros, which was embedded in malicious Word documents that were part of the campaign. Further analysis of the RAT and its distribution reveals a carefully planned, highly targeted campaign against public and the private Azerbaijan sectors as well as SCADA systems.
“We observed an actor using multiple tools and methodologies to carry out their full attack chain,” Warren Mercer, Paul Rascagneres and Vitor Ventura with Cisco Talos, in a Thursday analysis. “Talos identified multiple lure documents during this campaign which all made use of Visual Basic macros and then Python to carry out their attacks on victims. The adversaries’ targets are very specific and appear to be mostly Azerbaijan organizations in the public and private sectors, specifically ICS and SCADA systems in the energy industry.”
At this time, researchers told Threatpost they aren’t sure who is behind the malware, or how they are distributing it. However, given that the initial foothold is established via a malicious Word document, researchers guess that victims are tricked into downloading the document via email or a social media message.
Read more: https://threatpost.com/new-poetrat-hits-...ls/154876/