Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

PoetRAT Trojan targets energy sector using coronavirus lures

Wind turbine operators are the focus of a new data-stealing campaign.


Government and energy sectors are being targeted in a new campaign that weaponizes the coronavirus outbreak. 

On Thursday, Cisco Talos researchers Warren Mercer, Paul Rascagneres and Vitor Ventura published an analysis of a new campaign that deploys PoetRAT, a previously undiscovered Remote Access Trojan (RAT) striking both the Azerbaijan government and utility companies. 

According to the team, the malware attacks supervisory control and data acquisition (SCADA) systems, commonly used to manage energy networks and manufacturing systems. 

In this case, the threat actors behind the campaign, whose identities are currently unknown, appear to be interested in ICS and SCADA systems relating to wind turbines within the renewable energy sector. 

Talos says that intended victims receive phishing emails with malicious Microsoft Word documents attached. Three separate phishing attempts have been spotted, including a document labeled "C19.docx," likely a reference to the COVID-19 pandemic, as well as content claiming to come from departments of the Azerbaijan government and India's Ministry of Defense. 

"We believe the adversaries, in this case, want to target citizens of the country Azerbaijan, including private companies in the SCADA sector like wind turbine systems," the researchers say.

If the document is opened and its malicious macros are enabled, a dropper deploys PoetRAT, so named because of references in its code to playwright William Shakespeare. 


Rather than being loaded directly as an executable, the malware is written to disk as an archive named "smile.zip." The .zip file contains a Python script and interpreter and the Word macro will check for a sandbox environment -- making the assumption that sandbox hard drives will be smaller than 62GB -- before extraction. If a sandbox environment is detected, the malware is overwritten and deleted. 
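The disk-size heuristic described above is worth turning around from the defender's side: an analysis VM whose disk is nominally "64 GB" may still fall under a 62 threshold depending on whether the check counts decimal gigabytes or binary gibibytes. The following is an added example, not Talos's code or the malware's, that audits a constructed VM inventory against both interpretations of the threshold so sandbox operators can size disks safely.

```python
"""Sandbox-hardening audit for the PoetRAT disk-size check (added example)."""
import shutil

THRESHOLD_GB = 62  # figure reported by Talos for the macro's sandbox check


def looks_like_sandbox(total_bytes: int, threshold: int = THRESHOLD_GB,
                       decimal: bool = True) -> bool:
    """Emulate the heuristic: True if the disk is smaller than the threshold.

    `decimal` selects 10**9-byte gigabytes; False selects 2**30-byte gibibytes.
    The macro's exact unit is not stated in the report, so both are modelled.
    """
    unit = 10 ** 9 if decimal else 2 ** 30
    return total_bytes / unit < threshold


def classify_disk(total_bytes: int) -> dict:
    """Report the disk size in both units and whether each interpretation flags it."""
    return {
        "decimal_gb": round(total_bytes / 10 ** 9, 1),
        "binary_gib": round(total_bytes / 2 ** 30, 1),
        "flagged_decimal": looks_like_sandbox(total_bytes, decimal=True),
        "flagged_binary": looks_like_sandbox(total_bytes, decimal=False),
    }


def audit_inventory(inventory: dict) -> list:
    """Return the names of VMs that would be flagged under EITHER unit interpretation.

    A VM is only safe for detonating this sample if it passes both readings.
    """
    flagged = []
    for name, total_bytes in inventory.items():
        info = classify_disk(total_bytes)
        if info["flagged_decimal"] or info["flagged_binary"]:
            flagged.append(name)
    return flagged


# Constructed inventory (hypothetical VM names and sizes, not from the report).
SAMPLE_INVENTORY = {
    "analysis-vm-01": 40 * 10 ** 9,   # 40 GB: flagged under both readings
    "analysis-vm-02": 64 * 10 ** 9,   # 64 GB decimal = 59.6 GiB: flagged only as GiB
    "analysis-vm-03": 120 * 10 ** 9,  # 120 GB: passes both readings
}


def local_host_report(path: str = "/") -> dict:
    """Classify the disk this script is running on (for checking a real VM)."""
    return classify_disk(shutil.disk_usage(path).total)


if __name__ == "__main__":
    print("VMs that would be fingerprinted as sandboxes:", audit_inventory(SAMPLE_INVENTORY))
    print("This host:", local_host_report())
```

The practical takeaway is that "vm-02" passes a decimal reading but fails a binary one, so provisioning comfortably above the threshold in both units removes the ambiguity.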

Written in Python, the Trojan is made up of two main scripts. The first, "frown.py," is used to communicate with the malware's command-and-control (C2) server. TLS encryption is used to send information from an infected machine to the Trojan's operators. 

The second script, "smile.py," executes a range of other commands, such as directory listing, exfiltrating PC information, taking screenshots, copying, moving, and archiving content, uploading stolen files, and killing, clearing, or terminating processes. It is also possible for PoetRAT to seize control of webcams and steal passwords.


An interesting tool noticed by the researchers is dog.exe, a .NET malware module that monitors hard drive paths and automatically exfiltrates data via either an email account or FTP.

To maintain persistence, the malware creates registry keys, and it may also modify the registry so that its own sandbox check is skipped on hosts that are already infected. 

"This could be used for hosts already infected to ensure they do not re-check this environment," Talos says. 


In addition to the main Trojan attack wave, the team also found a phishing website hosted on the same infrastructure that mimics the webmail system of the Azerbaijan government.

"The actor monitored specific directories, signaling they wanted to exfiltrate certain information on the victims," Talos says. "Based on our research, the adversaries may have wanted to obtain important credentials from officials in Azerbaijan's government. The attacker wanted not only specific information obtained from the victims but also a full cache of information relating to their victim."
