PoetRAT Resurfaces in Attacks in Azerbaijan Amid Escalating Conflict

PoetRAT Shakespeare

Spear-phishing attacks targeting VIPs and others show key malware changes and are likely linked to the current conflict with Armenia.

A new iteration of the PoetRAT spyware, sporting improvements to operational security, code efficiency and obfuscation, is making the rounds in Azerbaijan, targeting the public sector and other key organizations as the country’s conflict with Armenia over disputed territory intensifies.

Threat intelligence researchers have observed multiple new strikes using the malware that show a “change in the actor’s capabilities” and “maturity toward better operational security,” while maintaining the tactic of spear-phishing to lure users into downloading malicious documents, Cisco Talos researchers revealed in a blog post, published Tuesday.

Threatpost Webinar Promo Retail Security

Click to Register!

PoetRAT scurried onto the scene in April as a region-specific backdoor that acted as the tip of the spear for a greater espionage framework. In that case, the operator deployed additional post-exploitation tools on the targeted systems, including a tool, “dog.exe,” that monitors hard drive paths to exfiltrate the information via an email account or a File Transfer Protocol (FTP), depending on the configuration. Another tool, “Bewmac,” enables the attacker to record the victim’s camera. Researchers also came across other tools, including a keylogger, a browser credential stealer, an open-source framework for privilege escalation (WinPwnage) and an open-source pentesting and network scanning tool (Nmap).

This time around, the attacks use Microsoft Word documents alleged to be from the Azerbaijan government — complete with the National Emblem of Azerbaijan in the top corners — to install PoetRAT in two separate files on victims’ machines, according to researchers Warren Mercer, Paul Rascagneres and Vitor Ventura.

“These Word documents continue to contain malicious macros, which in turn download additional payloads once the attacker sets their sites on a particular victim,” they wrote. However, the malicious document included in the spear-phishing emails drops PoetRAT, with some notable changes to the malware, researchers said.

PoetRAT target

Differences between the previous and most recent campaigns include a change in the programming language used for the malware from Python to Lua script. In previous campaigns, a Python interpreter was installed along with the main payload. This change adds efficiency to the code and reduces the file size of the malware, researchers explained — even if in and of itself it retains a lack of complexity, as demonstrated in earlier campaigns, researchers noted.

“Previous versions of PoetRAT deployed a Python interpreter to execute the included source code, which resulted in a much larger file size compared to the latest version’s switch to Lua script,” they said. “The code is easy to parse — nothing advanced — but our analysis showed us that the campaigns are efficient.”

The latest campaign also features  some new tactics to evade detection, researchers noted. These include a new exfiltration protocol to hide attackers’ activities, as well as “additional obfuscation to avoid detection based on strings or signatures,” including a Base64 and an LZMA compression algorithm, researchers noted.

Developers also have improved the operational security (OpSec) by performing reconnaissance on compromised systems, and by changing the protocol used to download and upload files from FTP to HTTP, they said.

Victims and Conflict

Victims of the campaign include Azerbaijani VIPs and organizations in the public sector, with attackers demonstrating access to sensitive information, such as diplomatic passports belonging to some of the country’s citizens.

Cisco Talos researchers first discovered PoetRAT in April in attacks against energy companies in Azerbaijan that included post-exploitation tools to log keystrokes, record footage from webcams and steal browser credentials. The malware operators also targeted other victims in the public and private Azerbaijan sectors as well as SCADA systems.

Researchers believe the rising conflict between Azerbaijan and Armenia is most likely to blame for the new attacks, according to the post.

“As the geopolitical tensions grow in Azerbaijan with neighboring countries, this is no doubt a stage of espionage with national-security implications being deployed by a malicious actor with a specific interest in various Azerbajiani government departments,” they wrote.

The malware gets its name from various references to sonnets by English playwright William Shakespeare  that were included throughout the macros that are embedded in the malicious Word documents that were part of the initial campaign. The literature references found in the macros this time around—from the novel “The Brothers Karamazov” by Russian novelist Fyodor Dostoevsky –also may be a veiled reference to the current conflict. Both Azerbaijan and Armenia used to be a part of the former Soviet Union, and Russia has close ties with both countries, and is also a military ally of Armenia.

On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Suggested articles