WogRAT Malware Targets Windows and Linux Systems Through Exploited Notepad Service

Malware Attack

Security analysts at ASEC have recently uncovered a concerning trend where threat actors are utilizing a new strain of malware, dubbed WogRAT, to exploit the Notepad service and target both Windows and Linux systems. This exploitation of the widely-used Notepad application presents a serious threat as it allows attackers to leverage system resources and user privileges to gain unauthorized access and execute malicious code.

WogRAT, named for the "WingOfGod" string used by its creators, is a multi-platform threat that has been active since late 2022. The malware is designed to masquerade as legitimate utilities, such as "flashsetup_LL3gjJ7.exe" or "BrowserFixup.exe," to deceive victims on Windows systems. While Linux attacks have yet to be confirmed, data from VirusTotal indicates that countries like Hong Kong, Singapore, China, and Japan are primary targets for this sophisticated malware campaign.

In dissecting a Windows WogRAT sample, security researchers discovered that the malware utilizes a .NET-based Chrome utility guise to conceal an encrypted downloader. Upon execution, the malware self-compiles and loads a DLL to retrieve and decode strings from a notepad, an online notepad service, revealing an obfuscated .NET binary payload.

The commands received from the command-and-control (C&C) server include instructions for tasks like file uploads to designated locations. Additionally, AhnLab has identified a Linux variant of WogRAT with similar C&C infrastructure, although its initial vector remains unclear. This Linux variant behaves similarly to its Windows counterpart, disguising itself under the name "[kblockd]" and collecting system metadata for exfiltration.

While the Windows version of WogRAT incorporates routines and mechanisms from open-source malware like Tiny SHell, the Linux variant fetches a reverse shell address from the C&C server for receiving instructions. This suggests that threat actors behind WogRAT have established a Tiny SHell server infrastructure for managing their malicious operations.

Given the severity of this threat, researchers emphasize the importance of exercising caution when downloading executables and obtaining programs from official sources. They also recommend keeping security software up to date to mitigate the risk of infection. Perimeter81 offers malware protection services that can effectively block various types of malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, safeguarding networks from potential damage and disruption.