One Article Review

Home - The article:
Source Fortinet ThreatSignal
Identifier 6127488
Publication date 2022-08-04 10:03:24 (viewed: 2022-08-04 18:05:35)
Title Meet Woody the New Remote Access Trojan
Text FortiGuard Labs is aware of a report that a new Remote Access Trojan (RAT) called "Woody" has been lurking in the wild for the past year. Reported initial infection vectors include email attachments as well as Microsoft Word documents that leverage the recently patched Follina vulnerability (CVE-2022-30190). Once a victim is infected, Woody RAT collects and sends specific information to its Command-and-Control (C2) server and performs various activities based on the remote commands it receives.

Why is this Significant?
This is significant because Woody RAT reportedly was used in real-world attacks over the past year, yet the malware came to light only recently. Initial infection vectors include leveraging the infamous Follina vulnerability (CVE-2022-30190), for which a patch was released in June 2022 and which has been used in various attacks.

What is Woody RAT?
Woody is a Remote Access Trojan (RAT) that performs activities according to the remote commands it receives from its C2 server. Reported initial infection vectors include email attachments and Microsoft Word documents that leverage the Follina vulnerability (CVE-2022-30190). In the former case, the email attachments are ZIP files containing a Woody RAT executable file, which victims need to run manually to start the infection process. In the latter case, victims receive weaponized Microsoft Word files which abuse the MSDT URI scheme to download and run Woody RAT. For reference, FortiGuard Labs previously released an Outbreak Alert and Threat Signal on CVE-2022-30190. See the Appendix for links to "MSDT Follina" and "Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited in The Wild".

Once Woody RAT compromises a victim's machine, it collects information such as the OS, computer name and installed anti-virus solutions and sends the data to its C2 server. The RAT is capable of performing various activities on a compromised machine, including uploading and downloading files, listing directories and capturing screenshots upon receiving remote commands.

Has the Vendor Released a Patch for the Follina vulnerability (CVE-2022-30190) Used by Woody RAT?
Yes. Microsoft released a patch as part of the regular June 2022 Patch Tuesday release.

What is the Status of Coverage?
FortiGuard Labs detects known Woody RAT and associated samples with the following AV signatures:
W32/WoodyRAT.A!tr
MSOffice/Agent.AAP!tr
W64/Agent.OS!tr
W64/Reflo.WD!tr
Malicious_Behavior.SB
PossibleThreat.PALLAS.H
W32/PossibleThreat

In relation to CVE-2022-30190, the following signature will detect the retrieval of remote HTML files that contain the MSDT command:
MS.Office.MSHTML.Remote.Code.Execution

All network IOCs associated with this attack are blocked by the WebFiltering client.
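The Follina delivery path described above (a Word document whose external relationship fetches remote HTML carrying the MSDT URI scheme) can be triaged host-side before any network signature fires. The following is an added example, not Fortinet's code or signature logic: it opens a .docx as the ZIP container it is, lists external relationships declared in word/_rels/document.xml.rels, flags an OLE object that points at an http(s) URL, and applies the same "HTML contains ms-msdt:" check to fetched content. The fixture document and the URL in it are constructed placeholders.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# The string the network-side signature looks for in retrieved HTML.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_targets(docx_bytes: bytes) -> list:
    """Return (relationship type, target) pairs for every External relationship
    declared in the main document part of a .docx (a ZIP container)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/document.xml.rels" not in z.namelist():
            return found
        root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("TargetMode", "").lower() == "external":
                found.append((rel.get("Type", ""), rel.get("Target", "")))
    return found


def is_suspicious_docx(docx_bytes: bytes) -> bool:
    """Flag a document whose OLE object relationship resolves to a remote URL,
    the shape of the weaponized Word files the advisory describes."""
    return any(rtype == OLE_REL and target.lower().startswith(("http://", "https://"))
               for rtype, target in external_targets(docx_bytes))


def html_contains_msdt(html: str) -> bool:
    """Host-side mirror of the network check: remote HTML carrying the MSDT scheme."""
    return MSDT_URI.search(html) is not None


def build_sample_docx(target: str) -> bytes:
    """Constructed fixture: a minimal .docx with one external oleObject relationship."""
    rels = (f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")  # body content is irrelevant here
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

A benign document with only local (Internal) relationships, or an external hyperlink that is not an OLE object, is not flagged, which keeps the check narrow enough to run over a mail gateway's attachment queue.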
Sent Yes
Tags Malware Vulnerability Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.