Malware authors increasingly use legitimate online services to host their payloads, and the campaign described below abuses aNotepad, a free online notepad service whose notes can be retrieved by URL. Staging an encoded payload on such a service costs the attacker nothing and blends the download into ordinary web traffic.
A request to a well-known, widely used site draws far less suspicion from users and network defenders than a connection to an attacker-owned server, and the payload never has to be served from a domain that could be blocklisted.
Recently, analysts at AhnLab's ASEC reported that threat actors are distributing a new backdoor, WogRAT, that uses the aNotepad service to stage its payload for both Windows and Linux systems.
Technical analysis
AhnLab's team uncovered a backdoor whose payload is hosted on aNotepad, an online notepad service. The malicious code targets Windows (PE format) and Linux (ELF format) systems.
The malware is dubbed "WogRAT" after the "WingOfGod" string its creators used, and because it runs on both platforms it poses a broader risk than a single-OS threat.
aNotepad platform (Source – ASEC)
WogRAT has been active since late 2022. On Windows it masquerades as utilities with names such as "flashsetup_LL3gjJ7.exe" or "BrowserFixup.exe" to lure victims into running it.
Attacks on Linux hosts have not been confirmed, but VirusTotal submissions suggest that Asian countries such as Hong Kong, Singapore, China, and Japan are the primary targets of the campaign.
Dissecting a Windows WogRAT sample distributed under an Adobe-themed name, the researchers found a .NET binary posing as a Chrome utility that carries an encrypted downloader.
Encrypted source code (Source – ASEC)
On execution it decrypts and compiles that embedded source code, loads the result as a DLL, and uses it to fetch a Base64-encoded string from aNotepad; decoding the string yields an obfuscated .NET binary, the WogRAT backdoor, hosted on the notepad service.
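As an added illustration of the staging pattern just described (example code, not from ASEC's report), the following Python looks through proxy log lines for large responses from the notepad service and classifies a fetched note body by Base64-decoding it and inspecting the executable magic bytes. The hostname anotepad.com is the service the page names; the log format, every URL path, and the note bodies are constructed for the example, and the "BSJB" check is the standard CLR metadata signature found in .NET assemblies.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Online notepad service named in the report. The paths WogRAT actually
# requests are not given on the page, so every URL below is constructed.
NOTEPAD_HOST = "anotepad.com"

# Constructed proxy log lines (not captured traffic):
# "<client> <method> <url> <status> <response-bytes>"
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET https://www.microsoft.com/en-us/ 200 41233
10.0.0.7 GET https://anotepad.com/notes/abc123 200 512000
10.0.0.9 GET https://example.org/index.html 200 1200
10.0.0.7 GET https://sub.anotepad.com/note/read/xyz 200 498000
10.0.0.8 GET https://anotepad.com/ 200 2300
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<size>\d+)$"
)


def find_notepad_fetches(log_text: str, min_size: int = 100_000) -> List[Tuple[str, str, int]]:
    """Return (client, url, size) for responses from the notepad service that are
    large enough to plausibly carry a Base64-encoded executable. Small responses,
    such as the site's landing page, are left alone to keep the noise down."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (urlparse(m["url"]).hostname or "").lower()
        size = int(m["size"])
        if (host == NOTEPAD_HOST or host.endswith("." + NOTEPAD_HOST)) and size >= min_size:
            hits.append((m["client"], m["url"], size))
    return hits


def classify_payload(note_text: str) -> Optional[str]:
    """Base64-decode the body of a fetched note and identify it by magic bytes:
    'PE' (Windows), 'PE/.NET' (a PE that carries CLR metadata, whose root
    starts with the 'BSJB' signature) or 'ELF' (Linux). None for anything else,
    including bodies that are not valid Base64."""
    compact = "".join(note_text.split())  # notes may wrap the blob across lines
    try:
        data = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if data.startswith(b"MZ"):
        return "PE/.NET" if b"BSJB" in data else "PE"
    return None


# Constructed note bodies, not real WogRAT payloads: a stub with a PE header and
# a CLR metadata signature, an ELF stub, and an ordinary text note.
FAKE_DOTNET_NOTE = base64.b64encode(b"MZ" + b"\x00" * 62 + b"BSJB" + b"\x00" * 16).decode()
FAKE_ELF_NOTE = base64.b64encode(b"\x7fELF\x02\x01\x01" + b"\x00" * 9).decode()
PLAIN_NOTE = base64.b64encode(b"grocery list: eggs, milk").decode()

if __name__ == "__main__":
    for client, url, size in find_notepad_fetches(SAMPLE_PROXY_LOG):
        print(f"large notepad fetch: {client} -> {url} ({size} bytes)")
    for name, body in [("dotnet", FAKE_DOTNET_NOTE), ("elf", FAKE_ELF_NOTE), ("plain", PLAIN_NOTE)]:
        print(name, classify_payload(body))
```

The size threshold is a tuning knob: a note holding a Base64-encoded .NET backdoor is far larger than anything a person types into a notepad, so sizing alone separates staged binaries from legitimate use of the site, and the magic-byte check confirms what was fetched once the body is available from a proxy cache or packet capture.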
The backdoor then polls the C&C server for commands. Each command carries a type, a task ID and associated data; an "upldr" task, for example, reads a file such as "C:\malware.exe" and uploads it to the server over FTP.
The analyzed sample points at a test URL with no upload support, so this exfiltration path could not be exercised, but other WogRAT variants likely make use of it.
Although WogRAT's initial infection vector is unclear, AhnLab also identified a Linux variant that uses the same C&C infrastructure as the Windows version.
Like Rekoobe, this strain borrows routines from the open-source Tiny SHell backdoor. When it runs it renames itself "[kblockd]" to blend in with kernel threads, collects basic system information for exfiltration, and otherwise behaves just as the Windows version does.
The Linux payload lacks the download feature but encrypts its C&C traffic. Rather than receiving commands directly, it retrieves a reverse-shell address from the C&C server and connects there to take instructions.
Because WogRAT reuses Tiny SHell's routines and C&C mechanism, including AES-128 encryption with HMAC-SHA1 integrity checks and an unmodified 0x10-byte verification step, the threat actor most likely also operates a Tiny SHell server.
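A hunting check for the "[kblockd]" disguise, added here as an example and not taken from the report: on Linux, genuine kernel threads have an empty /proc/<pid>/cmdline, no /proc/<pid>/exe link, and are children of kthreadd (PID 2), so a process that shows a bracketed name in ps but fails any of those tests is a userland program pretending to be one. The Proc records in SAMPLE_PROCS are constructed for the example; read_live_procs() walks a real /proc when the script runs on a Linux host.

```python
import os
import sys
from dataclasses import dataclass
from typing import Iterable, Iterator, List


@dataclass
class Proc:
    pid: int
    ppid: int
    state: str       # single-letter state from /proc/<pid>/stat ("Z" = zombie)
    comm: str        # /proc/<pid>/comm, the name the kernel tracks
    cmdline: bytes   # raw /proc/<pid>/cmdline; empty for kernel threads
    has_exe: bool    # True if /proc/<pid>/exe resolves; kernel threads have no backing binary


def display_name(p: Proc) -> str:
    """Reproduce what `ps` shows: argv[0] when a cmdline exists, otherwise the
    comm field wrapped in brackets, which is how kernel threads appear."""
    if p.cmdline:
        return p.cmdline.split(b"\0")[0].decode(errors="replace")
    return f"[{p.comm}]"


def _bracketed(name: str) -> bool:
    return len(name) > 2 and name[0] == "[" and name[-1] == "]"


def is_masquerading_kernel_thread(p: Proc) -> bool:
    """Flag a process that looks like a kernel thread by name but is not one.
    Zombies also show as "[name]" with no cmdline, so they are skipped."""
    if p.state == "Z":
        return False
    if not (_bracketed(display_name(p)) or _bracketed(p.comm)):
        return False
    genuine = (not p.cmdline) and (not p.has_exe) and (p.ppid == 2 or p.pid == 2)
    return not genuine


def find_masqueraders(procs: Iterable[Proc]) -> List[Proc]:
    return [p for p in procs if is_masquerading_kernel_thread(p)]


def read_live_procs() -> Iterator[Proc]:
    """Walk /proc on a Linux host. Reading another user's exe link can fail with
    EPERM, which is why cmdline and parent PID are checked as well."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().rstrip("\n")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read()
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # comm in stat is parenthesised and may contain spaces, so split after ")"
            fields = stat.rsplit(")", 1)[1].split()
            state, ppid = fields[0], int(fields[1])
        except OSError:
            continue  # process exited while we were reading it
        try:
            os.readlink(f"/proc/{pid}/exe")
            has_exe = True
        except OSError:
            has_exe = False
        yield Proc(pid, ppid, state, comm, cmdline, has_exe)


# Constructed process table (not a real capture): kthreadd, a genuine kblockd
# kernel thread, a normal daemon, and a userland process that renamed itself
# "[kblockd]" the way the page describes WogRAT doing.
SAMPLE_PROCS = [
    Proc(pid=2, ppid=0, state="S", comm="kthreadd", cmdline=b"", has_exe=False),
    Proc(pid=13, ppid=2, state="I", comm="kblockd", cmdline=b"", has_exe=False),
    Proc(pid=812, ppid=1, state="S", comm="sshd", cmdline=b"/usr/sbin/sshd\0-D\0", has_exe=True),
    Proc(pid=4471, ppid=4402, state="S", comm="[kblockd]", cmdline=b"[kblockd]\0", has_exe=True),
]

if __name__ == "__main__":
    source = read_live_procs() if sys.platform.startswith("linux") else SAMPLE_PROCS
    for p in find_masqueraders(source):
        print(f"suspicious: pid={p.pid} ppid={p.ppid} shown as {display_name(p)!r} comm={p.comm!r}")
```

The check deliberately requires all three properties for a process to be accepted as a real kernel thread; a disguise that overwrites argv[0] still leaves the exe link and a non-kthreadd parent behind, and one that only changes comm still leaves a cmdline.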
AhnLab's findings show WogRAT being used against both Windows and Linux, with the Windows lures dressed up as ordinary utilities so that victims download and run them.
The researchers recommend not running executables from untrusted sources, obtaining software only from official channels, and keeping AhnLab's V3 product up to date to block infections.