PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors

By Warren Mercer, Paul Rascagneres and Vitor Ventura.

News summary


Azerbaijan government and energy sector likely targeted by an unknown actor.
From the energy sector, the actor demonstrates interest in SCADA systems related to wind turbines.
The actor uses Word documents to drop malware that allows remote control over the victims.
The new remote access trojan, dubbed PoetRAT, is written in Python and is split into multiple parts.
The actor collects files, passwords and even images from the webcam, using other tools that it deploys as needed.

Executive summary


Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling "PoetRAT." At this time, we do not believe this attack is associated with an already known threat actor. Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, so we believe the adversaries in this case want to target citizens of Azerbaijan, including private companies in the SCADA sector such as wind turbine systems. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operator. For exfiltration, it uses FTP, which denotes an intention to …
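The summary describes two host-level behaviours a defender can look for without any sample-specific indicator: a Microsoft Office process spawning a Python interpreter (the Word dropper deploying the Python RAT) and that interpreter opening an outbound FTP connection (the exfiltration channel). The following is an added example written for this page, not Talos tooling or PoetRAT code; the pipe-delimited event format, the host names and every log line are constructed, and the process and port lists are assumptions a real deployment would tune to its own telemetry.

```python
"""Correlate Office-spawned Python with outbound FTP, per host.

Added example (not Talos code). Event format is constructed:
  proc|<host>|<parent image>|<child image>|<command line>
  net|<host>|<image>|<destination port>|<direction>
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Assumed lists; extend to match the Office and Python images in your fleet.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
FTP_CONTROL_PORT = 21  # only the control channel; passive data ports vary


@dataclass
class HostFindings:
    office_spawned_python: List[str] = field(default_factory=list)
    python_ftp_outbound: List[str] = field(default_factory=list)

    def severity(self) -> str:
        """Both behaviours on one host is the pattern the summary describes."""
        if self.office_spawned_python and self.python_ftp_outbound:
            return "high"
        if self.office_spawned_python or self.python_ftp_outbound:
            return "medium"
        return "none"


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed event line; return None for malformed input."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 5:
        return None
    kind, host = fields[0], fields[1]
    if kind == "proc":
        return {"kind": kind, "host": host, "parent": fields[2].lower(),
                "image": fields[3].lower(), "cmdline": fields[4]}
    if kind == "net":
        try:
            port = int(fields[3])
        except ValueError:
            return None
        return {"kind": kind, "host": host, "image": fields[2].lower(),
                "dst_port": port, "direction": fields[4].lower()}
    return None


def analyze(lines: Iterable[str]) -> Dict[str, HostFindings]:
    """Walk the events once and collect per-host findings."""
    findings: Dict[str, HostFindings] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hf = findings.setdefault(ev["host"], HostFindings())
        if (ev["kind"] == "proc" and ev["parent"] in OFFICE_PARENTS
                and ev["image"] in PYTHON_IMAGES):
            hf.office_spawned_python.append(ev["cmdline"])
        elif (ev["kind"] == "net" and ev["image"] in PYTHON_IMAGES
                and ev["dst_port"] == FTP_CONTROL_PORT
                and ev["direction"] == "outbound"):
            hf.python_ftp_outbound.append(f"{ev['image']} -> tcp/{ev['dst_port']}")
    return findings


# Constructed sample telemetry: WS-01 shows both behaviours, WS-02 is a
# developer running Python from Explorer, WS-03 is Word spawning a print helper.
SAMPLE_LOG = [
    r"proc|WS-01|winword.exe|python.exe|python.exe C:\Users\alice\AppData\Local\Temp\launcher.py",
    r"net|WS-01|python.exe|21|outbound",
    r"proc|WS-02|explorer.exe|python.exe|python.exe C:\dev\build.py",
    r"net|WS-02|python.exe|443|outbound",
    r"proc|WS-03|winword.exe|splwow64.exe|splwow64.exe 12288",
    r"garbage line that should be ignored",
]

if __name__ == "__main__":
    for host, hf in sorted(analyze(SAMPLE_LOG).items()):
        print(host, hf.severity(), hf.office_spawned_python, hf.python_ftp_outbound)
```

The correlation is deliberately conservative: either behaviour alone is common enough on developer or printing workstations to produce noise, so the "high" rating is reserved for a host that shows both. The FTP check only watches the control port, so a deployment that wants to catch the data channel needs flow telemetry rather than a fixed port list.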