Wrath of God: WingOfGod Hits Windows and Linux users in Asia

The WogRAT backdoor exploits a popular online notepad to evade detection.

In recent months, a new malware called WogRAT has been actively spreading through cyberspace, targeting users of the Windows and Linux operating systems.

Researchers at AhnLab Security (ASEC) have discovered that WogRAT, so named because of the string "WingOfGod" ("wing of God") in the malicious code, has been active since the end of 2022 and mainly attacks users in Japan, Singapore, China, Hong Kong and other Asian countries.

Methods of distributing malware are still unknown, but executable files are often disguised as popular programs, which indicates the possible use of malvertising methods.

A feature of the latest wave of WogRAT distribution is the use of the online service aNotepad to store a base64-encoded binary file of the Windows version of the malware. This approach avoids suspicion from security tools and simplifies the infection process.

After running on an infected device, WogRAT downloads and executes an additional malicious binary file, also encoded in base64 on aNotepad, which ultimately leads to the activation of the backdoor of the same name.
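As an added illustration (not from the ASEC report or the post above), the check below shows how a defender can flag a fetched note whose body is nothing but base64 that decodes to a PE or ELF image, the staging trick this campaign relies on; the note contents and identifiers are constructed samples.

```python
import base64
import binascii
import re
from typing import Dict, Optional

# Magic bytes of the two executable formats staged as text in this campaign.
EXEC_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF (Linux)",
}

# A body that is one long base64 run (whitespace tolerated).
_B64_BODY = re.compile(rb"^[A-Za-z0-9+/=\s]+$")

def decode_if_base64(body: bytes) -> Optional[bytes]:
    """Return the decoded bytes if the whole body is valid base64, else None."""
    stripped = b"".join(body.split())
    if len(stripped) < 64 or not _B64_BODY.match(stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_note(body: bytes) -> Optional[str]:
    """Label a fetched note that decodes to a native executable, else None."""
    decoded = decode_if_base64(body)
    if decoded is None:
        return None
    for magic, label in EXEC_MAGIC.items():
        if decoded.startswith(magic):
            return label
    return None

# Constructed samples: two harmless notes and two fake images whose only
# "real" content is the DOS / ELF header magic followed by padding.
SAMPLE_NOTES = {
    "grocery-list": b"eggs\nmilk\nbread\n",
    "shared-config": base64.b64encode(b"[settings]\nverbose=true\n" * 8),
    "win-payload": base64.b64encode(b"MZ\x90\x00" + b"\x00" * 200),
    "nix-payload": base64.b64encode(b"\x7fELF\x02\x01\x01" + b"\x00" * 200),
}

def scan_notes(notes: Dict[str, bytes]) -> Dict[str, str]:
    """Return {note_id: format} for every note hiding an executable."""
    return {nid: lbl for nid, body in notes.items()
            if (lbl := classify_note(body)) is not None}

if __name__ == "__main__":
    for note_id, fmt in scan_notes(SAMPLE_NOTES).items():
        print(f"{note_id}: base64-encoded {fmt} executable")
```

In practice the same check runs on proxy or EDR-captured response bodies from paste-style services, where a plain-text site returning an executable is a strong signal on its own.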

The WogRAT backdoor supports executing commands, uploading and sending files, and can also perform other actions on command from the management server.

The Linux version of the malware is distinguished by the use of Tiny Shell for routing operations and additional encryption in communication with the management server. Attackers do not use the aNotepad service to infect Linux systems.

ASEC analysts said that a full list of WogRAT-related compromise indicators is available in their report.

The results of the study highlight the need for increased vigilance when downloading and installing software from the Internet, as well as the importance of using reliable cybersecurity tools to protect against such threats.