Threat Analysis Unit - Threat Intelligence Notification
Title: WogRAT
Summary
WogRAT, also known as ‘WingOfGod’, is a backdoor malware that could collect sensitive information, install additional malicious payloads or execute commands on the compromised machines. WogRAT may masquerade as legitimate software and be distributed via spear-phishing, malvertising and many any other malicious techniques.
Behavioral Summary
The WogRAT downloader is a .NET binary and usually would masquerade as a legitimate software, however, it actually contains Base64-encoded code to execute additional malicious payloads. It utilizes a free online notepad platform ‘aNotepad’ to store the WogRAT backdoor binary source code. Upon execution of the downloader, it would compile the source code and load the WogRAT DLL binary.
It could also create a shortcut file and store in the Startup folder as persistence, for example:
c:\users\{name}\appdata\roaming\microsoft\windows\start menu\programs\startup\timerstartup.lnk
The shortcut file contains a PowerShell command to load the malicious payload:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" start-process -window hidden -filepath C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\{name}\AppData\Local\ms.tmp
The WogRAT DLL binary would collect system information like the computer name and username to send to the C&C Server. In addition, it could also receive commands to perform malicious task such as upload and download files.
Figure 1: Snippet of WogRAT code
Customer Protection
VMware Carbon Black Cloud Endpoint Standard
The recommended policy for Endpoint Standard at a minimum is to block all types of malwares from executing (Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit from Carbon Black’s PSC reputation service. The PSC Threat feeds will detect the known hashes for this malware.
Sensors running with version 3.8 or greater will have Core Prevention rules to alert or block TTPs that are often used by threat actors such as Advanced Scripting Prevention, Credential Theft, Privilege Escalation protection.
Otherwise, Endpoint Standard could alert on this malware with the following rules.
| Unknown application or process |
Invokes an untrusted process
Invokes a command interpreter
Communicates over the network |
Terminate process |
VMware Carbon Black App Control
The most effective way of blocking this malware is by running App Control in High or Medium enforcement. Other than that, customers in low enforcement can enable the following Rapid Config as additional layer of protection to prevent and alert on malware that executes during different phase of attacks:
- Browser Protection
- Microsoft Office Protection
- PowerShell Protection
- Ransomware Protection
- Reconnaissance and Exfiltration Protection
- Suspicious Command Line Protection
- Suspicious Application Protection
- WMI Protection
Implementation: As always, our best-practice recommendation is to create all custom rules in “Report” mode first, assess for false positives, and create any higher ranking execute allow rules to prevent legitimate blocks. After confirming no false positives in your environment, you can then change to Block.
Customer Action: Ban known hashes from the IOC in environment
VMware Carbon Black EDR and Cloud Enterprise EDR
The PSC Threat Feeds will detect the known hashes for this malware. Customers can ban known hashes as well, which are located in the IOC section of this report. Many existing queries that are located in the MITRE ATT&CK, SANS, CB Endpoint Visibility, and CB Advanced Threat feeds will also alert on characteristics associated with these families.
| Execution - PowerShell Downgrade Attack Detected |
VMware Carbon Black EDR:
(modload:windows\assembly\nativeimages_v*_32\*\*\system.management.automation.ni.dll or modload:windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\*\System.Management.Automation.dll) and parent_name:powershell.exe and childproc_name:csc.exe and -(cmdline:windows\ccmcache or domain:chocolatey.org)
Cloud Enterprise EDR:
((modload_name:windows\\assembly\\nativeimages_v*_32\\*\\*\\system.management.automation.ni.dll OR modload_name:windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\*\\System.Management.Automation.dll) AND parent_name:powershell.exe AND childproc_name:csc.exe AND -(process_cmdline:windows\\ccmcache OR netconn_domain:chocolatey.org)) -enriched:true
|
| Persistence - AMSI - Windows Service Creation from User Locations |
Cloud Enterprise EDR:
(scriptload_content:New-Service OR fileless_scriptload_cmdline:New-Service) AND ((scriptload_content:\\users\\ OR fileless_scriptload_cmdline:\\users\\) OR (scriptload_content:\\ProgramData\\ OR fileless_scriptload_cmdline:\\ProgramData\\) OR (scriptload_content:\\Temp\\ OR fileless_scriptload_cmdline:\\Temp\\)) AND -(scriptload_content:"ConfigPaths for WindowsService" OR fileless_scriptload_cmdline:"ConfigPaths for WindowsService") |
| Execution - PowerShell Execution via Module Load Detected |
VMware Carbon Black EDR:
(modload:system.management.automation*.dll -process_name:powershell.exe -process_name:mscorsvw.exe -process_name:parity.exe -process_name:repmgr*.exe -process_name:swjobengineworker2.exe -process_name:monitoringhost.exe -process_name:sdiagnhost.exe)
Cloud Enterprise EDR:
((modload_name:system.management.automation*.dll -process_name:powershell.exe -process_name:mscorsvw.exe -process_name:parity.exe -process_name:repmgr*.exe -process_name:swjobengineworker2.exe -process_name:monitoringhost.exe -process_name:sdiagnhost.exe)) -enriched:true
|
| Persistence - Shortcut modification in Windows Start Menu Startup |
VMware Carbon Black EDR:
(filemod:appdata\roaming\microsoft\windows\start\ menu\programs\startup*lnk)
Cloud Enterprise EDR:
((filemod_name:appdata\\roaming\\microsoft\\windows\\start\ menu\\programs\\startup*lnk)) -enriched:true |
Implementation: As always, our best practice recommendation is to tune for any false positives before creating new watchlists.
Customer Action: Test and Deploy Watchlist and ban known hash values. For any hits, investigate the file modifications, network connections, cross process injection(s) and child processes.
MITRE ATT&CK TIDs
| T1204 |
Execution |
User Execution |
| T1059 |
Execution |
Command and Scripting Interpreter |
| T1047 |
Execution |
Windows Management Instrumentation |
| T1055 |
Privilege Escalation |
Process Injection |
| T1547.001 |
Persistence, Privilege Escalation |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| T1562.001 |
Defense Evasion |
Impair Defenses: Disable or Modify Tools |
| T1027 |
Defense Evasion |
Obfuscated Files or Information |
| T1036 |
Defense Evasion |
Masquerading |
| T1564.003 |
Defense Evasion |
Hide Artifacts: Hidden Window |
| T1070.004 |
Defense Evasion |
Indicator Removal: File Deletion |
| T1112 |
Defense Evasion |
Modify Registry |
| T1057 |
Discovery |
Process Discovery |
| T1082 |
Discovery |
System Information Discovery |
| T1083 |
Discovery |
File and Directory Discovery |
| T1016 |
Discovery |
System Network Configuration Discovery |
| T1041 |
Exfiltration |
Exfiltration Over C2 Channel |
Indicators of Compromise (IOCs)
| 2032e976f4b44723895de17d7ed797d1464e93ac8afeb6ec069871518d01ca02 |
SHA256 |
WogRAT Downloader |
| 98db00ede0e4678737fb911797fd7546adc2ca4b9191094fb6ea1f6fbab6f6fb |
SHA256 |
WogRAT Downloader |
| dadd2343e83e9ca3c663a2528b51b7eb0bb49c4993a0f2eceebca8d9b90c52b5 |
SHA256 |
WogRAT Downloader |
| ddeb40709841f3084a2b601db51285548cfe276f91bffca43dedfc0e5c791bde |
SHA256 |
WogRAT Downloader |
| 9d67758c488ba611a7cfc13cb7f24e975d7075f43d0abdfaab89048db8a8c874 |
SHA256 |
WogRAT Downloader |
| 0745f0421c06ac435c89a7a9f1831b9423e3af4be52eeb1153985a6daeaf66c2 |
SHA256 |
WogRAT Downloader |
| 685636f918689b63f3a6ede86c29dc70d12a16c48f9396cd7446d4022063bf00 |
SHA256 |
WogRAT Malware |
| 883010b1a483fd3a3c698a573762db4030f1ea98b1fbfa7b208bab74310ace39 |
SHA256 |
WogRAT Malware |
| d3d4cfe7bc2213f7e971e8757f8fa977a6dea34b1d88cf3184879e6dbb048b78 |
SHA256 |
WogRAT Malware |
| f4843dc18a14b8953d1c56d42780eac89f0252f6 |
SHA1 |
WogRAT Downloader |
| 5e3ec55c3b8c39a2b1cd0d39e0188a35322be814 |
SHA1 |
WogRAT Downloader |
| 4682541e06890d7271d1c26d1d4579094e50b067 |
SHA1 |
WogRAT Downloader |
| 664ec660a8c553dec11325c04fa012d569a2335e |
SHA1 |
WogRAT Downloader |
| e0ed04cf515db82c826c3651db59e13c375b068c |
SHA1 |
WogRAT Downloader |
| 2de711c5adc3b445649109dd5db1c765092e56af |
SHA1 |
WogRAT Downloader |
| 0dafc7f7a92951ad5b7f650b01b8d5ef03f18ae7 |
SHA1 |
WogRAT Malware |
| fc52025afc9a69d056e47250198b99100ef0de8d |
SHA1 |
WogRAT Malware |
| 2cf68fe9d6f1e23a219ebd277e49f4b2717a9afd |
SHA1 |
WogRAT Malware |
| 5769d2f0209708b4df05aec89e841f31 |
MD5 |
WogRAT Downloader |
| 655b3449574550e073e93ba694981ef4 |
MD5 |
WogRAT Downloader |
| 929b8f0bdbb2a061e4cf2ce03d0bbc4c |
MD5 |
WogRAT Downloader |
| da3588a9bd8f4b81c9ab6a46e9cddedd |
MD5 |
WogRAT Downloader |
| fff21684df37fa7203ebe3116e5301c1 |
MD5 |
WogRAT Downloader |
| e9ac99f98e8fbd69794a9f3c5afdcb52 |
MD5 |
WogRAT Downloader |
| 290789ea9d99813a07294ac848f808c9 |
MD5 |
WogRAT Malware |
| 3669959fdb0f83239dba1a2068ba25b3 |
MD5 |
WogRAT Malware |
| 1341e507f31fb247c07beeb14f583f4f |
MD5 |
WogRAT Malware |
About TAU-TIN
TAU-TIN (Threat Analysis Unit - Threat Intelligence Notification) is a report by Carbon Black's TAU (Threat Analysis Unit) to help customers detect and prevent emerging threats.
To receive future notifications, navigate to the TAU-TIN label on UeX and then click Subscribe.
Attachment(s): 29639_iocs.csv#TAU-TIN