Threat Signal Report

Meet Woody the New Remote Access Trojan

Description

FortiGuard Labs is aware of a report that a new Remote Access Trojan (RAT) called "Woody" has been lurking in the wild for the past year. Reported initial infection vectors include email attachments as well as Microsoft Word documents that leverage the recently patched Follina vulnerability (CVE-2022-30190).


Once a victim is infected, Woody RAT collects and sends specific information to its Command-and-Control (C2) server and performs various activities based on the remote commands it receives.


Why is this Significant?

This is significant because Woody RAT was reportedly used in real-world attacks over the past year, yet the malware came to light only recently. Its initial infection vectors include the infamous Follina vulnerability (CVE-2022-30190), for which a patch was released in June 2022 and which has been used in various attacks.


What is Woody RAT?

Woody is a Remote Access Trojan (RAT) that performs activities according to the remote commands it receives from its C2 server.


Reported initial infection vectors include email attachments and Microsoft Word documents that leverage the Follina vulnerability (CVE-2022-30190). In the former case, the email attachments are ZIP files containing a Woody RAT executable, which victims need to run manually to start the infection process. In the latter case, victims receive weaponized Microsoft Word files that abuse the MSDT URI scheme to download and run Woody RAT.
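The two initial-infection vectors above each leave a simple artifact a defender can check for: a ZIP attachment that carries a Windows executable, and an Office process launching the MSDT tool with an ms-msdt: URI on its command line. The following script, added here as an illustration and not taken from the FortiGuard report or any vendor tool, implements both checks over constructed inputs. The ZIP is built in memory, the process-creation events use Sysmon-style field names (ParentImage, Image, CommandLine, ProcessId) as an assumption, and the msdt command-line argument is a placeholder, not a real payload.

```python
"""
Added example (not part of the FortiGuard report): two lightweight triage
checks for the Woody RAT initial-infection vectors the report describes.

  1. ZIP attachments that carry a Windows executable (victims receive ZIP
     files containing the RAT executable and run it manually).
  2. Microsoft Word spawning msdt.exe with the ms-msdt: URI scheme on the
     command line (the Follina / CVE-2022-30190 vector).

All sample data below is constructed; the event field names are an
assumption modelled on Sysmon process-creation events.
"""
import io
import json
import os
import zipfile

PE_MAGIC = b"MZ"                                   # DOS header that starts every PE file
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def find_executables_in_zip(zip_bytes: bytes) -> list[str]:
    """Return member names inside a ZIP that look like Windows executables.

    A member is flagged when its first two bytes are the 'MZ' header
    (a renamed .exe is still a PE file) or when its extension is one that
    Windows will execute directly.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == PE_MAGIC or ext in EXECUTABLE_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_msdt_launch(event: dict) -> bool:
    """True when an Office application launches msdt.exe with an ms-msdt: URI.

    A user opening a troubleshooter from Settings also runs msdt.exe, so the
    check requires both the Office parent and the URI scheme on the command
    line to keep false positives down.
    """
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    return parent in OFFICE_PARENTS and image == "msdt.exe" and "ms-msdt:" in cmdline


def triage_events(jsonl: str) -> list[int]:
    """Return the ProcessId of every JSON-lines event matching the Office -> msdt pattern."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_office_msdt_launch(event):
            hits.append(event["ProcessId"])
    return hits


def build_sample_zip() -> bytes:
    """Constructed ZIP: a benign text file, a fake PE with a document-looking
    name, a non-PE document, and a file flagged by extension alone."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)        # MZ header
        zf.writestr("report.docx", b"PK\x03\x04" + b"\x00" * 28)    # not a PE
        zf.writestr("notes.scr", b"\x00" * 16)                       # extension only
    return buf.getvalue()


# Constructed process-creation events (JSON lines). Only the first one
# matches: Word -> msdt.exe with an ms-msdt: URI (placeholder argument).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4100,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": "msdt.exe ms-msdt:/id constructed-diagnostic-pack"},
    {"ProcessId": 4112,                                  # user-launched troubleshooter, no URI
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": "msdt.exe -id constructed-diagnostic-pack"},
    {"ProcessId": 4120,                                  # ordinary Office child process
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
])

if __name__ == "__main__":
    print("executables in attachment:", find_executables_in_zip(build_sample_zip()))
    print("Office -> msdt events:", triage_events(SAMPLE_EVENTS))
```

The ZIP check keys on the MZ header rather than the extension alone because an attachment renamed to look like a document is the common case; the process check demands both the Office parent and the URI scheme so that a user running a troubleshooter by hand is not flagged.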


For reference, FortiGuard Labs previously released an Outbreak Alert and Threat Signal on CVE-2022-30190. See the Appendix for links to "MSDT Follina" and "Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited in The Wild".


Once Woody RAT compromises a victim's machine, it collects information such as the OS, computer name and installed anti-virus solutions and sends the data to its C2 server. Upon receiving remote commands, the RAT can perform various activities on the compromised machine, including uploading and downloading files, listing directories and capturing screenshots.


Has the Vendor Released a Patch for the Follina vulnerability (CVE-2022-30190) Used by Woody RAT?

Yes. Microsoft released a patch as part of the regular June 2022 Patch Tuesday release.


What is the Status of Coverage?

FortiGuard Labs detects known Woody RAT and associated samples with the following AV signatures:


W32/WoodyRAT.A!tr
MSOffice/Agent.AAP!tr
W64/Agent.OS!tr
W64/Reflo.WD!tr
Malicious_Behavior.SB
PossibleThreat.PALLAS.H
W32/PossibleThreat


In relation to CVE-2022-30190, the following signature detects the retrieval of remote HTML files that contain the MSDT command:


MS.Office.MSHTML.Remote.Code.Execution.


All network IOCs associated with this attack are blocked by the WebFiltering client.

Appendix

Woody RAT: A new feature-rich malware spotted in the wild (Malwarebytes)

MSDT Follina (Fortinet)

Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild (Fortinet)

CVE-2022-30190 (MITRE)



Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.