PoetRAT malware: what it is, how it works and how to prevent it | Malware spotlight

Introduction

As new malware constantly emerges, some have been taking advantage of recent events to make it easier to establish a foothold on a targeted system and wage a cyberattack. One such malware is called PoetRAT, and while it has only targeted one country to date, its targets and methods should be taken seriously by all who are security-minded.

This article will detail what PoetRAT is, how it works and how to prevent it. Given the recent severity of the COVID-19 pandemic, this malware should serve as an example that not all emails referencing this virus should be trusted.

What is PoetRAT?

Recently discovered by Cisco Talos, PoetRAT is an emerging malware that targets the energy and government sector of Azerbaijan — especially wind turbine facilities. As the name suggests, PoetRAT is a remote access Trojan; it’s named PoetRAT because of recurring references to the playwright William Shakespeare’s works. This malware is not currently known to be associated with any specific attack group, which shows that more still needs to be learned about this malware.

There is no one specific way that PoetRAT spreads. However, research has shown that the malware is distributed via URL, which indicates that users are most likely tricked by either emails or social media messages to download the malware. PoetRAT has been observed downloading other tools for persistence and other purposes, but more on this later.

How PoetRAT works

As mentioned earlier, PoetRAT spreads via emails or social media messages containing malicious URLs. This is not to say that other methods are not being used as well.

Talos researchers have observed three phishing emails claiming to be from the Azerbaijan government and the Ministry of Defense of India, which contained a malicious Microsoft Word document named “C19.docx.” Attempts like these

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ECGVPMIf_8g/