WogRAT Malware Exploits aNotepad (Windows, Linux)

AhnLab Security Intelligence Center (ASEC) has recently discovered backdoor malware being distributed via aNotepad, a free online notepad service. The malware comes in both PE form, targeting Windows systems, and ELF form, targeting Linux systems. Because the threat actor used the string ‘WingOfGod’ during development, the malware is classified as WogRAT.

Figure 1. aNotepad platform used in the attack

 

1. Distribution Cases

WogRAT appears to have been used in attacks continuously from late 2022 until recently. No attack case against Linux has been found so far. For the Windows variants, the file names of the collected samples suggest that the malware is disguised as a legitimate utility tool to prompt users into downloading it.

The collected samples used the names of legitimate utility tools such as “flashsetup_LL3gjJ7.exe“, “WindowsApp.exe“, “WindowsTool.exe“, “BrowserFixup.exe“, “ChromeFixup.exe“, “HttpDownload.exe“, and “ToolKit.exe“. Based on the submission country information collected from VirusTotal, WogRAT’s main targets appear to be Asian countries such as Hong Kong, Singapore, China, and Japan.

2. WogRAT (Windows)

One of the many Windows samples is used for the explanation below. The distributed file, disguised as an Adobe tool, was developed in .NET. Its class name suggests a Chrome web browser tool, but the file is actually a disguise that carries the encrypted source code of a downloader.

Figure 2. Encrypted source code

 

When the malware is run, it first compiles this embedded source code at runtime and loads the result. The loaded DLL downloads a string from the aNotepad page, Base64-decodes it, and loads the decoded binary. Opening the aNotepad URL shows the .NET binary stored in the note as a Base64-encoded string.

Figure 3. Strings saved in aNotepad and decryption routine to load them
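
Because the stage is stored as plain Base64 text in a public note, a defender who pulls the note (or any paste-site content seen in proxy logs) can check whether it decodes to an executable. The following Python script is an added example written for this page, not ASEC’s code or the malware’s: it finds long Base64 runs, decodes them strictly, checks for the MZ and PE headers, and tests the CLR data directory to tell a .NET assembly from a native PE. The note text and the minimal PE header it contains are constructed fixtures, and the 64-character minimum run length is an assumption of the example.

```python
import base64
import hashlib
import re
import struct

# Runs of Base64 text at least 64 characters long. The 64-character floor is an
# assumption of this example, chosen to skip short tokens; a staged executable
# is far longer.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def decode_pe(blob: bytes):
    """Return the decoded bytes if `blob` is strict Base64 for a PE image
    (MZ stub plus a valid e_lfanew pointing at 'PE\\0\\0'), otherwise None."""
    try:
        data = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return data


def is_dotnet(pe: bytes) -> bool:
    """True if data directory 14 (the CLR runtime header) is populated, which
    marks a .NET assembly such as the WogRAT stages."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    if opt + 2 > len(pe):
        return False
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
    clr = dd_base + 14 * 8
    if clr + 8 > len(pe):
        return False
    rva, size = struct.unpack_from("<II", pe, clr)
    return rva != 0 and size != 0


def scan_note(text: bytes) -> list:
    """Scan note text and return one record per embedded PE found."""
    hits = []
    for m in B64_RUN.finditer(text):
        pe = decode_pe(m.group(0))
        if pe is not None:
            hits.append({"offset": m.start(), "size": len(pe),
                         "dotnet": is_dotnet(pe),
                         "md5": hashlib.md5(pe).hexdigest()})
    return hits


def build_fake_pe(dotnet: bool = True) -> bytes:
    """Constructed fixture: just enough PE32 header for the checks above.
    It is not a loadable image and is not derived from any WogRAT sample."""
    e_lfanew = 0x80
    img = bytearray(e_lfanew + 4 + 20 + 96 + 16 * 8)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)              # PE32 magic
    if dotnet:
        struct.pack_into("<II", img, opt + 96 + 14 * 8, 0x2008, 0x48)
    return bytes(img)


# Constructed note contents: prose around a Base64 blob, as a paste site would serve them.
SAMPLE_NOTE = b"shared note\n" + base64.b64encode(build_fake_pe()) + b"\nthanks"
DECOY_NOTE = b"AAAA" * 40          # valid Base64, but decodes to zero bytes, not a PE

if __name__ == "__main__":
    for hit in scan_note(SAMPLE_NOTE):
        print(hit)
```

The MD5 is computed over the decoded bytes, so it can be compared directly with the hashes in the IoC list below. Strict decoding (validate=True) matters: lenient decoders accept almost any text and would produce noise on ordinary notes.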

 

The DLL that is ultimately loaded is the backdoor itself, named WingsOfGod. When WogRAT runs for the first time, it collects basic information about the infected system and sends it to the C&C server. It then supports commands such as executing commands and returning their results, downloading files, and uploading files.

Figure 4. WingOfGod RAT’s main routine

 

WogRAT sends data in the following structure via HTTP POST requests for the initial connection, command download, and reporting of command execution results. For example, the following data is sent on the first connection to the C&C server.

  • Data sent on initial connection (example): “act=on&bid=4844-1708721090438&name=TestPC\TestUser”

Stage                               Data sent
Initial connection                  act=on&bid=[PID]-[Random]&name=[PC Name]\[User Name]
Downloading commands                act=chk&bid=[PID]-[Random]
Sending command execution results   act=ret&task_id=[task ID]&result=[Base64-encoded command execution result]

Table 1. Structure of data sent

When a command is downloaded, it contains the command type, a task ID, and command-related data. For example, the following command has the task ID ‘upldr’ and type 3 (upload): it reads the file ‘C:\malware.exe’ and sends it to the C&C server.

  • Command received (example): “task_id=upldr&task_type=3&task_data=C:\malware.exe”

Field       Meaning
task_id     Task ID
task_type   Command type (5 commands supported)
task_data   Command-related data

Table 2. Command structure

Command   Description        task_data
1         Run command        Command to be run
2         Download           Download URL / path for file creation
3         Upload             Path of the file to upload
4         Change wait time   Wait time (seconds)
5         Terminate          (none)

Table 3. Supported commands

File upload uses the FTP protocol. The upload URL in the analyzed sample is a test URL, so this particular sample has no working upload feature; other variants are assumed to use it.

Figure 5. File upload commands that use FTP protocol

 

3. WogRAT (Linux)

Although the initial distribution method was not identified, AhnLab discovered a Linux version of WogRAT while examining malware strains that used the same C&C server. The Linux version is similar to the Windows version and reuses routines from the open-source malware Tiny SHell, as the Rekoobe backdoor does.

When executed, WogRAT changes its process name to look like a legitimate process, as many other malware strains do, to avoid detection. All Linux samples found so far rename themselves to “[kblockd]”, the name ps shows for the kernel’s block-layer work-queue thread. Afterward, it collects basic information about the infected system and sends it to the C&C server, as the Windows version does.

Figure 6. Routine similar to the Windows version
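
The renaming described above leaves traces that a genuine kernel thread never has. The following Python script is an added example written for this page (it is not ASEC’s code or the malware’s): it flags processes whose displayed name looks like a kernel thread, such as “[kblockd]”, but which carry a command line, a resolvable /proc/<pid>/exe link, a literal bracket in their comm, or a parent other than kthreadd. The process table used for the demonstration is constructed and the path /tmp/suspect is hypothetical; on a Linux host the script reads the live /proc instead.

```python
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str                 # /proc/<pid>/comm
    cmdline: bytes            # raw /proc/<pid>/cmdline; empty for real kernel threads
    exe: Optional[str]        # readlink(/proc/<pid>/exe); None if unresolvable
    state: str = "S"          # first letter of the State: line in /proc/<pid>/status


def displayed_name(p: Proc) -> str:
    """What `ps` prints: argv[0] when a command line exists, otherwise the comm
    wrapped in brackets. The brackets are added by ps, not stored by the kernel."""
    if p.cmdline:
        return p.cmdline.split(b"\0", 1)[0].decode(errors="replace")
    return f"[{p.comm}]"


def is_masquerading(p: Proc) -> bool:
    """A process that shows a bracketed, kernel-style name but has any userland
    trait (a literal bracket in comm, a command line, a resolvable exe, or a
    parent other than kthreadd/PID 0) has renamed itself. Zombies also lose
    their command line, so they are excluded to avoid false positives."""
    if p.state.startswith("Z"):
        return False
    shown = displayed_name(p)
    if not (shown.startswith("[") and shown.endswith("]")):
        return False
    return ("[" in p.comm or bool(p.cmdline) or p.exe is not None
            or p.ppid not in (0, 2))


def find_masquerading(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if is_masquerading(p)]


def collect_live() -> List[Proc]:
    """Read the real process table from /proc (Linux only). Processes that
    exit mid-scan are skipped."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().rstrip("\n")
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read()
            ppid, state = 0, "S"
            with open(f"{base}/status") as f:
                for line in f:
                    if line.startswith("PPid:"):
                        ppid = int(line.split()[1])
                    elif line.startswith("State:"):
                        state = line.split()[1]
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:
                exe = None
            procs.append(Proc(int(entry), ppid, comm, cmdline, exe, state))
        except OSError:
            continue
    return procs


# Constructed process table (not captured from an infected host): real kthreadd
# and kblockd threads, two renamed userland processes, and a normal daemon.
SAMPLE_PROCS = [
    Proc(pid=2, ppid=0, comm="kthreadd", cmdline=b"", exe=None),
    Proc(pid=17, ppid=2, comm="kblockd", cmdline=b"", exe=None),
    Proc(pid=1407, ppid=1, comm="[kblockd]", cmdline=b"[kblockd]\0",
         exe="/tmp/suspect"),                         # hypothetical path
    Proc(pid=1408, ppid=1, comm="abc", cmdline=b"[kblockd]\0",
         exe="/tmp/suspect"),                         # argv[0] rewritten only
    Proc(pid=2210, ppid=1, comm="sshd", cmdline=b"/usr/sbin/sshd\0-D\0",
         exe="/usr/sbin/sshd"),
]

if __name__ == "__main__":
    table = collect_live() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in find_masquerading(table):
        print(f"pid={p.pid} ppid={p.ppid} shown={displayed_name(p)!r} exe={p.exe}")
```

The check does not depend on the specific string “[kblockd]”, so it also covers a variant that picks another kernel thread name. Note the asymmetry it relies on: the kernel stores “kblockd” without brackets, and only ps adds them for processes with an empty command line, so a literal bracket in comm or argv[0] is by itself a sign of spoofing.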

 

  • Data sent on initial connection (example): “Online#beacon_id=1407-1708746837279&pid=1407&hostname=testPC&ip=xxx.xxx.xxx.xxx&uid=0&username=root”

Stage                               Data sent
Initial connection                  Online#beacon_id=[PID]-[Random]&pid=[PID]&hostname=[host name]&ip=[IP address]&uid=[uid]&username=[user name]
Downloading commands                Check#beacon_id=[PID]-[Random]
Sending command execution results   AddResult#task_id=[task ID]&result=[Base64-encoded command execution result]

Table 4. Structure of the data sent

The structure of the data sent differs slightly from the Windows version, but the data received from the C&C server uses the same “task_id”, “task_type”, and “task_data” fields. Apart from the missing download command, the supported commands are almost identical to the Windows version. One further difference is how the strings are handled: the Windows version sends them to the C&C server as they are, while the Linux version encrypts them once more before sending them.

Command   Description        task_data
1         Reverse shell      Reverse shell address “IP:Port”
2         Upload             Path of the file to upload
3         Change wait time   Wait time (seconds)
4         Terminate          (none)

Table 5. Supported commands
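
As an added example for this page (not ASEC’s code and not the malware’s), the Python below turns Tables 1 to 5 into a small classifier for HTTP POST bodies: it parses the Windows “act=” layout and the Linux “Stage#” layout, extracts the PID from the beacon ID, and decodes task_id/task_type/task_data commands against the right per-platform table, since the same number means different commands on the two platforms. The two initial-connection bodies are the page’s own examples; the remaining bodies and the result value are constructed here.

```python
import base64
import re
from typing import Dict, Optional

# Command tables from the page (Tables 3 and 5). The same number means a
# different command on each platform: 2 is Download on Windows but Upload on Linux.
WINDOWS_CMDS = {1: "run command", 2: "download", 3: "upload",
                4: "change wait time", 5: "terminate"}
LINUX_CMDS = {1: "reverse shell", 2: "upload", 3: "change wait time", 4: "terminate"}

WINDOWS_STAGES = {"on": "initial connection", "chk": "downloading commands",
                  "ret": "sending command execution results"}
LINUX_STAGES = {"Online": "initial connection", "Check": "downloading commands",
                "AddResult": "sending command execution results"}

# [PID]-[Random]. The page's examples carry a 13-digit second part that resembles
# a millisecond timestamp, but the page calls it random, so only digits are required.
BEACON_ID = re.compile(r"^(\d+)-(\d+)$")


def split_fields(qs: str) -> Dict[str, str]:
    """Split key=value&key=value without URL-decoding. urllib's parse_qsl would
    turn '+' into a space and corrupt the Base64 in the result field."""
    fields = {}
    for part in qs.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def decode_result(value: str) -> Optional[bytes]:
    """Base64-decode a command result; None when the value is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return None


def parse_beacon(body: str) -> Optional[dict]:
    """Classify a POST body as a WogRAT beacon. Linux bodies are 'Stage#fields';
    Windows bodies carry the stage in the 'act' field. Returns None if the body
    fits neither layout."""
    if "#" in body:
        stage, _, qs = body.partition("#")
        fields = split_fields(qs)
        os_name, stage_name, bid = "linux", LINUX_STAGES.get(stage), fields.get("beacon_id")
    else:
        fields = split_fields(body)
        os_name = "windows"
        stage_name, bid = WINDOWS_STAGES.get(fields.get("act", "")), fields.get("bid")
    if stage_name is None:
        return None
    beacon = {"os": os_name, "stage": stage_name, "fields": fields}
    m = BEACON_ID.match(bid or "")
    if m:
        beacon["pid"] = int(m.group(1))
    elif stage_name != "sending command execution results":
        return None          # the first two stages always carry the beacon id
    if "result" in fields:
        beacon["result"] = decode_result(fields["result"])
    return beacon


def parse_command(body: str, os_name: str) -> Optional[dict]:
    """Decode a task_id/task_type/task_data command using the table for os_name."""
    fields = split_fields(body)
    table = LINUX_CMDS if os_name == "linux" else WINDOWS_CMDS
    try:
        task_type = int(fields["task_type"])
    except (KeyError, ValueError):
        return None
    if task_type not in table:
        return None
    return {"task_id": fields.get("task_id"), "task_type": task_type,
            "command": table[task_type], "task_data": fields.get("task_data", "")}


# Constructed POST bodies: the first and fourth are the page's own examples; the
# others are made up here to exercise the remaining stages and a non-matching post.
SAMPLE_BODIES = [
    "act=on&bid=4844-1708721090438&name=TestPC\\TestUser",
    "act=chk&bid=4844-1708721090438",
    "act=ret&task_id=upldr&result=T0s=",                        # 'OK' in Base64
    "Online#beacon_id=1407-1708746837279&pid=1407&hostname=testPC"
    "&ip=xxx.xxx.xxx.xxx&uid=0&username=root",
    "user=alice&pass=secret",                                   # ordinary login form
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(parse_beacon(body))
    print(parse_command("task_id=upldr&task_type=3&task_data=C:\\malware.exe", "windows"))
```

When applying this to proxy logs, pair the beacon classification with the destination (the C&C URLs listed below) rather than relying on the body alone, since “act=on” style parameters also occur in benign web applications.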

The main characteristic of the Linux version is how it receives commands. Instead of receiving commands directly from the C&C server, it receives the address of a reverse shell server and connects to that address to receive commands. The threat actor most likely operates a Tiny SHell server for WogRAT to connect to: Tiny SHell itself was distributed from the same address, and the two share the same reverse shell routine.

The threat actor also reused Tiny SHell’s C&C communication method and reverse shell features when building WogRAT. Both WogRAT and Tiny SHell encrypt their C&C communications with an AES-128 key derived through the HMAC-SHA1-based routine, and both use the 0x10-byte integrity check value without altering it.

Figure 7. Routine and data identical to Tiny SHell

 

The two strains do, however, use different password strings: “03c7c0ace395d80182db07ae2c30f034” for WogRAT and “194112c60cb936ed1c195b98142ff49d” for Tiny SHell.

4. Conclusion

AhnLab recently found WogRAT strains targeting both Windows and Linux systems. Although the specific attack vector has not been identified, the collected file names suggest that the attackers disguise the malware as legitimate utility programs to prompt downloads.

Users should be cautious when running executables obtained from file-sharing sites, and should download utility programs and games from their official websites. V3 should also be kept up to date so that infections can be blocked.

File Detection
– Downloader/Win.WogRAT.R636364 (2024.02.25.00)
– Backdoor/Win.WogRAT.C5593109 (2024.02.25.00)
– Backdoor/Win.WogRAT.C5593110 (2024.02.25.00)
– Backdoor/Win.WogRAT.R636365 (2024.02.25.00)
– Trojan/Win.Generic.C5387450 (2023.02.24.03)
– Backdoor/Linux.Rekoobe.67840 (2023.07.13.00)
– Backdoor/Linux.TinySHell.63712 (2024.02.26.03)

AMSI Detection
– Backdoor/Win.WogRAT.C5593109 (2024.02.25.00)

IoC
MD5

– 5769d2f0209708b4df05aec89e841f31 : WogRAT Downloader (WindowsTool.exe)
– 655b3449574550e073e93ba694981ef4 : WogRAT Downloader (WindowsApp.exe)
– 929b8f0bdbb2a061e4cf2ce03d0bbc4c : WogRAT Downloader (flashsetup_LL3gjJ7.exe)
– da3588a9bd8f4b81c9ab6a46e9cddedd : WogRAT Downloader (BrowserFixup.exe)
– fff21684df37fa7203ebe3116e5301c1 : WogRAT Downloader (ToolKit.exe)
– e9ac99f98e8fbd69794a9f3c5afdcb52 : WogRAT Downloader (HttpDownload.exe)
– 290789ea9d99813a07294ac848f808c9 : WogRAT – Windows (WingsOfGod.dll)
– 3669959fdb0f83239dba1a2068ba25b3 : WogRAT – Windows (WingsOfGod.dll)
– f97fa0eb03952cd58195a224d48f1124 : WogRAT – Windows (WingsOfGod.dll)
– f271e0ae24a9751f84c5ae02d29f4f0e : WogRAT – Windows (WingsOfGod.dll)
– 1341e507f31fb247c07beeb14f583f4f : WogRAT – Windows (ChromeFixup.exe)
– 7bcfea3889f07f1d8261213a77110091 : Tiny SHell (dddddd_oo)
– 1aebf536268a9ed43b9c2a68281f0455 : WogRAT – Linux (abc)
– a35c6fbe8985d67a69c918edcb89827e : WogRAT – Linux (a14407a2)

C&C URL
– w.linuxwork[.]net:443
– linuxwork[.]net:80
– hxxps://t0rguard[.]net/c/
– hxxps://w.newujs[.]com/c/
– hxxps://newujs[.]com/tt.php?fuckyou=1

Download URL
– hxxp://newujs[.]com/dddddd_oo
– hxxp://newujs[.]com/abc
– hxxp://newujs[.]com/a14407a2
– hxxps://js.domaiso[.]com/jquery.min-2.js
– hxxps://jp.anotepad[.]com/note/read/b896abi9
– hxxp://newujs[.]com/cff/wins.jpg

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

 
