WogRAT Malware Exploits Online Notepad Service for Covert Operations

A new malware strain, named ‘WogRAT,’ has emerged, targeting both Windows and Linux systems by leveraging an online notepad platform called ‘aNotepad’ as a covert channel for storing and retrieving malicious code. According to researchers, who named the malware ‘WingOfGod,’ it has been active since late 2022, with a focus on countries like Japan, Singapore, China, Hong Kong, and other Asian regions.

The exact distribution methods of WogRAT are unknown. However, the names of the sampled executables suggest they are disguised as popular software, such as ‘flashsetup_LL3gjJ7.exe,’ ‘WindowsApp.exe,’ ‘WindowsTool.exe,’ ‘BrowserFixup.exe,’ ‘ChromeFixup.exe,’ ‘HttpDownload.exe,’ and ‘ToolKit.exe,’ indicating they may be distributed via malvertising or similar schemes.

One of the notable aspects of WogRAT is its use of aNotepad, a legitimate online service, to host a base64-encoded .NET binary of the Windows version of the malware, masquerading as an Adobe tool. This allows the malware to evade detection by security tools that do not blocklist aNotepad.

When initially executed, WogRAT appears benign as it lacks any overtly malicious functionality. However, it contains encrypted source code for a malware downloader that is compiled and executed dynamically. This downloader retrieves a further malicious .NET binary from aNotepad, which then loads a DLL, serving as the WogRAT backdoor.
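The staging step described above, a base64-encoded .NET binary sitting in the text of an ordinary online note, is something a defender can look for directly. The following Python is an added example, not code from the article or from ASEC: it takes the text of a note as a hosting service would return it, joins wrapped base64 lines into blobs, decodes them, and reports any blob that decodes to a PE image, together with whether the image carries a CLR (.NET) runtime header. The sample note and the header-only PE inside it are constructed for the demonstration; the PE layout offsets (e_lfanew at 0x3C, data directory 14 for the CLR header) are standard.

```python
import base64
import binascii
import re
import struct

# A line made only of base64 alphabet characters; pasted blobs are usually wrapped.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_base64_blobs(text: str, min_chars: int = 64) -> list:
    """Return (first_line_number, blob) for each run of consecutive base64-only lines."""
    blobs = []
    current = []
    start = 0

    def flush() -> None:
        joined = "".join(current)
        if len(joined) >= min_chars:
            blobs.append((start, joined))
        current.clear()

    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if B64_LINE.match(stripped):
            if not current:
                start = lineno
            current.append(stripped)
        elif current:
            flush()
    if current:
        flush()
    return blobs


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_dotnet_pe(data: bytes) -> bool:
    """True if the optional header has a non-empty CLR runtime header directory (index 14)."""
    if not looks_like_pe(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20            # PE signature (4) + COFF file header (20)
    if len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                 # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:               # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return False
    if len(data) < count_off + 4 or struct.unpack_from("<I", data, count_off)[0] < 15:
        return False
    entry = dirs_off + 14 * 8          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if len(data) < entry + 8:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def find_embedded_binaries(note_text: str) -> list:
    """Decode each base64 blob in the note and keep the ones that are PE images."""
    hits = []
    for lineno, blob in extract_base64_blobs(note_text):
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(data):
            hits.append({"line": lineno, "size": len(data), "dotnet": is_dotnet_pe(data)})
    return hits


def build_sample_dotnet_pe() -> bytes:
    """Constructed test input: a header-only PE32 flagged as .NET; not a runnable program."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, no timestamp/symbols, SizeOfOptionalHeader=224, EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)    # CLR header directory: RVA, size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed note text: a cover line, the payload wrapped at 76 columns, a trailer.
_b64 = base64.b64encode(build_sample_dotnet_pe()).decode()
SAMPLE_NOTE = ("Adobe update helper\n"
               + "\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))
               + "\n-- end --\n")

if __name__ == "__main__":
    for hit in find_embedded_binaries(SAMPLE_NOTE):
        print(f"line {hit['line']}: PE image, {hit['size']} bytes, .NET={hit['dotnet']}")
```

Run against the body of a fetched note (or a proxy's captured response), a hit is strong evidence the page is being used as a payload host rather than as a notepad; the same check applies to any paste or note service, not only the one named in the report.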

The Windows version of WogRAT sends basic system profile information to its command-and-control (C2) server and receives commands for execution. The Linux variant of WogRAT, in ELF form, shares similarities with its Windows counterpart but uses Tiny Shell for routing operations and additional encryption in its communication with the C2.

Unlike the Windows version, the Linux variant of WogRAT does not abuse aNotepad for hosting and retrieving malicious code. Instead, commands are issued through a reverse shell created on a specified IP and port.

The analysts have not determined how the Linux ELF binaries are distributed.

For a full list of indicators of compromise (IoCs) related to WogRAT, refer to ASEC’s report. The emergence of WogRAT underscores the evolving tactics used by threat actors to evade detection and compromise systems.

To prevent WogRAT infections, ensure your antivirus is up-to-date and regularly scan your system. Be cautious of executable files from unknown sources, and monitor your system for unusual activity. Consider using a reputable cybersecurity solution to protect against malware.
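One concrete form of the "monitor your system for unusual activity" advice, given what the report says about the Windows chain, is to correlate process starts with outbound connections to the note-hosting service. The Python below is an added example, not code from the article or from ASEC. The disguised file names come from the report; the hostname of the aNotepad service is not stated in the article and is an assumption here, as is the rule that browsers are the only processes expected to reach it. The log lines are constructed and loosely follow a Sysmon-style shape; adapt the parser to real telemetry.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

# Executable names the report lists for WogRAT samples (compared case-insensitively).
DISGUISED_NAMES = {
    "flashsetup_ll3gjj7.exe", "windowsapp.exe", "windowstool.exe",
    "browserfixup.exe", "chromefixup.exe", "httpdownload.exe", "toolkit.exe",
}
# Assumptions: the service hostname is not given in the article, and only browsers
# are expected to talk to it.
NOTEPAD_HOST = "anotepad.com"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

LINE = re.compile(r"^(\S+) (ProcessCreate|NetworkConnect) pid=(\d+) (image|dest)=(.+)$")


@dataclass
class Alert:
    severity: str
    pid: str
    image: Optional[str]
    reason: str


def correlate(log_text: str, notepad_host: str = NOTEPAD_HOST,
              window: timedelta = timedelta(minutes=5)) -> list:
    """Pair each connection to the notepad host with the process that made it and grade it."""
    creations = {}   # pid -> (start time, image path)
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, event, pid, key, value = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event == "ProcessCreate" and key == "image":
            creations[pid] = (when, value)
        elif event == "NetworkConnect" and key == "dest":
            host = value.rsplit(":", 1)[0].lower()
            if host != notepad_host:
                continue
            created = creations.get(pid)
            if created is None:
                alerts.append(Alert("medium", pid, None,
                                    "process with no recorded start contacted the notepad host"))
                continue
            started, image = created
            name = PureWindowsPath(image).name.lower()
            if name in BROWSERS:
                continue                      # expected interactive use
            if name in DISGUISED_NAMES and when - started <= window:
                alerts.append(Alert("high", pid, image,
                                    "disguised executable reached the notepad host right after launch"))
            else:
                alerts.append(Alert("medium", pid, image,
                                    "non-browser process contacted the notepad host"))
    return alerts


# Constructed telemetry: one disguised sample, one browser, one unrelated non-browser
# tool, and one connection with no matching process-start record.
SAMPLE_LOG = """\
2024-03-05T09:00:01Z ProcessCreate pid=4120 image=C:\\Users\\a\\Downloads\\ChromeFixup.exe
2024-03-05T09:00:03Z NetworkConnect pid=4120 dest=anotepad.com:443
2024-03-05T09:01:10Z ProcessCreate pid=5008 image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2024-03-05T09:01:12Z NetworkConnect pid=5008 dest=anotepad.com:443
2024-03-05T09:02:00Z ProcessCreate pid=6100 image=C:\\Users\\a\\AppData\\Local\\Temp\\sync.exe
2024-03-05T09:02:05Z NetworkConnect pid=6100 dest=anotepad.com:443
2024-03-05T09:02:30Z NetworkConnect pid=7777 dest=anotepad.com:443
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(f"[{alert.severity}] pid={alert.pid} image={alert.image}: {alert.reason}")
```

The high-severity branch is the one that matches the chain in the report: a freshly launched binary with one of the listed names pulling content from the note service. The medium branches catch the same service being reached by any non-browser process, which is the more general signal and survives a change of file name.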