WogRAT Backdoor: The Stealthy Malware Lurking in Online Notepads


A newly discovered backdoor malware dubbed ‘WogRAT’ is raising alarms for both Windows and Linux users. Discovered by the AhnLab Security Intelligence Center (ASEC), WogRAT stands out due to its ability to target both popular operating systems.

Spreading Its Wings

WogRAT appears to be masquerading as legitimate utility tools on file-sharing sites, tricking unsuspecting users into downloading it. Interestingly, the malware is disguised with enticing names like “BrowserFixup.exe” and “ChromeFixup.exe”. Analysis by ASEC suggests WogRAT has been active since late 2022 and appears to focus primarily on targets in Asian countries.

The Windows Variant: A .NET Disguise

aNotepad platform used in the attack | Image: ASEC

The Windows version of WogRAT cleverly disguises itself as an Adobe tool and is written in .NET. Its deceptive tactics include:

  • Embedded Source Code: The initial malware contains encrypted downloader source code. Once executed, it compiles this code and loads it.
  • aNotepad Trickery: The downloaded DLL then pulls an encrypted .NET binary, encoded in Base64, from a seemingly innocent aNotepad file.
  • The ‘WingsOfGod’ Payload: The final payload is the true backdoor malware, called WingsOfGod.

Capabilities of the Windows WogRAT

Upon infection, WogRAT gathers basic system information and sends it to its command and control (C&C) server. It then awaits further instructions, which include:

  • Command Execution: Running arbitrary commands on the compromised system.
  • File Exfiltration: Uploading files to the C&C server (likely using FTP).
  • File Download: Downloading additional tools or payloads.

The Linux Variant: Tiny SHell Connection

The Linux version of WogRAT is equally dangerous and shares some traits with the ‘Tiny SHell’ backdoor:

  • Process Masquerade: It disguises itself as a legitimate process, frequently using the name “[kblockd]”.
  • Reverse Shell: Rather than directly receiving commands from the C&C, it connects to a separate server for a reverse shell, giving attackers interactive control.
  • Encryption: It encrypts communications differently from the Windows version, adding another layer of stealth.
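As a defender-side check for the kernel-thread masquerade described above (added here as an example; it is not code from ASEC or from the article): on Linux a genuine kernel thread such as kblockd has no executable behind /proc/<pid>/exe and is parented by kthreadd (PID 2), so a user-space process that merely names itself "[kblockd]" can be told apart by those two properties. The sample process table is constructed; snapshot_proc() reads the live /proc on a Linux host.

```python
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional

KERNEL_PARENT_PIDS = {0, 2}  # kthreadd is PID 2 (its own PPID is 0); real kernel threads hang off it
@dataclass
class ProcInfo:
    pid: int
    ppid: int
    name: str            # process name as ps shows it, e.g. "[kblockd]"
    exe: Optional[str]   # target of /proc/<pid>/exe; None if absent or unreadable

def is_masquerading(p: ProcInfo) -> bool:
    # ps shows real kernel threads in brackets, e.g. "[kblockd]"; a bracketed name that
    # has an on-disk executable, or a parent other than kthreadd, is a user-space impostor.
    if not (len(p.name) > 2 and p.name.startswith("[") and p.name.endswith("]")):
        return False
    return p.exe is not None or p.ppid not in KERNEL_PARENT_PIDS

def find_masquerading(procs: Iterable[ProcInfo]) -> List[ProcInfo]:
    return [p for p in procs if is_masquerading(p)]

def snapshot_proc() -> List[ProcInfo]:
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            name = argv0 or "[" + fields["Name"].strip() + "]"  # empty cmdline: bracket comm, as ps does
            ppid = int(fields["PPid"])
        except (OSError, KeyError, ValueError):
            continue  # process exited or is unreadable
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # ENOENT for kernel threads, EACCES for other users' processes
        procs.append(ProcInfo(pid, ppid, name, exe))
    return procs

# Constructed sample table: a genuine kblockd worker, a user-space impostor, and a shell.
SAMPLE_PROCS = [
    ProcInfo(35, 2, "[kblockd]", None),
    ProcInfo(4242, 1, "[kblockd]", "/tmp/.cache/kblockd"),
    ProcInfo(1000, 1, "bash", "/usr/bin/bash"),
]
```

Run `find_masquerading(snapshot_proc())` as root to cover processes of every user; as an unprivileged user the PPID test still applies even where /proc/<pid>/exe is unreadable.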

Protecting Yourself

To avoid falling victim to WogRAT, remember these crucial tips:

  • Be Source-Savvy: Only download software from official websites or trusted repositories.
  • Trust but Verify: Be suspicious of executable files, even if the names seem familiar, especially on file-sharing sites.
  • Keep Systems Updated: Ensure your operating system and applications are patched with the latest security updates.
  • Strong Antivirus: Use a reputable antivirus solution that can detect and neutralize malware.