New PoetRAT Hits Energy Sector With Data-Stealing Tools

2020-04-16 21:30

A never-before-seen remote access trojan has been discovered in a set of campaigns targeting the energy sector, with a slew of post-exploitation tools to log keystrokes, record footage from webcams and steal browser credentials.

Researchers called the malware "PoetRAT" due to various references to sonnets by English playwright William Shakespeare throughout the macros, which was embedded in malicious Word documents that were part of the campaign.

"Talos identified multiple lure documents during this campaign which all made use of Visual Basic macros and then Python to carry out their attacks on victims. The adversaries' targets are very specific and appear to be mostly Azerbaijan organizations in the public and private sectors, specifically ICS and SCADA systems in the energy industry."

"We cannot specifically say if there was a similar phishing campaign for the energy sector also.

During the campaign, the operator deployed additional post-exploitation tools on the targeted systems, including a tool, "Dog.exe," that monitors hard drive paths to exfiltrate the information via an email account or a File Transfer Protocol, depending on the configuration.

News URL

https://threatpost.com/new-poetrat-hits-energy-sector-with-data-stealing-tools/154876/

#energy #tools