From Shakespeare to Dostoevsky — How PoetRAT malware targeted the Azerbaijan government as the Nagorno-Karabakh conflict escalated

Basem Dabbour
6 min read · Oct 9, 2020


The rising conflict between Armenia and Azerbaijan is spiralling out of control: military forces have been deployed, militants are fighting each other, and dozens of people have been killed and many more wounded since fighting began in the Nagorno-Karabakh territory.

The sponsors of the Armenia-Azerbaijan conflict on the Nagorno-Karabakh territory.

Proxy world powers and other countries are backing each side of the conflict. Meanwhile, a cyberwar has been under way in the same region since April, targeting only Azerbaijan: government bodies (public and private sector), the energy sector (SCADA systems related to a wind turbine), and other key organizations, as the country's historical conflict with Armenia over the disputed territory escalates.

According to research by Cisco Talos, a new malware dubbed "PoetRAT" has recently emerged, taking advantage of recent events to make it easier for the attackers to establish a solid foothold on many targeted systems and conduct cyberattacks for political leverage or other reasons. Three main campaigns targeting the Azerbaijan government have been identified so far.

The first, on the 1st of February this year, used a blurred decoy .docx file (hosted at hxxp://govaz[.]herokuapp[.]com/content/section_policies.docx). The second campaign, in April 2020 after the coronavirus pandemic began, used a C19.docx document with unreadable content, while other lures were clearly written in Russian. Last but not least was a phishing campaign against webmail to steal VIPs' credentials.

It is worth mentioning that most Azerbaijani (.gov) websites don't use an SSL certificate to secure the connection to the server, and in one way or another this enabled a 4th campaign, by the "Anonymous Greece" group, who claimed to have conducted a DDoS attack against more than 150 .gov servers, including a well-known public TV stream, and taken them all down for hours.

List of the hacked websites

This may have been part of a political campaign against Azerbaijan's biggest supporter, the president of Turkey, "Recep Tayyip Erdoğan", over the recent Aegean dispute between the two countries. In a private conversation I had with the group, they claimed that the attack ended without any data being stolen and was only meant to hold the servers back for a while.

What is PoetRAT?

17th-century French poet Jean de La Fontaine wrote fables like The Council of the Rats — Image Source: https://www.pinterest.com/pin/776800635715371145/?nic_v2=1a2mJpBq6

PoetRAT is a Remote Access Trojan, a highly sophisticated malware written by unknown actors.

PoetRAT was discovered recently by the Cisco Talos team.

PoetRAT is an emerging malware that has targeted much of Azerbaijan's infrastructure.

There are 2 main versions of this malware; one was spread in April 2020. It is called by that name because of the recurring literary references to the works of the British poet and playwright William Shakespeare and to the novel Crime and Punishment by the Russian novelist Fyodor Dostoevsky.

This malware aggregates all kinds of standard and advanced features in a way that provides full control of the compromised system: exfiltration, stealing pieces of information, and using FTP (File Transfer Protocol) to get hold of large amounts of onsite data. The Poet code is state of the art, since it is not currently known to be associated with any specific cyberattack group, even after many further investigations into how exactly this malware works; still, a lot remains hidden or unexplored and needs to be learned.

How does the PoetRAT malware work?

Remote Access Trojan attack (RAT) — Image Source

The malware exploits bugs and vulnerabilities inside Microsoft Word documents to establish a full foothold. It is used in spear-phishing attacks targeting many VIPs and other key figures, sending a malicious Word document by email, by social media message, or by any other phishing technique, taking advantage of the psychological conditions the targets might be going through to trick them into clicking and downloading the infected document.

When the victims download/open the Word document or click on the infected URL, a Python payload is downloaded: a dropper containing a Visual Basic script enables malicious macros that execute pre-programmed malicious activities to deploy the PoetRAT malware and write it as a ZIP file, "smile.zip", to the target disk. The macros unzip the "smile" file to extract 3 Python scripts programmed to collect sensitive data such as files, credentials, or even images from the webcam:

launcher.py script: actually a scout script with anti-sandboxing code. It checks the target environment before going further and executing the attack. The script has 2 functions. The first, "good_disk_size()", checks whether the environment is a sandbox with a disk size smaller than 62GB; if so, it pulls the kill switch and overwrites and deletes itself from the disk. If not, it calls the "crack()" function to unpack everything, in this case the other 2 Python scripts.

frown.py script: uses TLS to encrypt the communication between the targeted victim server/machine/computer and the PoetRAT command & control (C2) server hosted by the attacker.

smile.py script: executes certain PowerShell commands that let the C2 server build a bridge and transfer sensitive data from/to the victim server using FTP, or even take full control over the machine by adding registry keys to Active Directory (AD).
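The disk-size test in the scout script is the part a blue team can act on directly: an analysis VM that is provisioned too small never gets to see the second stage. The following Python is an added example, not code from PoetRAT or from Talos. It does two things: it tells you whether a given disk size would fall under the 62GB threshold described above (so a sandbox can be sized to look like a real workstation), and it runs a static heuristic over Python source to flag scripts that pair a disk-capacity query with deleting their own file, which is the scout-then-self-destruct behaviour described above. The indicator call lists, the helper names and the two sample scripts are this example's own assumptions, not recovered malware code.

```python
"""Added example, not PoetRAT's own code: defender-side checks for the
disk-size sandbox test described for the scout script above.

sandbox_would_be_detected() tells you whether a machine with a given total
disk size would fall under the 62 GB threshold the scout script uses, so an
analysis VM can be provisioned to look like a real workstation.
find_evasion_pattern() is a static heuristic that flags Python source which
combines a disk-size query with deleting its own file, the scout-then-self-destruct
behaviour described above. Indicator sets and the sample scripts below are
this example's own assumptions, not recovered malware code."""
import ast
import os
import shutil

GB = 1024 ** 3
SANDBOX_DISK_THRESHOLD_GB = 62  # threshold reported in the write-up

# Call names that read disk capacity, and that remove a file (assumed lists).
DISK_QUERY_CALLS = {"shutil.disk_usage", "os.statvfs", "psutil.disk_usage"}
SELF_DELETE_CALLS = {"os.remove", "os.unlink"}


def sandbox_would_be_detected(total_bytes, threshold_gb=SANDBOX_DISK_THRESHOLD_GB):
    """True if a disk this small would make the scout script abort and self-delete."""
    return total_bytes < threshold_gb * GB


def audit_local_disk(path=None):
    """Report whether the disk holding `path` (default: cwd) passes the threshold."""
    total = shutil.disk_usage(path or os.getcwd()).total
    return {"total_gb": round(total / GB, 1),
            "looks_like_sandbox": sandbox_would_be_detected(total)}


def _dotted_name(node):
    """Turn an ast.Name/ast.Attribute chain into 'a.b.c'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_evasion_pattern(source):
    """Static scan: disk-size query + file deletion + reference to own path."""
    tree = ast.parse(source)
    disk_calls, delete_calls, own_path = set(), set(), False
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DISK_QUERY_CALLS:
                disk_calls.add(name)
            elif name in SELF_DELETE_CALLS:
                delete_calls.add(name)
        elif isinstance(node, ast.Name) and node.id == "__file__":
            own_path = True
        elif isinstance(node, ast.Subscript) and _dotted_name(node.value) == "sys.argv":
            own_path = True
    return {"disk_query": sorted(disk_calls),
            "self_delete": sorted(delete_calls),
            "references_own_path": own_path,
            "suspicious": bool(disk_calls and delete_calls and own_path)}


# Constructed inputs for the heuristic (not the real scripts).
SUSPICIOUS_SAMPLE = """
import os, shutil
if shutil.disk_usage("/").total < 62 * 1024 ** 3:
    os.remove(__file__)
"""
BENIGN_SAMPLE = """
import shutil
usage = shutil.disk_usage("/")
print("free GB:", usage.free // 1024 ** 3)
"""

if __name__ == "__main__":
    print(audit_local_disk())
    print(find_evasion_pattern(SUSPICIOUS_SAMPLE))
    print(find_evasion_pattern(BENIGN_SAMPLE))
```

The heuristic is deliberately narrow (three conditions must co-occur) so that ordinary disk-space reporting scripts such as the benign sample are not flagged; widening the indicator sets to cover ctypes or WMI calls is the obvious next step for a Windows-focused deployment.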

What are the PoetRAT exploitation tools?

Talos researchers found many tools used during PoetRAT campaigns, with diverse attack techniques:

  • Dog: a .NET malware that can be used to monitor hard drive paths on infected computers and has data exfiltration capabilities through FTP or email accounts.
  • Bewmac: webcam session using the OpenCV library to capture images or record video
  • Browdec.exe: browser credential stealer
  • Klog.exe: keylogger capabilities
  • WinPwnage: used for privilege escalation
  • Mimikatz: open-source tool used to steal authentication credentials
  • Pypykatz: credential harvesting, written in Python
  • voStro.exe: credential stealer
  • Nmap: used for network scanning
  • Tre.py: a script written in Python used to create new files and directories on the AD of the infected computer.

From Shakespeare to Dostoevsky

New research from Cisco Talos's threat intelligence team, published on the 6th of October, revealed that new unidentified spies have in recent weeks been taking advantage of weak Azerbaijani government IT networks and infrastructure to access new information related to the diplomatic passports of certain officials.

After Azerbaijan's president, "Ilham Aliyev", ordered troops to deploy to the battlefield against Armenia over the disputed area, the hackers used this event to their advantage to update the PoetRAT version: not only did they change the whole programming language from Python to Lua scripts to improve their OpSec, making it harder to identify them through traffic tracing or to reverse engineer the attack, but they also included new literary references within PoetRAT, changing the cyber theater's theme from "William Shakespeare" to allusions to Fyodor Dostoevsky inside their code.

New PoetRAT featuring Dostoevsky quotes from Crime and Punishment

The hackers used the same spear-phishing technique as in April, but this time the psychological game was tied to the ground mission: malicious documents were used in two campaigns to make the targets take the bait again with fake letters, the first in September purporting to come from the National Seal of Azerbaijan and the second in October from the State Service of Mobilization and Conscription of Azerbaijan.

PoetRAT has so far only been involved in cyberattacks in Azerbaijan, but there is nothing to stop this powerful malware, or many others, from being used in any other region. It is really important to keep the IT security infrastructure, servers, and systems of the public and private sectors updated to prevent, or in fact make it harder for, attackers to clone such attacks elsewhere, even though many know it is a cat-and-mouse game that is really hard to control.

IOCs

Malicious documents

This includes newly observed hashes and also previously observed PoetRAT hashes.

dc565146cd4ecfb45873e44aa1ea1bac8cfa8fb086140154b429ba7274cda9a2 — Oct 2020
64aeffe15aece5ae22e99d9fd55657788e71c1c52ceb08e3b16b8475b8655059 — Sept 2020
ac4e621cc5895f63a226f8ef183fe69e1ae631e12a5dbef97dd16a6dfafd1bfc — April 2020
a703dc8819dca1bc5774de3b6151c355606e7fe93c760b56bc09bcb6f928ba2d — April 2020
208ec23c233580dbfc53aad5655845f7152ada56dd6a5c780d54e84a9d227407 — April 2020
e4e99dc07fae55f2fa8884c586f8006774fe0f16232bd4e13660a8610b1850a2 — April 2020

C2 Infrastructure

slimip[.]accesscam[.]org

OSQuery

Cisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat.

Talos provides two specific OSqueries for this threat: a PoetRAT filepath query and a PoetRAT registry query.

Hosts

C2
dellgenius[.]hopto[.]org

Phishing
gov-az[.]herokuapp[.]com
govaz[.]herokuapp[.]com

Urls

hxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login=

Samples

208ec23c233580dbfc53aad5655845f7152ada56dd6a5c780d54e84a9d227407
252c5d491747a42175c7c57ccc5965e3a7b83eb5f964776ef108539b0a29b2ee
312f54943ebfd68e927e9aa95a98ca6f2d3572bf99da6b448c5144864824c04d
31c327a3be44e427ae062c600a3f64dd9125f67d997715b63df8d6effd609eb3
37118c097b7dbc64fa6ac5c7b28ebac542a72e926d83564732f04aaa7a93c5e3
4eb83253e8e50cd38e586af4c7f7db3c4aaddf78fb7b4c563a32b1ad4b5c677c
5f1c268826ec0dd0aca8c89ab63a8a1de0b4e810ded96cdee4b28108f3476ce7
66679d83d3993ae79229b1ccff5350e083d6631190eeeb3207fa10c3e572ca75
746fbdee1867b5531f2367035780bd615796ebbe4c9043134918d8f9240f98b9
970793967ecbe58d8a6b54f5ec5fd2551ce922cb6b3584f501063e5f45bdd58a
a3405cc1fcc6b6b96a1d6604f587aee6aafe54f8beba5dcbaa7322ac8589ffde
a703dc8819dca1bc5774de3b6151c355606e7fe93c760b56bc09bcb6f928ba2d
ac4e621cc5895f63a226f8ef183fe69e1ae631e12a5dbef97dd16a6dfafd1bfc
b14a8bf8575e46b5356acf3d19667278002935b21b7fc9f62e0957cc1e25209d
b1e7dc16e24ebeb60bc6753c54e940c3e7664e9fcb130bd663129ecdb5818fcd
ca8492139c556eac6710fe73ba31b53302505a8cc57338e4d2146bdfa8f69bdb
d4b7e4870795e6f593c9b3143e2ba083cf12ac0c79d2dd64b869278b0247c247
d5d7fad5b745fa04f7f42f61a1db376f9587426c88ce276f06de8ea6889dfae8
d605a01e42d5bb6bca781b7ba32618e2f2870a4624b50d6e3d895e8e96adee6a
F842354198cfc0a3296f8d3c6b38389761674f1636129836954f50c2a7aab740
e4e99dc07fae55f2fa8884c586f8006774fe0f16232bd4e13660a8610b1850a2
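Indicator lists like the one above are published defanged (`[.]`, `hxxp`) and are not always consistently cased (one sample hash above starts with an uppercase F, and two of the document hashes were published on one line with their dates). The Python below is an added example, not from Cisco Talos or this article, that normalises those values and matches them against local data: it parses the "hash, dash, date" lines and bare hashes into a validated lower-case SHA-256 set, refangs the hosts and URL, hashes content for comparison with the sample list, and scans proxy-log lines for the C2 and phishing domains. The IOC values are copied from the list above; the proxy-log lines and their field layout (timestamp, client, method, URL, status) are constructed for the example.

```python
"""Added example, not from Cisco Talos or this article: turn the defanged
IOCs listed above into something a defender can match against local data.

parse_hash_lines() accepts the "hash, dash, date" lines and bare hashes as
published, lower-cases them (one listed hash starts with an uppercase F) and
rejects anything that is not a 64-hex-char SHA-256.
refang() restores slimip[.]accesscam[.]org and hxxps:// to their real form.
scan_proxy_log() reports lines whose URL host is a C2 or phishing domain.
hash_bytes() gives the SHA-256 to compare with the sample list.
IOC values are copied from the list above; the proxy log lines and their
format (timestamp, client, method, URL, status) are constructed here."""
import hashlib
import re

HASH_LINES = """
dc565146cd4ecfb45873e44aa1ea1bac8cfa8fb086140154b429ba7274cda9a2 — Oct 2020
64aeffe15aece5ae22e99d9fd55657788e71c1c52ceb08e3b16b8475b8655059 — Sept 2020
F842354198cfc0a3296f8d3c6b38389761674f1636129836954f50c2a7aab740
not-a-hash
"""
DEFANGED_HOSTS = [
    "slimip[.]accesscam[.]org",   # C2
    "dellgenius[.]hopto[.]org",   # C2
    "gov-az[.]herokuapp[.]com",   # phishing
    "govaz[.]herokuapp[.]com",    # phishing
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
URL_HOST_RE = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)


def refang(indicator):
    """Undo the common [.] / hxxp defanging so the value matches real logs."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def parse_hash_lines(text):
    """Return (set of valid lower-case SHA-256 strings, list of rejected lines)."""
    hashes, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        candidate = line.split()[0].lower()  # drops any trailing date annotation
        if SHA256_RE.match(candidate):
            hashes.add(candidate)
        else:
            rejected.append(line)
    return hashes, rejected


def hash_bytes(data):
    """SHA-256 hex digest of in-memory content, for comparison with the list."""
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data, known_hashes):
    """True if the content's SHA-256 is in the published sample set."""
    return hash_bytes(data) in known_hashes


def scan_proxy_log(lines, defanged_hosts):
    """Return (line_number, host) for every log line whose URL host is an IOC."""
    watch = {refang(h).lower() for h in defanged_hosts}
    hits = []
    for number, line in enumerate(lines, 1):
        for host in URL_HOST_RE.findall(line):
            if host.lower() in watch:
                hits.append((number, host.lower()))
    return hits


# Constructed proxy log (not real traffic).
SAMPLE_PROXY_LOG = [
    "2020-10-07T09:12:01Z 10.0.0.15 GET https://www.example.org/index.html 200",
    "2020-10-07T09:12:44Z 10.0.0.15 POST https://gov-az.herokuapp.com/azGovaz.php?login= 302",
    "2020-10-07T09:13:02Z 10.0.0.22 GET http://dellgenius.hopto.org/ 200",
    "2020-10-07T09:14:10Z 10.0.0.22 GET https://cdn.example.net/lib.js 200",
]

if __name__ == "__main__":
    known, bad = parse_hash_lines(HASH_LINES)
    print(f"{len(known)} valid hashes, rejected: {bad}")
    print(scan_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_HOSTS))
```

Matching on the URL host rather than on a substring of the whole line avoids false positives from hosts that merely contain an IOC as a suffix, and lower-casing both sides handles the mixed-case hash and any capitalised hostnames a proxy might log.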

Basem Dabbour

Data Science, Information Technology, Blockchain enthusiast. Instagram: https://bit.ly/3mCTDSI, LinkedIn: https://bit.ly/33FKct6