17 April 2020

Mysterious hacker group targets energy sector with new PoetRat malware


Cisco Talos' threat research group has uncovered a new campaign aimed at Azerbaijani government officials and at companies in the country's wind-energy industry. The attackers use a previously unseen malware, which the researchers named PoetRat because of its many references to the English playwright William Shakespeare.

PoetRat is a remote access trojan with the full set of capabilities typical of this class of malware, giving the operator complete control of the compromised system. It exfiltrates data over FTP, which suggests the attackers intended to move large volumes of data.

The attackers monitored specific directories to exfiltrate selected files from victims and used a keylogger, browser credential stealers, Mimikatz and pypykatz for further credential harvesting, the researchers said.

When needed, the attackers manually deployed additional tools on the target system, such as "dog.exe", which monitors the hard disk and exfiltrates data automatically; Bewmac, a Python script that records the victim's webcam; and "Browdec", a browser-focused password stealer. They also employed keyloggers and other generic password stealers.

Additionally, the attackers ran phishing attacks using a website masquerading as the Azerbaijani government's webmail portal.

The researchers said the attackers have also shown an interest in the Supervisory Control and Data Acquisition (SCADA) systems used in wind turbines in Azerbaijan, though Cisco Talos did not reveal any details of these attacks.

PoetRat is distributed via a weaponized Microsoft Word document, although the exact delivery method is currently unclear.

“However, given that it is available for download from a basic URL, it wouldn't be surprising if the victims were being tricked into downloading it by an email or social media network message,” the researchers said.

The Word document is a dropper: it contains a Visual Basic script that carries out the malicious activity. The script loads the document's own bytes into memory and extracts from them a ZIP archive ("smile.zip") that contains a Python interpreter and a Python script that is the RAT itself.

The Word macro then unzips and executes a main script, "launcher.py", which checks the environment the document is opened in to make sure it is not a sandbox: if the machine has a hard drive smaller than 62 GB, it is treated as a sandbox and the malware scripts delete themselves. Otherwise, the script generates a unique ID for the victim, substitutes it directly into the Python source of the main scripts, and executes them.
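A triage check that follows from this dropper layout, added here as an example and not code from Talos or from the page: a Python script that carves every ZIP archive embedded in a carrier file (an Office document with an archive hidden in its bytes, as described above) and flags any archive that bundles a Python interpreter together with .py scripts. The sample carrier it builds is constructed for the demonstration, the interpreter file names it looks for are an assumption (a stock Windows Python build), and the archive offsets it reports are recomputed from each end-of-central-directory record so that prefixed data, trailing data and several archives in one file are all handled.

```python
"""Carve ZIP archives embedded in a carrier file and flag interpreter + script bundles.

Added example (not Talos's tooling). Assumptions: the dropper keeps a whole ZIP
archive somewhere in the carrier's bytes, and a bundled Windows Python build is
recognisable by a handful of well-known file names.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # end-of-central-directory record signature
LOCAL_SIG = b"PK\x03\x04"     # first local file header of a non-empty archive
CENTRAL_SIG = b"PK\x01\x02"   # first central-directory entry (empty archive case)
# Fields: sig, disk no, cd disk, entries on disk, entries total, cd size, cd offset, comment len
EOCD_FMT = "<4sHHHHIIH"
EOCD_LEN = struct.calcsize(EOCD_FMT)   # 22 bytes

# File names that mark a bundled interpreter (assumed stock Windows Python layout).
INTERPRETER_MARKERS = {"python.exe", "pythonw.exe", "python27.dll", "python3.dll", "python37.dll"}


def find_embedded_zips(data):
    """Return [(start_offset, ZipFile)] for every well-formed ZIP archive inside data.

    Each EOCD record is located; the archive start is recomputed from the
    central-directory size and offset the record declares, which is what lets
    the same code handle a .docx container, an appended archive, or both.
    """
    found = []
    pos = 0
    while True:
        end = data.find(EOCD_SIG, pos)
        if end == -1 or end + EOCD_LEN > len(data):
            break
        pos = end + 1
        _, _, _, _, _, cd_size, cd_offset, comment_len = struct.unpack_from(EOCD_FMT, data, end)
        start = end - cd_size - cd_offset
        stop = end + EOCD_LEN + comment_len
        if start < 0 or stop > len(data) or data[start:start + 4] not in (LOCAL_SIG, CENTRAL_SIG):
            continue  # stray 'PK\x05\x06' bytes that are not a real EOCD record
        try:
            found.append((start, zipfile.ZipFile(io.BytesIO(data[start:stop]))))
        except zipfile.BadZipFile:
            continue
    return found


def triage(data):
    """Summarise each embedded archive; flag ones bundling an interpreter with .py scripts."""
    report = []
    for start, zf in find_embedded_zips(data):
        names = zf.namelist()
        basenames = {n.lower().rsplit("/", 1)[-1] for n in names}
        scripts = sorted(n for n in names if n.lower().endswith(".py"))
        report.append({
            "offset": start,
            "entries": len(names),
            "scripts": scripts,
            "suspicious": bool(basenames & INTERPRETER_MARKERS) and bool(scripts),
        })
    return report


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample():
    """Constructed carrier: fake OLE header, filler, a benign docx-like ZIP, then a PoetRat-style ZIP."""
    benign = _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
    payload = _make_zip({
        "python.exe": b"MZ" + b"\0" * 64,   # stand-in for the bundled interpreter
        "launcher.py": b"import os\n",        # stand-in for the launcher script
        "rat.py": b"def run(): pass\n",       # stand-in for the RAT script (hypothetical name)
    })
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 512 + benign + b"\0" * 64 + payload + b"\0" * 128


if __name__ == "__main__":
    for entry in triage(build_sample()):
        print(entry)
```

Run against a real suspect document by reading the file into `data` and calling `triage(data)`; the benign OOXML container shows up as one archive with no scripts, and an appended interpreter bundle shows up as a second archive at a later offset with `suspicious` set.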

“Based on our research, the adversaries may have wanted to obtain important credentials from officials in Azerbaijan's government. The malware attempts to obtain pictures of the victim and utilizes a mail platform targeting the Azerbaijan government. The attacker wanted not only specific information obtained from the victims but also a full cache of information relating to their victim. They would have been able to gain potentially very important credentials and information using these techniques given their victimology. By using Python and other Python-based tools during their campaign, the actor may have avoided detection by traditional tools that have whitelisted Python and Python execution techniques,” Cisco Talos team explained.
