New malware discovered in a Coronavirus-themed campaign aimed at government and energy sectors

23 Apr 2020

Researchers from Cisco Talos discovered a new Coronavirus-themed campaign employing a previously-undiscovered Remote Access Trojan (RAT) dubbed "PoetRAT". The malware was designed to infect Supervisory Control and Data Acquisition (SCADA) systems and was used to target Azerbaijani government structures and utility companies by executing tools to log keystrokes, record footage from webcams and steal browser credentials. 

Researchers called the malware “PoetRAT” due to the various references to works by William Shakespeare present throughout the macros embedded within malicious Word documents that were part of the campaign. Further analysis of the RAT and its distribution reveals a carefully planned, highly targeted campaign against Azerbaijan's public and private sectors and, specifically, ICS and SCADA systems in the energy industry.

PoetRAT is believed to be distributed through URLs mimicking official Azerbaijani government domains, used to convince users to download a "dropper" document. Talos identified multiple lure Microsoft Word documents during this campaign, all of which made use of Visual Basic macros to deploy a Python-based remote access trojan. The first document, from February 2020, revealed blurred pictures with no text. One of those blurred pictures was the logo for the DRDO, the Defense Research and Development Organization, of the Ministry of Defense of India (researchers said there’s evidence that India is targeted by this actor, however). In April, researchers came across two other documents distributing the RAT, both of which used lures related to the ongoing coronavirus pandemic. The first, which contained unreadable content, was named “C19.docx,” likely a reference to COVID-19. The second one was named “Azerbaijan_special[.]doc” and was designed to mimic an official Azerbaijan government document.

The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operator. However, it uses two components to avoid detection:

"This was a previously undiscovered RAT. It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: It appends the RAT to a Word document. Upon opening the document, a macro is executed that will extract the malware and execute it. The operation seems to be manual, but it's streamlined to deploy additional tools as needed and to avoid unnecessary steps," the researchers further comment.
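A defender can triage suspect attachments for the "appended to a Word document" trick by measuring how many bytes follow the end of the document's container. The following is an added example, not code from Talos or from the original article; it assumes the lure is a ZIP-based `.docx` (legacy OLE `.doc` files are not covered), and the function names and sample data are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # ZIP End of Central Directory signature
EOCD_LEN = 22              # fixed-size part of the EOCD record


def appended_bytes(data: bytes) -> int:
    """Bytes found after the ZIP container that starts at offset 0.

    Returns -1 when no such container is found (not a .docx/ZIP).
    """
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            (_sig, _disk, _cd_disk, _n_here, _n_total,
             cd_size, cd_offset, comment_len) = struct.unpack_from("<4s4H2LH", data, pos)
            end = pos + EOCD_LEN + comment_len
            # The container that begins at byte 0 has its central directory
            # ending exactly where its own EOCD record starts. Checking this
            # skips the EOCD of any second archive glued on afterwards.
            if cd_offset + cd_size == pos and end <= len(data):
                return len(data) - end
        pos = data.find(EOCD_SIG, pos + 1)
    return -1


def build_sample_docx() -> bytes:
    """Constructed, minimal .docx-like ZIP used only as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_docx()
    samples = {  # all sample inputs are constructed
        "clean.docx": clean,
        "raw-tail.docx": clean + b"\x00" * 4096,
        "zip-tail.docx": clean + build_sample_docx(),
    }
    for name, blob in samples.items():
        extra = appended_bytes(blob)
        flag = "  <-- review" if extra > 0 else ""
        print(f"{name}: {extra} byte(s) after container{flag}")
```

A well-formed `.docx` reports 0; any positive count means data sits outside the document container and the file deserves a closer look before it reaches a user.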

For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. 

The researchers also found out that operators manually pushed additional tools when they needed them on the compromised systems, such as keyloggers, browser-focused password stealers, camera control applications, and other generic password stealers.

In addition to the malware campaigns, the attacker performed a phishing campaign on the same infrastructure. This phishing website mimics the webmail of the Azerbaijan Government.

"At this time, we do not believe this attack is associated with an already known threat actor," reads the analysis published by Cisco Talos.


This attack is a reminder for all of us to avoid downloading documents from unknown sources, to disable auto-download and to avoid documents that request macros to be enabled. Stay aware of targeted phishing attacks and remind your colleagues or employees that, especially during times of crisis, they should be vigilant and careful when opening URLs and documents. Have a clear reporting strategy in place, so that you know at all times who to contact should you have doubts about possibly being the victim of an attack. Keep your anti-spam and antivirus protection up-to-date and don't forget to stay informed and educated on cybersecurity fundamentals and basic principles.