A close-up of a small gray mouse with long whiskers, sitting on a red piece of yarn against a black background. The mouse's nose and face are prominently featured, giving it a curious expression, as if it senses an unseen threat nearby.

New WogRAT malware abuses online notepad service to store malware

A new malware dubbed ‘WogRAT’ targets both Windows and Linux in attacks abusing an online notepad platform named ‘aNotepad’ as a covert channel for storing and retrieving malicious code.

According to AhnLab Security Intelligence Center (ASEC) researchers, who named the malware from a string reading ‘WingOfGod,’ it has been active since at least late 2022, targeting Japan, Singapore, China, Hong Kong, and other Asian countries.

The distribution methods are unknown, but the names of the sampled executables resemble popular software (flashsetup_LL3gjJ7.exe, WindowsApp.exe, WindowsTool.exe, BrowserFixup.exe, ChromeFixup.exe, HttpDownload.exe, ToolKit.exe), so they are likely distributed via malvertizing or similar schemes.

Abusing online notepads

Of note is the abuse of aNotepad, a free online notepad platform, to host a base64-encoded .NET binary of the Windows version of the malware, disguised as an Adobe tool.

Being a legitimate online service, aNotepad isn’t blocklisted or treated suspiciously by security tools, which helps make the infection chain stealthier.

When the malware is first executed on the victim’s machine, it is unlikely to be flagged by AV tools as it does not feature any malicious functionality.

However, the malware contains encrypted source code for a malware downloader that is compiled and executed on the fly.

This downloader retrieves a further malicious .NET binary stored in base64 encoded form on aNotepad, resulting in loading a DLL, which is the WogRAT backdoor.

Encrypted strings retrieved from aNotepad
Encoded strings retrieved from aNotepad (ASEC)

WogRAT sends a basic profile of the infected system to the command and control (C2) server and receives commands for execution.

There are five supported functions:

  • Run a command
  • Download file from specified URL
  • Upload specified file to C2
  • Wait for a specified time (in seconds)
  • Terminate
FTP file upload
FTP file upload (ASEC)

Linux version

The Linux version of WogRAT, which comes in ELF form, shares many similarities with the Windows variant. However, it distinguishes itself by utilizing Tiny Shell for routing operations and additional encryption in its communication with the C2.

TinySHell is an open-source backdoor that facilitates data exchange and command execution on Linux systems for multiple threat actors, including LightBasin, OldGremlin, UNC4540, and the unidentified operators of the Linux rootkit ‘Syslogk.’

Another notable difference is that commands on the Linux variant are not sent via POST requests but are instead issued through a a reverse shell created on a given IP and port.

ASEC analysts have been unable to determine how these ELF binaries are distributed to victims, while the Linux variant does not abuse aNotepad for hosting and retrieving malicious code.

The full list of the indicators of compromise (IoCs) relating to WogRAT can be found at the bottom of ASEC’s report.

Skip to content