By Warren Mercer, Paul Rascagneres and Vitor Ventura.

News summary

  • Azerbaijan government and energy sector likely targeted by an unknown actor.
  • From the energy sector, the actor demonstrates interest in SCADA systems related to wind turbines.
  • The actor uses Word documents to drop malware that allows remote control over the victims.
  • The new remote access trojan, dubbed PoetRAT, is written in Python and is split into multiple parts.
  • The actor collects files, passwords and even images from the webcam, using other tools that it deploys as needed.

Executive summary
Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling "PoetRAT." At this time, we do not believe this attack is associated with an already known threat actor. Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, thus we believe the adversaries in this case want to target citizens of the country Azerbaijan, including private companies in the SCADA sector like wind turbine systems. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing the operator with full control of the compromised system. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data.

The campaign shows us that the operators manually pushed additional tools when they needed them on the compromised systems. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically. Besides these, there are keyloggers, browser-focused password stealers, camera control applications, and other generic password stealers.

In addition to the malware campaigns, the attacker ran a phishing campaign on the same infrastructure. The phishing website mimics the webmail of the Azerbaijan government.

What's new?  
This was a previously undiscovered RAT. It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: It appends the RAT to a Word document. Upon opening the document, a macro is executed that will extract the malware and execute it. The operation seems to be manual, but it's streamlined to deploy additional tools as needed and to avoid unnecessary steps.

How did it work?  
The initial foothold is established by sending the malicious Word document. It's not clear at this time how the adversary distributes the document. However, given that it is available for download from a basic URL, it wouldn't be surprising if the victims were being tricked into downloading it by an email or social media network message.

So what?  
This threat actor is highly motivated and focused on the victims it targets. They target the public and the private sectors as well as SCADA systems. The quantity and diversification of tools available in its toolkit denote a carefully planned attack.

Malware campaigns
We identified multiple campaigns we believe target the Azerbaijan public and private sectors, especially the energy sector. During our investigation, Talos identified the interest of this threat actor for SCADA systems — mainly wind turbines.

Campaign No. 1: February 2020

Decoy document
Once opened in Microsoft Office, the document appears blurred. This can't be fixed: the document is composed of blurred pictures with no real text. The logo appears to be that of the DRDO, the Defence Research and Development Organisation of the Ministry of Defence of India. We have no evidence that India is targeted by this actor.

The file was located on hxxp://govaz[.]herokuapp[.]com/content/section_policies.docx

Campaign No. 2: April 2020 — C19.docx

Document image
The file, in this case, was named "C19.docx," probably a reference to the COVID-19 pandemic, but without readable content.

Campaign #3: April 2020 — Coronavirus theme
The decoy document evolved to look more realistic. The initial stage is a Word document written in Russian posing as an Azerbaijan government document.

Document image

Document image
Both original file names are "Azerbaijan_special[.]doc," which is a dropper that can be found at hxxps://gov-az[.]herokuapp[.]com/content/Azerbaijan_special[.]doc.

Phishing campaign
On the same server, we identified a phishing campaign against the webmail of the Azerbaijan government:

This phishing website was available on "hxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login=" during the malware campaigns. The purpose was obviously to steal credentials.

We will present the infection vector of the most recent document. The other documents differ slightly (they use DDE), but the final goal is the same.

The Word document is a dropper. As is so often the case, it contains a Visual Basic script that carries out the malicious activities. This one, however, is more innovative. It starts by loading its own document file into memory. It then copies 7,074,638 bytes from the end of the file and writes those bytes back to the disk.

RAT extraction
The file written to the disk is actually a ZIP file. The actors appended the ZIP to the end of the Word document "".

This ZIP file contains a Python interpreter and the Python scripts that make up the RAT. The Word macro unzips it and executes the main script, called "". The launcher script is responsible for checking the environment in which the document is being opened. It assumes that all sandboxes will have hard drives smaller than 62GB. If it decides it is running in a sandbox environment, it overwrites the malware scripts with the contents of the file "License.txt" and exits, thus deleting itself.
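To show how a defender can check a .docx for the kind of appended payload described above, here is an added Python example; it is not code from the original post, from Talos or from the actor. A .docx is itself a ZIP, so the script locates the document's own end-of-central-directory record, validates it against the central directory it points to (so that an appended ZIP cannot pass for the container's end), and reports any bytes past that point as an overlay. The sample document and payload are constructed in memory, and the file names inside them are placeholders.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
EOCD_LEN = 22              # fixed part of the EOCD, before the optional comment


def container_end(data: bytes) -> int:
    """Offset one past the end of the first self-consistent ZIP in `data`.

    Taking the last EOCD in the file is not enough: a payload that is itself
    a ZIP (as with the PoetRAT droppers) carries its own EOCD at the very end.
    Each EOCD candidate is therefore checked against the central directory it
    points to, which must start with CDIR_SIG at the recorded absolute offset
    and must end exactly where the EOCD begins. An appended ZIP fails this
    test because its offsets are relative to its own start, not to the file.
    """
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            if cd_offset + cd_size == pos and data[cd_offset:cd_offset + 4] == CDIR_SIG:
                return pos + EOCD_LEN + comment_len
        pos = data.find(EOCD_SIG, pos + 1)
    raise ValueError("no consistent end-of-central-directory record found")


def overlay_info(data: bytes) -> tuple:
    """Return (overlay_size, overlay_bytes): whatever follows the ZIP container."""
    end = container_end(data)
    return len(data) - end, data[end:]


def classify_overlay(overlay: bytes) -> str:
    """Rough type of the appended data, judged by its magic bytes."""
    if not overlay:
        return "none"
    if overlay.startswith(b"PK\x03\x04"):
        return "zip"
    if overlay.startswith(b"MZ"):
        return "pe"
    return "unknown"


def build_sample() -> bytes:
    """Constructed test input: a minimal docx-like ZIP with a second ZIP appended.

    The payload script name is a placeholder, not the name used by the RAT.
    """
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as z:
        z.writestr("placeholder_script.py", "print('placeholder, not the real RAT')")
    return doc.getvalue() + payload.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    size, overlay = overlay_info(sample)
    print(f"container ends at {len(sample) - size}, overlay {size} bytes, "
          f"type {classify_overlay(overlay)}")
```

On a real document, read the file into `data` and call `overlay_info` on it; a non-zero overlay on a .docx is worth a closer look regardless of its type. The check only applies to OOXML files; a legacy .doc is an OLE compound file, not a ZIP, and needs a different container parser.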

Anti-sandbox code
If it determines that it is not running in a sandbox, it generates a unique ID, which is then inserted directly into the Python source code of the main scripts before they are executed.

The RAT is composed of two main scripts that need to work together. One, called "," is responsible for communications with the command and control (C2) server. It uses TLS to encrypt the communication, which takes place on port 143. Once connected, it sends the word "almond." The server should reply with either "who" or "ice." The RAT answers the "who" command with a string containing the username, computer name and the previously generated UUID. The "ice" command simply makes the RAT finish the connection procedure.
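As an added illustration of the handshake just described (this is not code from the post, nor the RAT's own code), here is a Python model of both sides of the exchange of the kind one would use in an analysis lab: a stub standing in for the implant that sends "almond" and answers "who" and "ice", a responder that plays the C2 so a sample can get past the handshake under observation, and a check that recognises the resulting pattern in a decrypted session transcript. The class names, the field separator in the identification string and the responder's behaviour are assumptions; there is no network I/O.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GREETING = "almond"


@dataclass
class ImplantStub:
    """Lab stand-in for the implant side of the handshake.

    It sends the greeting and answers the two server messages the post
    describes. The "|" separator in the "who" answer is an assumption.
    """
    username: str
    computer: str
    bot_uuid: str
    handshake_done: bool = False

    def greeting(self) -> str:
        return GREETING

    def on_server_message(self, msg: str) -> Tuple[Optional[str], bool]:
        """Return (reply, finished) for one message from the server."""
        if msg == "who":
            return "|".join((self.username, self.computer, self.bot_uuid)), False
        if msg == "ice":
            self.handshake_done = True
            return None, True
        raise ValueError(f"unexpected server message {msg!r}")


@dataclass
class LabResponder:
    """Sandbox-side C2 stand-in: optionally asks "who" after the greeting,
    records the identification, then sends "ice" to end the handshake."""
    ask_identity: bool = True
    identifications: List[str] = field(default_factory=list)

    def on_client_message(self, msg: str) -> str:
        if msg == GREETING and self.ask_identity:
            return "who"
        if msg != GREETING:
            self.identifications.append(msg)
        return "ice"


def run_exchange(implant: ImplantStub, responder: LabResponder,
                 max_rounds: int = 8) -> List[Tuple[str, str]]:
    """Drive the exchange in memory; return the transcript as (side, message)."""
    transcript = []
    msg = implant.greeting()
    transcript.append(("client", msg))
    for _ in range(max_rounds):
        reply = responder.on_client_message(msg)
        transcript.append(("server", reply))
        msg, finished = implant.on_server_message(reply)
        if finished:
            return transcript
        transcript.append(("client", msg))
    raise RuntimeError("handshake did not finish within max_rounds")


def looks_like_poetrat_handshake(transcript: List[Tuple[str, str]]) -> bool:
    """Detection over a decrypted transcript: "almond", then "who" or "ice",
    and the session setup closed by "ice"."""
    msgs = [m for _, m in transcript]
    return (len(msgs) >= 2 and msgs[0] == GREETING
            and msgs[1] in ("who", "ice") and msgs[-1] == "ice")


if __name__ == "__main__":
    implant = ImplantStub("user1", "DESKTOP-LAB", "00000000-0000-0000-0000-000000000000")
    for side, text in run_exchange(implant, LabResponder()):
        print(f"{side:>6}: {text}")
```

Because the real traffic is wrapped in TLS on port 143, the string check only works on traffic decrypted in a lab (or where an inspection proxy terminates TLS); on the wire, the useful observables are TLS to an unexpected host on an IMAP port from a Python interpreter.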

The other script is called "" This is responsible for the interpretation and execution of the C2 commands. The available commands are:

  • ls - listing files
  • cd - change current directory
  • sysinfo - get information about the system
  • download - uploads a file to the C2 using FTP
  • upload - downloads a file from the C2 onto the victim
  • shot - takes a screenshot and uploads it to the C2 using ftp
  • cp - copies files
  • mv - moves files
  • link - creates links between files
  • register - makes changes in the registry
  • hide - hides a file or unhides it depending on its current state
  • compress - compresses files using zip function
  • jobs - performs actions, like kill, clear, terminate on processes. By default will list all processes.
  • <os command to be executed> - anything that matches none of the above commands is executed as an OS command.

Some features need additional credentials (shot, upload, download). These credentials are not hardcoded on the sample. For each FTP usage, the credentials are provided by the C2 server during the request.

The RAT uses the Windows registry in the usual way to achieve persistence: it adds a value under the Run key that executes the Python script "". During our investigation, we witnessed several registry modifications that resulted in the malware skipping the sandbox evasion checks and proceeding with execution by passing a "police" keyword.

"C:\Users\Public\Python37\pythonw.exe" "C:\Users\Public\Python37\" "police"s\0

In, the police keyword will skip the sandbox checks and initialization process. This could be used for hosts already infected to ensure they do not re-check this environment.
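The persistence value and the "police" argument described above leave a recognisable trace in registry-write telemetry. The following Python is an added example (not from the post and not one of Cisco's detections) that scans constructed Sysmon-style registry-set events for a Run value launching a Python interpreter out of C:\Users\Public and, more specifically, passing the "police" keyword. The event layout, the value names and the script file name in the samples are all made up for the demo; the interpreter path and the keyword come from the command line shown in the post.

```python
import re
from typing import Dict, List, Optional

# Run keys are a classic persistence location.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# A Python interpreter living under C:\Users\Public is unusual on a managed host.
PUBLIC_PYTHON = re.compile(r'C:\\Users\\Public\\[^"]*pythonw?\.exe', re.IGNORECASE)
# The keyword the post says makes the RAT skip its sandbox checks and initialisation.
POLICE_ARG = re.compile(r'"police"', re.IGNORECASE)

# Constructed Sysmon-like registry-set events (EventID 13), simplified to
# key=value fields separated by "|". The script name is a placeholder.
SAMPLE_EVENTS = [
    r'EventID=13|Image=C:\Windows\System32\reg.exe|TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details="C:\Users\Public\Python37\pythonw.exe" "C:\Users\Public\Python37\placeholder_script.py" "police"',
    r'EventID=13|Image=C:\Users\Public\Python37\pythonw.exe|TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Sync|Details="C:\Users\Public\Python37\python.exe" "C:\Users\Public\Python37\placeholder_script.py"',
    r'EventID=13|Image=C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe|TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details="C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r'EventID=13|Image=C:\Windows\System32\reg.exe|TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Backup|Details="C:\Program Files\Python37\pythonw.exe" "C:\tools\backup.py"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into its key=value fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def assess(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious Run-key write, or None."""
    if event.get("EventID") != "13":
        return None
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if not RUN_KEY.search(target):
        return None
    reasons = []
    if PUBLIC_PYTHON.search(details):
        reasons.append("Python interpreter launched from C:\\Users\\Public")
    if POLICE_ARG.search(details):
        reasons.append('"police" argument (skips the RAT\'s sandbox checks)')
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return {"target": target, "details": details, "severity": severity, "reasons": reasons}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run assess() over a batch of event lines and collect the findings."""
    findings = []
    for line in lines:
        hit = assess(parse_event(line))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["target"], "->", "; ".join(finding["reasons"]))
```

The two signals are deliberately scored separately: a user-writable interpreter in C:\Users\Public under a Run key is suspicious on its own and worth a medium-severity alert, while the added "police" argument ties the value to this specific family.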

Start routine
The communication between the scripts is done via a file called "Abibliophobia23." Commands and results are written into the file using a custom encryption scheme. The "23" at the end of the file name differs between variants of the RAT.

Obfuscation algorithm
It uses a char substitution cipher where the new char code is obtained after performing mathematical operations on the char code to be encrypted using the key parameters.

Post-exploitation tools
During the campaign, the operator deployed additional tools on the targeted systems. In this section, we will describe a few of these tools.

Shortly after the initial compromise, the operator deploys a tool named "dog.exe." This malware is written in .NET and its purpose is to monitor hard drive paths and exfiltrate the information via an email account or an FTP server, depending on the configuration.

The configuration file is named dconf.json. It is pushed by the operator with the binary. Here is the format:

{
  "FileSize": 50,
  "BasePath": "C:/ProgramData/",
  "MyPath": "TARGET_Dog/",
  "UploadType": "ftp",
  "FtpUsername": "username1",
  "FtpPassword": "password1",
  "FtpUri": "ftp://ftp.ftpserver/repo/",
  "SmtpHost": "",
  "EmailUser": "",
  "EmailPass": "password2",
  "Paths": "C:/Users/User/Desktop/,C:/Users/User/Downloads/,C:/Users/User/Documents/"
}

  • FileSize defines the max size of the file to be exfiltrated (50MB in our example).
  • The working directory is the concatenation of BasePath and MyPath ("C:/ProgramData/TARGET_Dog/" in our example).
  • UploadType is the exfiltration method. It can be "ftp" or "email."
  • FtpUsername, FtpPassword and FtpUri define the FTP parameters for exfiltration.
  • SmtpHost, EmailUser and EmailPass define the email parameters for exfiltration.
  • Paths define the path to monitor on the compromised system.

The binary uses a file system watcher in order to generate an event each time a file is modified in one of the directories in the "Paths" variable of the configuration file.

Filesystem monitoring routine
Once a file is available, the Dog.exe binary exfiltrates it, using email or FTP depending on the configuration.

The attacker has a short Python script to record the victim's webcam.

Camera image capturing routine.
The script uses the OpenCV library, taking a sequence of 10 captures each time it is executed. The images are stored on the filesystem and there is no automatic exfiltration.

Additional tools
During our investigation, we identified a couple of additional tools mainly in Python and compiled for Windows:

  • Klog.exe: A keylogger using an output file called "System32.Log."

Keylogger special key map

  • "Browdec.exe": A browser credential-stealer
  • "voStro.exe": A compiled pypykatz, which is a full Python implementation of Mimikatz, a well-known credential-stealer.
  • "": A script used to create the file with the files/directories tree.
  • WinPwnage: An open-source framework of privilege escalation.
  • Nmap: An open-source pentesting and network-scanning tool.

During this investigation, we observed an actor using multiple tools and methodologies to carry out their full attack chain. Talos identified multiple lure documents during this campaign which all made use of Visual Basic macros and then Python to carry out their attacks on victims. The adversaries' targets are very specific and appear to be mostly Azerbaijan organizations in the public and private sectors, specifically ICS and SCADA systems in the energy industry.

The actor monitored specific directories, signaling they wanted to exfiltrate certain information on the victims. The attacker wanted to gain a full picture of the victim by using a keylogger, browser credential stealers and Mimikatz and pypykatz for further credential harvesting. Based on our research, the adversaries may have wanted to obtain important credentials from officials in Azerbaijan's government. The malware attempts to obtain pictures of the victim and utilizes a mail platform targeting the Azerbaijan government. The attacker wanted not only specific information obtained from the victims but also a full cache of information relating to their victim. They would have been able to gain potentially very important credentials and information using these techniques given their victimology. By using Python and other Python-based tools during their campaign, the actor may have avoided detection by traditional tools that have whitelisted Python and Python execution techniques.

Ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such as this automatically.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat as SIDs 53689-53691.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on

Cisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat.

For specific OSqueries on this threat, click below: PoetRAT filepath
PoetRAT registry

Hosts C2 -