Skip to content

S0428 PoetRAT

PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare. 231

Item Value
ID S0428
Associated Names
Type MALWARE
Version 2.2
Created 27 April 2020
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols PoetRAT has used HTTP and HTTPs for C2 communications.3
enterprise T1071.002 File Transfer Protocols PoetRAT has used FTP for C2 communications.3
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility PoetRAT has the ability to compress files with zip.2
enterprise T1119 Automated Collection PoetRAT used file system monitoring to track modification and enable automatic exfiltration.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder PoetRAT has added a registry key in the hive for persistence.2
enterprise T1059 Command and Scripting Interpreter PoetRAT has executed a Lua script through a Lua interpreter for Windows.3
enterprise T1059.003 Windows Command Shell PoetRAT has called cmd through a Word document macro.3
enterprise T1059.005 Visual Basic PoetRAT has used Word documents with VBScripts to execute malicious activities.23
enterprise T1059.006 Python PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.2
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers PoetRAT has used a Python tool named Browdec.exe to steal browser credentials.2
enterprise T1140 Deobfuscate/Decode Files or Information PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts.3
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography PoetRAT used TLS to encrypt command and control (C2) communications.2
enterprise T1048 Exfiltration Over Alternative Protocol PoetRAT has used a .NET tool named dog.exe to exiltrate information over an e-mail account.2
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol PoetRAT has used ftp for exfiltration.2
enterprise T1041 Exfiltration Over C2 Channel PoetRAT has exfiltrated data over the C2 channel.3
enterprise T1083 File and Directory Discovery PoetRAT has the ability to list files upon receiving the ls command from C2.2
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories PoetRAT has the ability to hide and unhide files.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected.2
enterprise T1105 Ingress Tool Transfer PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.23
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging PoetRAT has used a Python tool named klog.exe for keylogging.2
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange PoetRAT was delivered with documents using DDE to execute malicious code.2
enterprise T1112 Modify Registry PoetRAT has made registry modifications to alter its behavior upon execution.2
enterprise T1571 Non-Standard Port PoetRAT used TLS to encrypt communications over port 1432
enterprise T1027 Obfuscated Files or Information PoetRAT has used a custom encryption scheme for communication between scripts.2
enterprise T1027.010 Command Obfuscation PoetRAT has pyminifier to obfuscate scripts.3
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials.2
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment PoetRAT was distributed via malicious Word documents.2
enterprise T1057 Process Discovery PoetRAT has the ability to list all running processes.2
enterprise T1018 Remote System Discovery PoetRAT used Nmap for remote system discovery.2
enterprise T1113 Screen Capture PoetRAT has the ability to take screen captures.21
enterprise T1082 System Information Discovery PoetRAT has the ability to gather information about the compromised host.2
enterprise T1033 System Owner/User Discovery PoetRAT sent username, computer name, and the previously generated UUID in reply to a “who” command from C2.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File PoetRAT has used spearphishing attachments to infect victims.2
enterprise T1125 Video Capture PoetRAT has used a Python tool named Bewmac to record the webcam on compromised hosts.2
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of “License.txt” and exiting.2

References