Researchers have uncovered a new Remote Access Trojan (RAT) that appears to be the handiwork of a threat group specializing in attacks against government and diplomatic targets.
On Thursday, Cisco Talos researchers said the malware, dubbed ObliqueRAT, is being deployed in a new campaign focused on targets in Southeast Asia.
The latest campaign started in January 2020 and is ongoing. The cybercriminals behind the scheme use phishing emails as the primary attack vector, with malicious Microsoft Office documents attached to the fraudulent emails designed to deploy the RAT.
The attachments have innocent names, such as Company-Terms.doc or DOT_JD_GM.doc, which may be short for “Department Of Telecommunications_Job Description_General Manager.”
Password protection is in place, a technique that may be designed to try to make the documents appear legitimate and secure in corporate settings. The credentials required to open the file are likely contained in the main body of the phishing email.
If the victim inputs the password and opens the document, a malicious VB script springs into action, extracting a malicious binary and dropping an executable which acts as the dropper for ObliqueRAT.
Persistence is maintained through creating a startup process for the executable every time the compromised system reboots.
The RAT is deemed “simple” by Talos and contains the core functionality of a typical Trojan, including the ability to exfiltrate files and system data for transfer to a command-and-control (C2) server; functionality for downloading and executing additional payloads, and the ability to terminate existing processes.
An interesting feature, however, is that the malware seeks out a particular directory in order to grab files residing within. The directory name, C:ProgramDataSystemDump, is hardcoded.
“The RAT ensures that only one instance of its process is running on the infected endpoint at any given time by creating and checking for a mutex named Oblique,” the researchers say. “If the named mutex already exists on the endpoint then the RAT will stop executing until the next login of the infected user account.”
In order to avoid detection and reverse-engineering efforts, the malware will also check the system’s name and information for clues that the PC is sandboxed, such as the use of the username “test.”
According to Talos, similarities between how the RAT is being spread and within the VBA script variables used in the malicious documents suggest a potential link to CrimsonRAT, a group previously connected to attacks against diplomatic and political organizations in the same region.
“This campaign shows a threat actor conducting a targeted distribution of maldocs similar to those utilized in the distribution of CrimsonRAT,” Talos says. “However, what stands out here is that the actor is now distributing a new family of RATS. Although it isn’t technically sophisticated, ObliqueRAT consists of a plethora of capabilities that can be used to carry out various malicious activities on the infected endpoint.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0