Cisco Talos researchers discovered a new malware, tracked as ObliqueRAT, that was employed in targeted attacks against organizations in Southeast Asia.
Experts from Cisco Talos discovered a new malware, tracked as ObliqueRAT, that appears to be custom malware developed by a threat actor focused on government and diplomatic targets.
The malware was employed in targeted attacks against organizations in Southeast Asia.
“Cisco Talos has recently discovered a new campaign distributing a malicious remote access trojan (RAT) family we’re calling “ObliqueRAT.” Cisco Talos also discovered a link between ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT sharing similar maldocs and macros.” reads the analysis published by the experts. “CrimsonRAT has been known to target diplomatic and government organizations in Southeast Asia.”
The most recent campaign started in January 2020 and is still ongoing.
The threat actor uses phishing messages with weaponized Microsoft Office documents to deliver the RAT.
The malicious documents trick victims into entering a password contained in the message in order to view their contents. The VB script in the maldocs is activated once the user enters the correct password for the document, a technique already observed by other attackers in the wild.
The maldocs used in this campaign have benign file names such as “Company-Terms.doc”, “DOT_JD_GM.doc.”
The malicious VB script included in the documents, once activated, extracts an embedded malicious binary and writes it to disk as an executable, which in turn drops ObliqueRAT.
To achieve persistence, the VB script creates a shortcut in the currently logged-in user's Start-Up directory.
The experts from Cisco Talos describe ObliqueRAT as simple but effective; it implements the following key capabilities:
Ability to execute arbitrary commands on an infected endpoint.
Ability to exfiltrate files.
Ability to drop additional files.
Ability to terminate processes on the infected endpoint.
Experts also noticed a distinctive feature implemented by the authors of the RAT: the malware looks for the presence of a specific directory and enumerates all files residing inside it. The directory path is hardcoded in the malicious code: C:\ProgramData\System\Dump.
“The RAT ensures that only one instance of its process is running on the infected endpoint at any given time by creating and checking for a mutex named Oblique,” the researchers say. “If the named mutex already exists on the endpoint then the RAT will stop executing until the next login of the infected user account.”
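The three host artifacts described above (the Start-Up shortcut, the hardcoded C:\ProgramData\System\Dump directory and the "Oblique" mutex) are cheap to check on a suspect endpoint. The following PowerShell triage script is an added example written for this page; it is not code from the Talos report or from the malware. The function name Invoke-ObliqueRatTriage and its output format are assumptions, and the Start-Up check simply lists every shortcut target for review, since the page does not give the shortcut's name or target.

```powershell
# Added host-triage example (not from the Talos report). Checks the three
# artifacts the article describes. Run in the logged-in user's session
# (named mutexes and the per-user Start-Up folder are session/user scoped).

function Invoke-ObliqueRatTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Persistence: resolve every shortcut in the user's Start-Up folder.
    #    The report excerpt gives no target, so each target is listed for review;
    #    the all-users folder is included as well, as an extra precaution.
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($folder in @('Startup', 'CommonStartup')) {
        $path = [Environment]::GetFolderPath($folder)
        Get-ChildItem -Path $path -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $wsh.CreateShortcut($_.FullName)
            $findings.Add(("Startup shortcut ({0}): {1} -> {2} {3}" -f $folder, $_.Name, $lnk.TargetPath, $lnk.Arguments))
        }
    }

    # 2. The hardcoded directory the RAT enumerates.
    $dumpDir = 'C:\ProgramData\System\Dump'
    if (Test-Path -LiteralPath $dumpDir) {
        $count = (Get-ChildItem -LiteralPath $dumpDir -Force -File -ErrorAction SilentlyContinue | Measure-Object).Count
        $findings.Add("Directory present: $dumpDir ($count files)")
    }

    # 3. The single-instance mutex. A bare name lives in the session-local
    #    namespace; "Global\" is checked too in case a variant uses it.
    #    UnauthorizedAccessException means the mutex exists but we cannot open it,
    #    which is still a positive finding.
    foreach ($name in @('Oblique', 'Global\Oblique')) {
        $mutex = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$mutex)) {
                $mutex.Dispose()
                $findings.Add("Mutex '$name' exists: an ObliqueRAT instance may be running")
            }
        } catch [System.UnauthorizedAccessException] {
            $findings.Add("Mutex '$name' exists but is not accessible from this session")
        }
    }

    return $findings
}

$result = Invoke-ObliqueRatTriage
if ($result.Count -eq 0) {
    Write-Output 'No ObliqueRAT artifacts found; review Start-Up folders manually if the host is suspect.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

A mutex hit is only meaningful while the implant is running, so an absent mutex does not clear the host; the shortcut and directory checks persist across reboots and are the more durable indicators of the three.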
The malware implements evasion and anti-analysis checks intended to stop the implant from running inside a sandbox or an analyst's test environment.
Experts found similarities between ObliqueRAT and CrimsonRAT: Cisco Talos observed that the attackers distribute both malware families in a similar way, and that the VBA script variables used in the malicious documents overlap.
CrimsonRAT is another malware family employed by a group previously connected to attacks against diplomatic and political organizations in the same region.
“This campaign shows a threat actor conducting a targeted distribution of maldocs similar to those utilized in the distribution of CrimsonRAT. However, what stands out here is that the actor is now distributing a new family of RATS.” concludes the report. “Although it isn’t technically sophisticated, ObliqueRAT consists of a plethora of capabilities that can be used to carry out various malicious activities on the infected endpoint.”