Cyberattackers behind ObliqueRAT campaigns are now disguising the Trojan in benign image files on hijacked websites.
The ObliqueRAT Remote Access Trojan (RAT), discovered in early 2020, has been traced back to attacks against organizations in South Asia.
When first discovered, the malware was described as a “simple” RAT with the typical, core functionality of a Trojan focused on data theft — such as the ability to exfiltrate files, connect to a command-and-control (C2) server, and the ability to terminate existing processes. The malware is also able to check for any clues indicating its target is sandboxed, a common practice for cybersecurity engineers to implement in reverse-engineering malware samples.
Since its initial discovery, ObliqueRAT has been upgraded with new technical capabilities and utilizes a wider set of initial infection vectors. In a blog post on Tuesday, Cisco Talos said a new campaign designed to deploy the RAT in the same region has changed how the malware is served on victim systems.
Previously, Microsoft Office documents would be sent via phishing emails to a target that contained malicious macros leading to the direct deployment of ObliqueRAT. Now, however, these maldocs are directing victims to malicious websites instead — likely in a bid to circumvent email security controls.
A technique known as steganography is in play. Steganography is used to hide code, files, images, and video content within other content of file formats, and in this case, the researchers have found .BMP files that contain malicious ObliqueRAT payloads.
Websites that have been compromised by threat actors host these .BMP files. While the files do contain legitimate image data, executable bytes are also concealed in RGB data — and when viewed, trigger the download of a .ZIP file containing ObliqueRAT.
According to the researchers, the malicious macros contained in the maldoc extract the archive file and deploy the Trojan on the target endpoint system.
In total, four new versions of the malware have been recently discovered and appear to have been developed between April and November 2020. Improvements include checks for blocklisted endpoints and computer names, as well as the inclusion of the ability to extract files from external storage. A new command prompt, as of yet unassigned, also indicates that additional updates will occur in the future.
ObliqueRAT has also been connected to campaigns distributing CrimsonRAT. There are potential links to Transparent Tribe (.PDF), a state-sponsored threat group ProofPoint says has previously attacked Indian embassies in Saudi Arabia and Kazakhstan. Due to C2 infrastructure overlaps, there may also be ties to RevengeRAT campaigns.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0