Compromised Website Images Camouflage ObliqueRAT Malware
Emails spreading the ObliqueRAT malware now make use of steganography, disguising their payloads on compromised websites.
What is the ObliqueRAT Malware?
Known ObliqueRAT activity dates back to November 2019, as part of a campaign targeting entities in Southeast Asia that Cisco Talos researchers uncovered in February 2020. ObliqueRAT operators have consistently used emails with malicious attachments as the initial infection vector. The infection chain generally begins with an initial executable that acts as a dropper for ObliqueRAT itself.
Once a system is infected, ObliqueRAT exfiltrates various information, including system data, a list of drives and a list of running processes.
ObliqueRAT Malware Evolution
The newly discovered ObliqueRAT attack chain belongs to a campaign that began in May 2020 but was only recently uncovered by researchers. Besides redirecting victims to compromised websites, the operators have also changed the payloads themselves, which now arrive as seemingly benign bitmap image files (BMP).
The image files contain both legitimate image data and malicious executable bytes concealed in the image data, said researchers. Threatpost has reached out to Cisco Talos for further information on the compromised websites and the images used as part of the attack.
This is a well-known tactic, called steganography. Attackers hide malware inside image files to circumvent detection, because many mail filters and web gateways let image formats pass without much scrutiny.
The initial email sent to victims contains malicious documents with new macros that redirect the user to malicious URLs hosting these payloads. The macros then download the BMP files from the compromised website and extract the ObliqueRAT payload to disk.
Slight variations have been seen in real-world attacks. One malicious document that researchers found “uses a similar technique, with the difference being that the payload hosted on the compromised website is a BMP image containing a .ZIP file that contains ObliqueRAT payload,” said Cisco Talos researcher Asheer Malhotra. “The malicious macros are responsible for extracting the .ZIP and subsequently the ObliqueRAT payload on the endpoint.”
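The two delivery variants described above (an executable hidden in a BMP, and a ZIP hidden in a BMP that in turn holds the executable) can be triaged with the same check. The following is an added example, not Talos code or the campaign's macro logic: it parses the BMP file header, flags bytes that trail the declared file size, looks for MZ or PK signatures inside the pixel area, and carves what it finds. The sample BMP, the stand-in "executable" and the ZIP are constructed inline so the script runs offline.

```python
"""Added example: triage a BMP for an appended PE or ZIP payload.

Not code from the ObliqueRAT campaign or from Cisco Talos; the sample
image, the fake executable and the ZIP below are constructed here.
"""
import io
import struct
import zipfile

MZ = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"


def parse_bmp_header(data: bytes) -> dict:
    """Return the BITMAPFILEHEADER fields (14 bytes, little-endian)."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    size, _res1, _res2, off_bits = struct.unpack_from("<IHHI", data, 2)
    return {"declared_size": size, "pixel_offset": off_bits}


def find_embedded_payloads(data: bytes) -> list:
    """Scan a BMP for payload signatures once the pixel data begins.

    Returns (offset, kind) tuples for:
      - data trailing the declared file size ("trailing-data")
      - an MZ header with a plausible e_lfanew -> "PE\\0\\0" ("pe")
      - a ZIP local file header ("zip")
    """
    hdr = parse_bmp_header(data)
    hits = []
    if len(data) > hdr["declared_size"]:
        hits.append((hdr["declared_size"], "trailing-data"))
    start = hdr["pixel_offset"]
    for sig, kind in ((MZ, "pe"), (ZIP_MAGIC, "zip")):
        pos = data.find(sig, start)
        while pos != -1:
            if kind == "pe":
                if pos + 0x40 > len(data):
                    break
                # e_lfanew at DOS header offset 0x3C must point at "PE\0\0"
                e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
                if data[pos + e_lfanew:pos + e_lfanew + 4] != b"PE\x00\x00":
                    pos = data.find(sig, pos + 1)
                    continue
            hits.append((pos, kind))
            pos = data.find(sig, pos + 1)
    return hits


def carve(data: bytes, offset: int, kind: str) -> dict:
    """Carve the payload at offset; for a ZIP, return its members by name."""
    blob = data[offset:]
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return {name: z.read(name) for name in z.namelist()}
    return {"carved.bin": blob}


# --- constructed sample data (not real malware) ---------------------------

def build_fake_pe() -> bytes:
    """Stand-in executable: DOS header whose e_lfanew points at 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_bmp(payload: bytes) -> bytes:
    """1x1 24-bit BMP (54-byte headers + 4 bytes of pixels) with payload appended."""
    pixels = b"\x00\x00\xff\x00"  # one red pixel, row padded to 4 bytes
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels),
                       2835, 2835, 0, 0)
    size = 14 + len(info) + len(pixels)           # declared size: 58
    file_hdr = b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(info))
    return file_hdr + info + pixels + payload


def build_sample_zip_bmp() -> bytes:
    """The ZIP-in-BMP variant: a stored ZIP holding payload.exe, appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payload.exe", build_fake_pe())
    return build_sample_bmp(buf.getvalue())


if __name__ == "__main__":
    for label, sample in (("pe-in-bmp", build_sample_bmp(build_fake_pe())),
                          ("zip-in-bmp", build_sample_zip_bmp())):
        print(label, find_embedded_payloads(sample))
```

Appending bytes after the pixel data leaves the BMP rendering normally, which is why a size mismatch between the header's declared length and the actual file length is the cheapest tell; the signature scan catches the case where the declared size has been patched to cover the appended data. The `e_lfanew` check avoids false positives on pixel bytes that happen to spell "MZ".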
During the investigation, researchers also discovered three previously unreported ObliqueRAT payloads, which show how the malware authors have changed the tool over time. One version created in September added new file enumeration and theft capabilities, and extended the payload to take webcam and desktop screenshots and recordings.
ObliqueRAT: Hiding From Detection, Improved Persistence
This updated payload delivery technique gives attackers a leg up in sidestepping detection, said researchers.
“It is highly likely that these changes are in response to previous disclosures to achieve evasion for these new campaigns,” they said. “The usage of compromised websites is another attempt at detection evasion.”
The macros have also adopted a new tactic for surviving reboots. They create an Internet Shortcut (a file with the .URL extension) in the infected user’s Startup directory, said researchers, so the payload is launched again each time the user logs on after a reboot.
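A .URL file is a small INI-style text file; Windows opens whatever its URL= line points at, and in the Startup folder that happens at every logon. The following is an added example for hunting this persistence on a host, not code from the campaign or from Talos. It parses each .URL file in the Startup folders, and flags targets that are local files or non-web schemes instead of http(s) links. The Startup paths are the assumed Windows defaults, and the sample shortcuts are constructed in a temporary directory so the script runs anywhere.

```python
"""Added example: find Startup-folder .URL shortcuts that launch local files.

Illustrative detection logic, not the ObliqueRAT macro or Talos code.
The Startup folder paths below are the assumed Windows defaults.
"""
import configparser
import os
import tempfile
from pathlib import Path
from urllib.parse import urlparse

STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("PROGRAMDATA", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
]
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}


def shortcut_target(text: str):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def is_suspicious_target(target: str) -> bool:
    """True when the shortcut would launch something local rather than open a web page."""
    t = target.strip()
    p = urlparse(t)
    if p.scheme in ("http", "https"):
        return False
    # urlparse reads "C:\..." as scheme "c": a one-letter scheme is a drive letter
    if p.scheme == "" or len(p.scheme) == 1:
        return Path(t).suffix.lower() in EXEC_SUFFIXES
    if p.scheme == "file":
        # file:///C:/path/app.exe runs the local file at logon
        return Path(p.path).suffix.lower() in EXEC_SUFFIXES
    return True  # any other scheme (custom protocol handlers) warrants review


def scan_startup(dirs) -> list:
    """Return (shortcut path, target) for every suspicious .URL file found."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for f in d.iterdir():
            if f.suffix.lower() != ".url":
                continue
            target = shortcut_target(f.read_text(encoding="utf-8", errors="replace"))
            if target and is_suspicious_target(target):
                findings.append((str(f), target))
    return findings


def demo() -> list:
    """Constructed sample Startup folder: one benign web link, two launchers."""
    d = Path(tempfile.mkdtemp())
    (d / "news.url").write_text("[InternetShortcut]\nURL=https://example.com/\n")
    (d / "update.url").write_text(
        "[InternetShortcut]\nURL=file:///C:/Users/Public/svchost.exe\n")
    (d / "local.url").write_text(
        "[InternetShortcut]\nURL=C:\\Users\\Public\\run.vbs\n")
    return scan_startup([d])


if __name__ == "__main__":
    for path, target in scan_startup(STARTUP_DIRS) or demo():
        print(f"suspicious startup shortcut: {path} -> {target}")
```

Run it on a live host to check the real Startup folders; with no findings there it falls back to the constructed sample. Note that legitimate web shortcuts in Startup are unusual but not unheard of, so the check reports only non-http(s) targets rather than every .URL file.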
RevengeRAT: Researchers Link With ‘Low Confidence’
Researchers said that they observed overlaps in the command-and-control (C2) server infrastructure between ObliqueRAT and a RevengeRAT campaign. However, they only made the connection with “low confidence” due to lack of any other more substantial evidence.
RevengeRAT is a commodity malware family that has been used by Iran-linked, espionage-focused threat group APT33 in the past. The RAT collects and exfiltrates information from the victim’s system.
Previously, researchers also made links between ObliqueRAT and Crimson RAT. The functionalities of Crimson RAT include stealing credentials from victims’ browsers, capturing screenshots, collecting antivirus software information, and listing the running processes, drives and directories from victim machines. Researchers said that the two RATs shared “similar maldocs and macros” in previous ObliqueRAT campaigns.
“This malware has links to the Transparent Tribe group that has historically targeted entities in South Asia,” Malhotra told Threatpost. “As is the case with most suspected APT campaigns, this campaign is also low volume. A low-volume campaign has better chances of remaining undiscovered for longer periods of time thus increasing the chances of success for the attackers.”
Source: https://threatpost.com