A new Remote Access Trojan (RAT), discovered by security investigators, appears to be linked to a hacking team specializing in attacks on governments and diplomats.
On Thursday, Cisco Talos researchers said that the malware, called ObliqueRAT, is being deployed in a new campaign aimed primarily at Southeast Asia.
The latest campaign started in January 2020 and is still ongoing. The attackers use phishing messages as their primary means of attack, attaching Microsoft Office documents that carry the malware.
The attachments have innocuous names, such as Company-Terms.doc or DOT_JD_GM.doc, the latter possibly an abbreviation of “Department of Telecommunications_Job Description_General Manager”.
The files also appear to be password protected, a technique that may have been chosen to make the documents look legitimate and secure in corporate settings. The credentials required to open the file may be contained in the main body of the phishing message.
If the victim enters the password and opens the document, a malicious VB script is triggered; it extracts a malicious binary and downloads an executable, which acts as a dropper for ObliqueRAT.
Talos described the RAT as simple, containing the basic functions of a typical Trojan: the ability to collect files and system data for transfer to a command and control server, the functionality to receive and execute additional payloads, and the ability to terminate existing processes.
An interesting feature, however, is that the malware searches for a specific directory and steals the files it contains. The directory is C:\ProgramData\System\Dump.
In order to avoid detection, the malware also checks the system name and other system information for signs that the computer is “sandboxed”.
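As an added illustration that is not part of this report or of Talos's research, the following Python sketch applies two of the behaviours described above (an Office document spawning a script host or writing out an executable, and any process touching C:\ProgramData\System\Dump) to constructed endpoint telemetry; the event format and field names are assumptions, not a real product's schema.

```python
import json
import ntpath

# Directory the report names as the one ObliqueRAT harvests files from.
COLLECTION_DIR = r"C:\ProgramData\System\Dump"
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}

# Constructed sample events (not real logs), one JSON object per line.
SAMPLE_EVENTS = r"""
{"type":"process_create","process":"C:\\Windows\\System32\\wscript.exe","parent":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"type":"file_write","process":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","path":"C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe"}
{"type":"file_read","process":"C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe","path":"C:\\ProgramData\\System\\Dump\\report.docx"}
{"type":"process_create","process":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}
{"type":"file_read","process":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","path":"C:\\Users\\victim\\Documents\\Company-Terms.doc"}
"""

def _name(path):
    """Lower-cased image name, so comparisons ignore directory and case."""
    return ntpath.basename(path).lower()

def in_collection_dir(path):
    """True if path is the collection directory or anything beneath it (case-insensitive)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(COLLECTION_DIR)
    return norm == base or norm.startswith(base + "\\")

def triage(events):
    """Return one alert string per event that matches a described behaviour."""
    alerts = []
    for ev in events:
        proc, parent = _name(ev.get("process", "")), _name(ev.get("parent", ""))
        if ev["type"] == "process_create" and parent in OFFICE_HOSTS and proc in SCRIPT_HOSTS:
            alerts.append(f"office-spawned-script-host: {parent} -> {proc}")
        elif ev["type"] == "file_write" and proc in OFFICE_HOSTS and ev["path"].lower().endswith(".exe"):
            alerts.append(f"office-wrote-executable: {proc} -> {ev['path']}")
        elif ev["type"] in ("file_read", "file_write") and in_collection_dir(ev["path"]):
            alerts.append(f"collection-dir-access: {proc} -> {ev['path']}")
    return alerts

def triage_jsonl(text):
    """Parse JSON-lines telemetry and run triage over it."""
    return triage(json.loads(line) for line in text.splitlines() if line.strip())

if __name__ == "__main__":
    for alert in triage_jsonl(SAMPLE_EVENTS):
        print(alert)
```

The directory check deliberately matches only the named path and its subtree, so a sibling such as C:\ProgramData\System\Dumpster does not trigger it.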
According to Talos, the similarities between how the RAT is propagated and the variable names used in the malicious VBA documents indicate a possible link to CrimsonRAT, a group that has previously been linked to attacks on diplomatic and political organizations in the same area.