ObliqueRAT Infiltrates into Victims’ Endpoints Using Malicious Documents
ObliqueRAT malware is using new techniques to avoid detections, including hiding the malicious payload within corrupted images hosted on compromised websites.
ObliqueRAT operators, also known as Remote Access Trojan, have developed four advanced versions of the malware, using new technical capabilities and a series of initial infection vectors. First discovered in early 2020, the group is believed to be connected to the cyber threat organization Transparent Tribe. The latter is a highly active APT operating since 2013 and predominantly targeting Indian military and diplomatic offices.
ObliqueRAT is the latest example of threat actors that are quickly changing gears when their methods are discovered and exposed publicly.
Although mainly designed to steal money, hackers use Trojans for other purposes as well. Often, Trojans are part of a more complex malware cocktail, that can include rootkits, worms, or other malware that enslave a computer to a botnet.
According to researchers from Cisco Talos, ObliqueRAT is using malicious Microsoft Office documents to direct users to compromised websites that host its malicious payload. In the past, attackers employed corrupted Office documents to directly infect the victim’s system with ObliqueRAT. Their techniques have changed, however, and now they’re hiding the malware in what appears to be benign image files on compromised websites, using the corrupted Office documents only to point victims to the payload.
The practice is known as “steganography”, and it involves hiding malicious code inside an image or a music file. This technique may not be new, but as threat researcher Asheer Malhotra explains, it isn’t very common either:
The fact that this threat actor is now using this technique—that they’ve never used before—is interesting. This shows that the actors are constantly designing new infection techniques and evolving their capabilities with a focus on stealth.
ObliqueRAT has been linked with campaigns targeting South Asian organizations. The malware aims at spying on users, including through the system webcam, by taking screenshots, steal files, and give attackers the ability to deliver malicious files and take control of compromised systems.
Heimdal® Email Security
- Completely secure your infrastructure against email-delivered threats;
- Deep content scanning for malicious attachments and links;
- Block Phishing and man-in-the-email attacks;
- Complete email-based reporting for compliance & auditing requirements;
Researchers have not been able to specify how exactly are the attackers transferring the malicious Microsoft Office documents to their victims. They can only assume that the hackers are delivering them through email attachments, or exploiting URLs to send the rigged documents.
When the malicious document has reached a system, all the attackers have to do is wait for the victim to open the document. After closing the document, a malicious macro within the document is triggered, fetching and decoding the malicious ObliqueRAT payload from a compromised website.
ObliqueRAT is then executed on the targeted endpoint using a malicious shortcut, as Malhotra adds:
The macros are also responsible for achieving reboot persistence for the ObliqueRAT payloads. This is done by creating a shortcut (.url file extension) in the infected user’s Startup directory.
The techniques the hackers might be using to jeopardize websites and plant corrupted image files with the ObliqueRAT payload are still unclear. Methods could include everything from frail, predictable passwords to known vulnerabilities weakening outdated and unpatched systems.