Since its emergence, ObliqueRAT has steadily gained new technical capabilities. Cisco Talos researchers have identified a new ObliqueRAT campaign that adopts new infection and evasion techniques.

New ObliqueRAT campaign

The attackers behind the campaign are using an updated infection chain and new macro code to deploy the malware on victim systems.
In this campaign, the attackers use new malware-laced documents to redirect victims based in South Asia to websites under their control.
  • Steganography is used to hide the malicious code: the payloads are embedded in seemingly benign image and video files hosted on compromised websites.
  • The payload hosted on these sites is a malicious BMP file that carries the ObliqueRAT payload inside an embedded ZIP archive.
  • When the macros execute, they extract the ZIP archive from the image and, from it, the ObliqueRAT payload.
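As an added illustration of the carrier technique described above (this is example code written for this page, not Talos's analysis tooling and not ObliqueRAT's own code): the block below constructs a valid 24-bit BMP whose pixel array holds a ZIP archive, then carves the archive back out by scanning for ZIP signatures only past the pixel-data offset given in the BMP header. How the real ObliqueRAT BMP embeds its ZIP is not described on this page; placing the archive at the start of the pixel array, the member name `payload.bin`, and the stand-in payload bytes are assumptions of the example.

```python
import io
import struct
import zipfile

# ZIP signatures: local file header (start of archive) and end-of-central-directory record.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
BMP_HEADERS_LEN = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER


def make_zip(member_name: str, member_data: bytes) -> bytes:
    """Build a small ZIP archive in memory holding one member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_data)
    return buf.getvalue()


def build_bmp(width: int = 64, height: int = 64, hidden: bytes = b"") -> bytes:
    """Build a valid 24-bit uncompressed BMP filled with gray pixels.

    If `hidden` is given, it overwrites the start of the pixel array. The image still
    parses and renders (the hidden bytes just show up as noisy pixels), which is the
    property a steganographic carrier relies on. Assumed placement, not ObliqueRAT's.
    """
    row_bytes = (width * 3 + 3) & ~3          # BMP rows are padded to 4 bytes
    pixel_size = row_bytes * height
    if len(hidden) > pixel_size:
        raise ValueError("pixel array too small to hold the hidden data")
    pixels = bytearray(b"\x80" * pixel_size)
    pixels[: len(hidden)] = hidden

    file_header = struct.pack("<2sIHHI", b"BM", BMP_HEADERS_LEN + pixel_size, 0, 0, BMP_HEADERS_LEN)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_size, 2835, 2835, 0, 0)
    return file_header + info_header + bytes(pixels)


def find_embedded_zip(data: bytes) -> int:
    """Return the offset of a ZIP local-file header inside a BMP's pixel data, or -1.

    The search starts at bfOffBits (the pixel-array offset from the file header) so
    that the BMP header bytes themselves are never mistaken for a ZIP signature.
    """
    if len(data) < BMP_HEADERS_LEN or data[:2] != b"BM":
        return -1
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    return data.find(ZIP_LOCAL_HEADER, pixel_offset)


def extract_embedded_zip(data: bytes) -> dict:
    """Carve the embedded archive out of the image and return {member name: bytes}.

    The archive is cut exactly at the end of its EOCD record (22 bytes plus the
    optional comment), so trailing pixel bytes cannot confuse the ZIP parser.
    """
    start = find_embedded_zip(data)
    if start < 0:
        return {}
    eocd = data.find(ZIP_EOCD, start)
    if eocd < 0:
        return {}                            # header present but archive truncated
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    archive = data[start : eocd + 22 + comment_len]
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


if __name__ == "__main__":
    # Constructed sample: the "payload" is a harmless byte string standing in for the RAT.
    carrier = build_bmp(hidden=make_zip("payload.bin", b"stand-in for the ObliqueRAT payload"))
    clean = build_bmp()
    print("carrier:", find_embedded_zip(carrier), extract_embedded_zip(carrier))
    print("clean:  ", find_embedded_zip(clean), extract_embedded_zip(clean))
```

The point of searching from bfOffBits rather than from byte 0, and of cutting the archive at its EOCD record, is that a carver run over every image fetched from a suspect site then neither fires on header bytes nor trips over the pixel data that follows the archive; an image that parses as a BMP and also yields a ZIP member is the artifact to pull into analysis.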

A brief evolutionary history

Talos researchers have found four new versions of the ObliqueRAT malware. The versions share almost the same functionality, with slight modifications between them.
  • Version 6.1, developed in April 2020, introduced anti-infection checks.
  • Version 6.3.2, developed in September 2020, added data-stealing capabilities.
  • Version 6.3.4, from October 2020, extended the anti-infection checks with more keywords for blocklisted endpoint and computer names.
  • Version 6.3.5, developed in November 2020, uses new mutex names.

Malware’s affiliations

ObliqueRAT has been linked to several threat actors in the past.
  • Potential links have been found between ObliqueRAT and the Transparent Tribe APT group.
  • ObliqueRAT has been connected to previous campaigns distributing the CrimsonRAT malware.
  • The researchers have also found links to other malware attacks previously observed in the wild.

In short

The continuous modifications to ObliqueRAT highlight its developers' use of obfuscation techniques, aimed specifically at evading traditional signature-based detection. Such updates indicate that the attackers are not planning to stop any time soon, and further updates can be anticipated in the near future.

Cyware Publisher