Delaware, USA – February 25, 2020 – The ObliqueRAT trojan is being used in an ongoing campaign targeting diplomatic and government organizations in Southeast Asia. The campaign was spotted by Cisco Talos researchers, whose detailed analysis of the malware and the techniques used points to the distributors of CrimsonRAT, a cyberespionage group operating in the same region, as the primary suspects. “The malicious VBA Scripts in the maldocs discovered by Talos semantically resemble a previously observed maldoc distribution campaign (from 2019) delivering another .NET based RAT family popularly known as CrimsonRAT,” experts said.
The campaign started in January: adversaries send phishing emails with a password-protected MS Office document attached and the password in the email body. Once the document is opened, a malicious VBA script extracts a Windows binary and creates a shortcut in the Start-Up directory to achieve persistence. ObliqueRAT is capable of downloading and exfiltrating files, executing arbitrary commands, and terminating processes on the infected system. “Although it isn’t technically sophisticated, ObliqueRAT consists of a plethora of capabilities that can be used to carry out various malicious activities on the infected endpoint. The fact that the maldocs are password protected (and that the ObliqueRAT implant consists of probable anti-analysis techniques) indicates the attackers’ intent to hide the malicious activities of the infection from an analyst.”
Content available on Threat Detection Marketplace to spot suspicious Registry changes used for persistence:
Registry Persistence Mechanisms – https://tdm.socprime.com/tdm/info/Z4YGSHNopjyZ/
Rare powershell command to set registry persistence – https://tdm.socprime.com/tdm/info/tw3ERWvnCmPQ/
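The persistence described above is a shortcut dropped into the Start-Up folder by an Office macro, which is a file-system event rather than a Registry change, so a hunt for this chain should watch both the Startup directories and the Run/RunOnce keys that the Registry rules listed above target. The following is an added example, written for this page and not code from Cisco Talos or from Threat Detection Marketplace. It assumes Sysmon-style events exported as newline-delimited JSON with the field names `EventID`, `Image`, `TargetFilename` (Event ID 11, FileCreate) and `TargetObject` (Event ID 13, Registry value set); the five sample events are constructed for the demonstration, and the process names, paths and SID are invented.

```python
"""Flag Startup-folder drops and Run-key writes in Sysmon-style JSON events.

Added example for this article; not the original page's or vendor's code.
Sample events below are constructed, not captured from a real host.
"""
import json
import re

# Office processes whose file drops into a Startup folder match the
# maldoc -> VBA -> Startup shortcut chain described in the article
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Startup folders: per-user (AppData\Roaming\...) and all-users (ProgramData\...)
STARTUP_DIR_RE = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.IGNORECASE)
# Run / RunOnce autostart keys under HKLM or any HKU hive
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\", re.IGNORECASE)


def image_name(path):
    """Return the lower-cased executable name from a full image path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return an alert dict for a persistence-related event, otherwise None."""
    eid = event.get("EventID")
    if eid == 11:  # Sysmon FileCreate
        target = event.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target):
            creator = image_name(event.get("Image", ""))
            return {
                "rule": "startup_folder_drop",
                # An Office process writing into Startup is the maldoc chain;
                # a shell-created shortcut may be a user action, so rate it lower
                "severity": "high" if creator in OFFICE_PROCESSES else "medium",
                "process": creator,
                "target": target,
            }
    elif eid == 13:  # Sysmon RegistryEvent (value set)
        target = event.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            return {
                "rule": "run_key_persistence",
                "severity": "high",
                "process": image_name(event.get("Image", "")),
                "target": target,
            }
    return None


def scan(log_lines):
    """Parse newline-delimited JSON events and return alerts in log order."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        alert = check_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log (hypothetical paths, user name and SID)
SAMPLE_LOG = [
    r'{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", '
    r'"TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}',
    r'{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", '
    r'"TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Notes.lnk"}',
    r'{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}',
    r'{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", '
    r'"TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"}',
    r'{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", '
    r'"TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\BITS\\Start"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the sample log, the scan raises three alerts: the Word-created shortcut in the user's Startup folder (high), the Explorer-created shortcut in the all-users Startup folder (medium), and the PowerShell write to a Run value (high); the ordinary document save and the service-key write produce nothing. In production the JSON field names must match whatever your collector emits, and the medium-severity Startup case is worth keeping rather than suppressing, since a dropper can stage the shortcut through a process other than the Office host.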