The Oblique RAT malware is now hiding its payloads as seemingly innocent image files that are hidden on compromised websites.
The Oblique RAT campaign now uses steganography, hiding its payloads inside image files hosted on compromised websites.
The Remote Access Trojan (RAT), active since 2019, spreads via emails carrying malicious Microsoft Office documents.
Previously, the payloads were embedded in the documents themselves. Now, when a user opens the attachment and enables its macros, the macros reach out to malicious URLs where the payloads are concealed inside image files.
Researchers warn that the new tactic has helped Oblique RAT operators avoid detection while targeting organisations in South Asia. The end goal is unchanged: the victim receives an email with a malicious Microsoft Office document which, once opened, fetches the payload, and the RAT then exfiltrates data from the victim's machine.
“This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections,” observed Asheer Malhotra, researcher with Cisco Talos, on Tuesday.
“Modifications in the Oblique RAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms.”
What is the Oblique RAT?
The known activity for Oblique RAT dates to November 2019, part of a campaign targeting entities in Southeast Asia that was uncovered by Cisco Talos researchers in February 2020. Oblique RAT operators have always used emails with malicious attachments as the initial infection vector. Generally, the infection chain starts with an initial executable, which acts as a dropper for Oblique RAT itself.
Once it has infected a system, Oblique RAT exfiltrates information including system data, a list of drives and a list of running processes.
Oblique RAT Evolution
The newly discovered Oblique RAT attack chain was part of a campaign that started in May 2020 but was only recently uncovered by researchers. In addition to the use of URL redirects, the payload delivery itself has been updated: the payloads now arrive inside seemingly benign bitmap (BMP) image files.
The image files contain legitimate image data alongside malicious executable bytes concealed within it, the researchers said.
This is a well-known tactic used by threat actors, called steganography. Attackers hide malware in image files to circumvent detection, because many filters and gateways let image formats pass without much scrutiny.
The initial email contains a malicious document with new macros that reach out to the malicious URLs hosting these payloads. The macros download the BMP files, extract the Oblique RAT payload and write it to disk.
There are slight variations that have been seen in real-world attacks. One instance of a malicious document that researchers found “uses a similar technique, with the difference being that the payload hosted on the compromised website is a BMP image containing a .ZIP file that contains Oblique RAT payload,” observed Malhotra.
“The malicious macros are responsible for extracting the .ZIP and subsequently the Oblique RAT payload on the endpoint.”
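The two delivery variants above (an executable hidden in a BMP, and a ZIP hidden in a BMP) share one property a defender can check for: a BMP's headers state exactly how large the pixel array is, so anything beyond that is not image data. The following is an added example, not code from Cisco Talos or from the campaign; it assumes the simplest form of image-carrier hiding, where the payload is appended after the pixel array. The three sample files it analyses are constructed in the script itself (a tiny 2x2 bitmap with a fake MZ/PE stub or an in-memory ZIP appended), and the member name `payload.exe` is invented.

```python
import io
import struct
import zipfile

PE_SIGNATURE = b"PE\x00\x00"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def looks_like_pe(buf):
    """True if buf starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def find_embedded(buf, base=0):
    """Locate PE executables and ZIP archives inside buf; offsets are reported relative to base."""
    hits = []
    start = 0
    while (pos := buf.find(b"MZ", start)) != -1:
        if looks_like_pe(buf[pos:]):          # "MZ" alone is too short to be a signature
            hits.append(("pe_executable", base + pos))
        start = pos + 1
    start = 0
    while (pos := buf.find(ZIP_LOCAL_HEADER, start)) != -1:
        hits.append(("zip_archive", base + pos))
        start = pos + 1
    return hits


def analyze_bmp(data):
    """Parse the BMP headers, compute where the pixel array must end, and inspect what follows."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, declared_size, _, _, off_bits = struct.unpack_from("<2sIHHI", data, 0)
    header_size, width, height, _, bit_count, compression = struct.unpack_from("<IiiHHI", data, 14)
    if header_size < 40 or compression != 0:
        raise ValueError("only uncompressed BITMAPINFOHEADER-style images are handled here")
    # Rows are padded to 4-byte boundaries; a negative height means a top-down bitmap.
    stride = ((width * bit_count + 31) // 32) * 4
    pixel_bytes = stride * abs(height)
    expected_end = off_bits + pixel_bytes
    trailing = data[expected_end:]            # a well-formed BMP ends with the pixel array
    return {
        "declared_size": declared_size,
        "actual_size": len(data),
        "pixel_bytes": pixel_bytes,
        "trailing_bytes": len(trailing),
        "embedded": find_embedded(trailing, base=expected_end),
        "suspicious": bool(trailing) or declared_size != len(data),
    }


def build_bmp(width, height, trailer=b""):
    """Constructed 24-bit BMP filled with one colour; `trailer` is appended after the pixel array."""
    stride = ((width * 24 + 31) // 32) * 4
    row = (b"\x40\x80\xc0" * width).ljust(stride, b"\x00")
    pixel_data = row * height
    off_bits = 14 + 40
    file_size = off_bits + len(pixel_data) + len(trailer)
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, off_bits)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixel_data), 2835, 2835, 0, 0)
    return file_header + info_header + pixel_data + trailer


def fake_pe_stub():
    """Constructed stand-in for an executable: MZ header with e_lfanew pointing at 'PE\\0\\0'.
    It is not runnable code, only enough structure for the signature check."""
    stub = bytearray(b"MZ").ljust(0x3C, b"\x00")
    stub += struct.pack("<I", 0x40) + PE_SIGNATURE
    return bytes(stub)


def sample_files():
    """Three constructed carriers: a clean image, one with an appended PE, one with an appended ZIP."""
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("payload.exe", fake_pe_stub())   # invented member name
    return {
        "clean": build_bmp(2, 2),
        "pe_appended": build_bmp(2, 2, trailer=fake_pe_stub()),
        "zip_appended": build_bmp(2, 2, trailer=zipped.getvalue()),
    }


if __name__ == "__main__":
    for name, data in sample_files().items():
        print(name, analyze_bmp(data))
```

The check is deliberately structural rather than signature-based: it flags any bytes the headers do not account for, whichever container the attacker chooses. Its limit is the assumption in the lead-in. If the payload bytes are spread through the pixel values themselves (LSB-style embedding) rather than appended, the pixel array is the expected size and this parser sees nothing; in that case detection has to come from the macro's behaviour or from the decoded file the macro writes to disk.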
Changes over Time
During the course of their investigation, researchers also discovered three previously undocumented payloads that had been used in earlier Oblique RAT activity, showing how the malware authors have made changes over time.
For example, one version created in September added new file-enumeration and file-theft capabilities, and extended the payload to capture webcam and desktop screenshots and recordings.
Hiding from Detection
This updated payload delivery technique gives attackers a leg up in sidestepping detection, the researchers said.
“It is highly likely that these changes are in response to previous disclosures to achieve evasion for these new campaigns,” they observed. “The usage of compromised websites is another attempt at detection evasion.”
The macros have also adopted a new tactic for reboot persistence: they create an Internet Shortcut (a file with the .URL extension) in the infected user's Startup directory, the researchers outlined. The shortcut is processed again when the user logs in after a reboot, so the payload keeps running.
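A Startup-folder .URL file is a plain INI-style text file with an [InternetShortcut] section, and a legitimate one points at a web address. The following added example, not part of the report or of any Talos tooling, parses such files and flags targets that point at a local executable instead. It assumes that a persistence shortcut of this kind refers to the dropped payload by a file:// URL, a drive-letter path or a UNC path (the report does not show the shortcut's contents); the three shortcut files it checks are constructed here, and the paths in them are invented.

```python
import configparser
import glob
import os
import re
from urllib.parse import urlsplit

# Standard Windows Startup folders processed at logon (well-known locations, not from the report).
STARTUP_DIRS = [
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
]

LOCAL_EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def parse_url_shortcut(text):
    """Return the URL= target of an Internet Shortcut (.url) file, or None if it has none."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def classify_target(url):
    """Classify a shortcut target as 'web', 'local_executable' or 'local_other'."""
    url = url.strip()
    if DRIVE_PATH.match(url) or url.startswith("\\\\"):
        path = url                              # bare drive-letter or UNC path
    else:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme in ("http", "https"):
            return "web"
        path = parts.path if scheme == "file" else url
    return "local_executable" if path.lower().endswith(LOCAL_EXECUTABLE_SUFFIXES) else "local_other"


def suspicious_shortcuts(shortcuts):
    """shortcuts: iterable of (name, file_text). Returns (name, target, kind) for every non-web target."""
    flagged = []
    for name, text in shortcuts:
        target = parse_url_shortcut(text)
        if target is None:
            continue
        kind = classify_target(target)
        if kind != "web":
            flagged.append((name, target, kind))
    return flagged


def scan_startup_dirs():
    """Read every .url file in the Startup folders (meaningful on Windows only) and return flagged ones."""
    found = []
    for d in STARTUP_DIRS:
        for path in glob.glob(os.path.join(os.path.expandvars(d), "*.url")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                found.append((path, fh.read()))
    return suspicious_shortcuts(found)


# Constructed sample shortcut files; the paths are invented, not recovered from the campaign.
SAMPLES = [
    ("news.url", "[InternetShortcut]\nURL=https://example.com/\n"),
    ("update.url", "[InternetShortcut]\nURL=file:///C:/Users/Public/payload.exe\nIconIndex=0\n"),
    ("tool.url", "[InternetShortcut]\nURL=C:\\Users\\Public\\Documents\\tool.exe\n"),
]


if __name__ == "__main__":
    for entry in suspicious_shortcuts(SAMPLES):
        print("flagged:", entry)
    for entry in scan_startup_dirs():
        print("flagged on this host:", entry)
```

Run on a live host the script only reads the two Startup folders; everything that is not a plain http(s) target is reported, which also catches non-executable targets worth a look (a `.lnk` or document in a .URL is unusual). The classification is on the target string alone, so pair it with a hash or signature check of the file it points to before deciding anything.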
Researchers explained that they observed overlaps in command-and-control (C2) server infrastructure between Oblique RAT and a Revenge RAT campaign. However, they made the connection only with “low confidence”, given the lack of more substantial evidence.
Previously, researchers also made links between Oblique RAT and Crimson RAT. Crimson RAT's functionality includes stealing credentials from victims' browsers, capturing screenshots, collecting antivirus software information, and listing the running processes, drives and directories on victim machines.
Researchers said that the two RATs shared “similar maldocs and macros” in previous Oblique RAT campaigns.
“This malware has links to the Transparent Tribe group that has historically targeted entities in South Asia,” Malhotra explained.
“As is the case with most suspected APT campaigns, this campaign is also low volume. A low-volume campaign has better chances of remaining undiscovered for longer periods of time thus increasing the chances of success for the attackers.”