By Asheer Malhotra.
- Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT.
- This campaign targets organizations in South Asia.
- ObliqueRAT has been linked to the Transparent Tribe APT group in the past.
- This campaign hides the ObliqueRAT payload in seemingly benign image files hosted on compromised websites.
What's new? Cisco Talos recently discovered another new campaign distributing the malicious remote access trojan (RAT) ObliqueRAT. In the past, Talos connected ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT. These two malware families share similar maldocs and macros. This new campaign, however, utilizes completely different macro code to download and deploy the ObliqueRAT payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites.
How did it work? Historically, this RAT is dropped to a victim's endpoint using malicious Microsoft Office documents (maldocs). These new maldocs, however, do not contain the ObliqueRAT payload directly embedded in the maldoc, as observed in previous campaigns. Instead, the attackers utilize a technique novel to their infection chain to infect targeted endpoints by pointing users instead to malicious URLs. New core technical capabilities of ObliqueRAT include:
- The maldocs-based infection chain.
- Changes/updates to its payload.
- Additional links to previously observed malware attacks in the wild.
So what? This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections. Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms. While file-signature and network-based detection is important, it can be complemented with system behavior analysis and endpoint protections for additional layers of security.
Analysis of maldocs The maldocs utilized in previous ObliqueRAT attacks used mechanisms identical to the CrimsonRAT delivery maldocs. The latest campaign distributing ObliqueRAT now utilizes completely different macro code in their maldocs.
The attack has also evolved to include the following functionalities:
- Payloads are now hosted on compromised websites.
- The payloads hosted on these websites consist of seemingly benign BMP image files.
- The malicious macros download the images and the ObliqueRAT payload is extracted to disk.
- The ObliqueRAT payload is renamed with the .pif file extension.
ObliqueRAT payload extracted, written to file on disk and renamed.
Another instance of a maldoc uses a similar technique with the difference being that the payload hosted on the compromised website is a BMP image containing a ZIP file that contains ObliqueRAT payload. The malicious macros are responsible for extracting the ZIP and subsequently the ObliqueRAT payload on the endpoint.
Persistence The macros are also responsible for achieving reboot persistence for the ObliqueRAT payloads. This is done by creating a shortcut (.url file extension) in the infected user's Startup directory.
Malicious shortcut in the infected user's startup directory to execute ObliqueRAT on startup.
Image files The image files used are BMP files hosted on adversary-controlled websites. The image files contain legitimate image data and malicious executable bytes concealed in the image data bytes.
Image file containing executable data in the BITMAPLINES (RGB data).
ObliqueRAT infection chain.
ObliqueRAT payload Talos discovered three new versions of ObliqueRAT as part of this investigation. This section covers changes and updates introduced in these versions. For a complete technical analysis of ObliqueRAT, refer to our previous blog post.
After the discovery of the previous ObliqueRAT payload (version 5.2) we observed four new versions:
- 6.1, developed April 2020
- 6.3.2, developed September 2020
- 6.3.4, developed October 2020
- 6.3.5 developed November 2020
Version 6.1 The attackers made a few key updates with version 6.1:
- Added a new command code "hb" to the RAT. Although this command code doesn't really do anything, it is highly likely that the attackers are preparing to introduce a new RAT capability.
- The attackers introduced anti-infection checks in version 6.1. The implant does two sets of checks:
- Check for blocklisted usernames and computernames: The implant concatenates the username and computer it acquires from the infected endpoint's environment variables. This string is then checked against a list of blocklisted values to determine if the implant should continue execution or exit out. See a full list of these keywords under the IOC section.
- Check for blocklisted process names: The following process names are blocklisted and if found running on the system, the RAT implant will simply exit. The blocklist consists of processes belonging to Virtual Machine software (such as VMWare) and analysis tools (such as ProcessHacker etc.)
If any of the blocklisted strings match the artifacts on the endpoint, the implant stops execution (without cleaning up its persistence mechanisms).
Version 6.3.2 This version adds new RAT capabilities to the implant. One of these consists of extracting files of interest from hot-pluggable or removable drives connected to the endpoint. Specifically, the implant looks for files with the following extensions in the removable drives:
- doc, docx
- ppt, pptx
- xls, xlsx
The implant will look for files with these extensions in the removable drive and the "Recycled" folder. Any files found will be copied to its own file repository at locations C:\ProgramData\System\Recycled (from <Drive_letter>:\Recycled) and C:\ProgramData\System\Dump (from <Drive_Letter>:\*).
Another new ObliqueRAT capability involves recursively enumerating files in the drives present on the endpoint. The file paths are all recorded to location "C:\ProgramData\DirecTree.txt" (for the implant to later exfiltrate). The implant contains a hard-coded list of drives to enumerate:
C:\, D:\, F:\, G:\, H:\, I:\, J:\, K:\, L:\, M:\, N:\, O:\, P:\, Q:\, R:\, S:\, T:\, U:\, V:\, W:\, X:\, Y:\, Z:\
There are also new capabilities triggered by specific command codes from the command and control (C2) that were introduced in version 6.3.2:
Command code = "wes" ; Webcam screenshot Capture current view of the webcam to a DIB file located at "C:\ProgramData\wsc".
Code to grab webcam frames and save to a DIB file.
Command code = "sss" ; Desktop Screenshot Capture current screen (screenshot) and save screenshot as a JPEG to "C:\ProgramData\tsc".
The contents of the file are subsequently read and sent to the C2.
Code to capture a screenshot as bitmap and save to file.
Command code = "pizz" Command Data=<filename> & <ZIP_file_name> Similar to command code "4". Here, the implant accepts the names of the target file and an archive file. The target file is added to the archive file created at "C:\ProgramData\<archive_name>.zip". However, in this case, the archive file is not exfiltrated to the C2 and is only created on the endpoint).
Command code = "plit" Command Data=<target filepath> Receive a file path from the C2 for a file to read. The target file is read and then split into smaller files named "<target_filename>.part_<part_number>" and stored on disk. This capability can be used to break large files of interest into smaller chunks to prepare them for exfiltration.
Version 6.3.4 This version contains minor changes to the ObliqueRAT implant including:
- Removal of the "backed" command from the implant. This command was used to back up the contents of one log file to another.
- Addition of more anti-infection keywords to check on the endpoint (specifically for Oracle VirtualBox VM detection).
- Addition of the ".csv" file extension to targeted file types list copied over from removable drives.
Version 6.3.5 The only update seen in this minor version update of ObliqueRAT is a change in the naming convention of the Mutex created by the RAT.
The initial version of ObliqueRAT discovered in the wild by Talos created a mutex named "Oblique" on the system. The attackers then changed their naming convention and subsequent versions of ObliqueRAT discovered (and detailed in this post) follow a different naming convention:
- v6.1 :"t802" - Naming convention changed for mutex
- v6.3.2 :"t803"
- v6.3.4 :"t804"
- v6.3.5 :"gaia5" - Another change in Mutex naming convention (possible randomization).
Evolution of implants The following is a timeline of the evolution of capabilities of the ObliqueRAT implants discovered so far:
- November 2019
- Version 5.2 of ObliqueRAT created, eventually disclosed in February 2020 by Talos.
- Distributed via maldocs containing embedded ObliqueRAT payloads.
- April 2020
- Version 6.1 of ObliqueRAT created.
- Introduction of anti-infection techniques.
- Added an empty command code "hb".
- September 2020
- Version 6.3.2 of ObliqueRAT created.
- Additional file enumeration and stealing capabilities.
- Webcam and desktop screenshot and recording RAT capabilities and commands introduced.
- Distribution via maldocs employing BMPs containing ObliqueRAT payloads.
- Version 6.3.4 of ObliqueRAT created — minor update.
- More keywords added to anti-infection checks.
- Housekeeping ability to backup log files removed.
- Continued distribution via maldocs employing BMPs containing ObliqueRAT payloads.
- November 2020
- Version 6.3.5 of ObliqueRAT created - minor update.
- Same functionalities as v6.3.4. Only mutex name changed.
Evolution of ObliqueRAT.
Related campaigns Our previous post on ObliqueRAT detailed its connections to CrimsonRAT and, subsequently, the links to the Transparent Tribe APT group targeting organizations in South Asia. We have also observed overlaps in the C2 infrastructure used between ObliqueRAT and a RevengeRAT campaign. Talos assesses with low confidence that there is a possible link between certain RevengeRAT campaigns and ObliqueRAT and its operators.
RevengeRAT is a .NET-based RAT whose source code was leaked publicly a few years ago. It has increasingly become a common practice for crimeware and state-sponsored groups to utilize leaked malware. This practice takes away the need to develop implants and C2 servers from scratch and increases the chances of misattribution.
Conclusion This campaign shows a threat actor evolving their infection techniques so that they no longer resemble those used previously. It is highly likely that these changes are in response to previous disclosures to achieve evasion for these new campaigns. The usage of compromised websites is another attempt at detection evasion. The adversaries have also introduced steganography as a way to hide the ObliqueRAT payloads in image files. This technique is novel to ObliqueRAT's distribution chain (not observed in the past). This new campaign distributing ObliqueRAT started in April 2020 and is still ongoing. This campaign also highlights that while network-based detection is important, it must be complemented with system behavior analysis and endpoint protections.
CoverageWays our customers can detect and block this threat are listed below.
2ad362e25989b0b1911310345da90473df9053190737c456494b0c26613c8d1f 0196bc9ac3db6f02cfa97323c8fce6cc7318b8f8fadb3e73bdf7971b3c541964 b85536589c79648a10868b58075d7896ec09bbde43f9c4bad95ed82a200652bc