By Asheer Malhotra.
- Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT.
- This campaign targets organizations in South Asia.
- ObliqueRAT has been linked to the Transparent Tribe APT group in the past.
- This campaign hides the ObliqueRAT payload in seemingly benign image files hosted on compromised websites.
Cisco Talos recently discovered another new campaign distributing the malicious remote access trojan (RAT) ObliqueRAT. In the past, Talos connected ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT. These two malware families share similar maldocs and macros. This new campaign, however, utilizes completely different macro code to download and deploy the ObliqueRAT payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites.
How did it work?
Historically, this RAT has been dropped onto a victim’s endpoint using malicious Microsoft Office documents (maldocs). The new maldocs, however, do not embed the ObliqueRAT payload directly, as observed in previous campaigns. Instead, the attackers use a technique new to their infection chain: the maldocs point to malicious URLs from which the payload is retrieved. The new findings covered in this post are:
- The maldocs-based infection chain.
- Changes/updates to its payload.
- Additional links to previously observed malware attacks in the wild.
This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections. Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms. While file-signature and network-based detection is important, it can be complemented with system behavior analysis and endpoint protections for additional layers of security.
Analysis of maldocs
The maldocs utilized in previous ObliqueRAT attacks used mechanisms identical to the CrimsonRAT delivery maldocs. The latest campaign distributing ObliqueRAT now utilizes completely different macro code in their maldocs.
The attack has also evolved to include the following functionalities:
- Payloads are now hosted on compromised websites.
- The payloads hosted on these websites consist of seemingly benign BMP image files.
- The malicious macros download the images and extract the ObliqueRAT payload to disk.
- The ObliqueRAT payload is renamed with the .pif file extension.
ObliqueRAT payload extracted, written to file on disk and renamed.
Another maldoc uses a similar technique, the difference being that the payload hosted on the compromised website is a BMP image containing a ZIP file, which in turn contains the ObliqueRAT payload. The malicious macros are responsible for extracting the ZIP and subsequently the ObliqueRAT payload on the endpoint.
The macros are also responsible for achieving reboot persistence for the ObliqueRAT payloads. This is done by creating a shortcut (.url file extension) in the infected user’s Startup directory.
Malicious shortcut in the infected user’s startup directory to execute ObliqueRAT on startup.
The image files used are BMP files hosted on adversary-controlled websites. The image files contain legitimate image data and malicious executable bytes concealed in the image data bytes.
Image file containing executable data in the BITMAPLINES (RGB data).
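As an added defender-side example (not Talos code or a sample from this campaign), the following Python scanner parses the BMP file and info headers, then looks for a PE (MZ/PE) or ZIP local-header signature inside the pixel area and for bytes appended beyond the declared image size. The sample BMP and the PE stub it embeds are constructed for the test and are not real payload bytes.

```python
import struct

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # every ZIP member begins with this local file header

def parse_bmp(data: bytes):
    """Return (pixel_offset, expected_pixel_bytes) from the BMP headers, or None if not a BMP."""
    if len(data) < 54 or data[:2] != b"BM":
        return None
    _size, _r1, _r2, pixel_offset = struct.unpack_from("<IHHI", data, 2)  # BITMAPFILEHEADER
    width, height, _planes, bpp = struct.unpack_from("<iiHH", data, 18)    # BITMAPINFOHEADER
    stride = ((width * bpp + 31) // 32) * 4        # each pixel row is padded to 4 bytes
    return pixel_offset, stride * abs(height)

def looks_like_pe(buf: bytes, pos: int) -> bool:
    """True if buf[pos:] starts an MZ header whose e_lfanew (offset 0x3C) points at "PE\\0\\0"."""
    if buf[pos:pos + 2] != b"MZ" or len(buf) < pos + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
    return buf[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00"

def scan_bmp(data: bytes) -> list:
    """Flag executable or archive bytes inside a BMP's pixel area, and data appended after it."""
    parsed = parse_bmp(data)
    if parsed is None:
        return [("not_bmp", 0)]
    pixel_offset, expected = parsed
    pixels = data[pixel_offset:]
    findings = []
    for pos in range(len(pixels) - 1):
        if looks_like_pe(pixels, pos):
            findings.append(("embedded_pe", pixel_offset + pos))
        elif pixels.startswith(ZIP_LOCAL_HEADER, pos):
            findings.append(("embedded_zip", pixel_offset + pos))
    if len(pixels) > expected:                     # bytes beyond the declared image size
        findings.append(("trailing_data", len(pixels) - expected))
    return findings

def build_sample_bmp(inject: bytes = b"", at: int = 0, width: int = 16, height: int = 4) -> bytes:
    """Constructed 24-bpp BMP for testing: black pixels with `inject` spliced into the RGB data."""
    stride = ((width * 24 + 31) // 32) * 4
    pixels = bytearray(stride * height)
    pixels[at:at + len(inject)] = inject
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    return file_hdr + info_hdr + bytes(pixels)

# Constructed PE stub: "MZ", e_lfanew = 0x40 at offset 0x3C, "PE\0\0" at 0x40. Not a real executable.
FAKE_PE_STUB = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00"
```

A clean image yields no findings; a hit in the pixel area is reported with its absolute file offset so the region can be carved for further analysis.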
ObliqueRAT infection chain.
Talos discovered three new versions of ObliqueRAT as part of this investigation. This section covers changes and updates introduced in these versions. For a complete technical analysis of ObliqueRAT, refer to our previous blog post.
After the discovery of the previous ObliqueRAT payload (version 5.2), we observed four new versions:
- 6.1, developed April 2020
- 6.3.2, developed September 2020
- 6.3.4, developed October 2020
- 6.3.5, developed November 2020
The attackers made a few key updates with version 6.1:
- Added a new command code “hb” to the RAT. Although this command code currently does nothing, it is highly likely that the attackers are preparing to introduce a new RAT capability.
- The attackers introduced anti-infection checks in version 6.1. The implant performs two sets of checks:
  - Blocklisted usernames and computer names: the implant concatenates the username and computer name it obtains from the infected endpoint’s environment variables and compares the resulting string against a list of blocklisted values to decide whether to continue execution or exit. The full list of these keywords is given in the IOC section.
  - Blocklisted process names: if any process from the blocklist is found running on the system, the RAT implant simply exits. The blocklist (also given in the IOC section) consists of processes belonging to virtual machine software (such as VMware) and analysis tools (such as ProcessHacker).
If any of the blocklisted strings match the artifacts on the endpoint, the implant stops execution (without cleaning up its persistence mechanisms).
Version 6.3.2 adds new RAT capabilities to the implant. One of these consists of extracting files of interest from hot-pluggable or removable drives connected to the endpoint. Specifically, the implant looks for files with the following extensions on the removable drives:
- doc, docx
- ppt, pptx
- xls, xlsx
The implant looks for files with these extensions on the removable drive and in its “Recycled” folder. Any files found are copied to the implant’s own file repository: C:\ProgramData\System\Recycled (for files from <Drive_letter>:\Recycled) and C:\ProgramData\System\Dump (for files from <Drive_letter>:\*).
Another new ObliqueRAT capability involves recursively enumerating files in the drives present on the endpoint. The file paths are all recorded to C:\ProgramData\DirecTree.txt (for the implant to later exfiltrate). The implant contains a hard-coded list of drives to enumerate:
C:\, D:\, F:\, G:\, H:\, I:\, J:\, K:\, L:\, M:\, N:\, O:\, P:\, Q:\, R:\, S:\, T:\, U:\, V:\, W:\, X:\, Y:\, Z:\
There are also new capabilities triggered by specific command codes from the command and control (C2) that were introduced in version 6.3.2:
Command code “wes”: webcam screenshot
Captures the current view of the webcam to a DIB file located at “C:\ProgramData\wsc”.
Code to grab webcam frames and save to a DIB file.
Command code “sss”: desktop screenshot
Captures the current screen and saves the screenshot as a JPEG to “C:\ProgramData\tsc”.
The contents of the file are subsequently read and sent to the C2.
Code to capture a screenshot as bitmap and save to file.
Command code “pizz”, command data: <filename> & <ZIP_file_name>
Similar to command code “4”. Here, the implant accepts the names of a target file and an archive file. The target file is added to the archive file created at “C:\ProgramData\<archive_name>.zip”. In this case, however, the archive file is not exfiltrated to the C2 and is only created on the endpoint.
Command code “plit”, command data: <target filepath>
Receives a file path from the C2 for a file to read. The target file is read and then split into smaller files named “<target_filename>.part_<part_number>” that are stored on disk. This capability can be used to break large files of interest into smaller chunks to prepare them for exfiltration.
Version 6.3.4 contains minor changes to the ObliqueRAT implant, including:
- Removal of the “backed” command from the implant. This command was used to back up the contents of one log file to another.
- Addition of more anti-infection keywords to check on the endpoint (specifically for Oracle VirtualBox VM detection).
- Addition of the “.csv” file extension to targeted file types list copied over from removable drives.
The only update seen in version 6.3.5 is a change in the naming convention of the mutex created by the RAT.
The initial version of ObliqueRAT discovered in the wild by Talos created a mutex named “Oblique” on the system. The attackers then changed their naming convention and subsequent versions of ObliqueRAT discovered (and detailed in this post) follow a different naming convention:
- v6.1: “t802” (naming convention changed for the mutex)
- v6.3.5: “gaia5” (another change in the mutex naming convention, possibly randomization)
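The persistence shortcut, file repositories, capture files and split chunks described above all leave named artifacts on disk. As an added defender-side example (not Talos code), this Python triage routine takes a file listing (path to text content for .url files, otherwise None) and flags those artifacts, parsing each Startup-folder .url shortcut to see whether it launches a local executable such as a .pif. The sample listing, user name and file names are constructed for the test.

```python
import configparser
from pathlib import PureWindowsPath

KNOWN_PATHS = {  # on-disk artifacts named in the analysis above, lower-cased for matching
    r"c:\programdata\directree.txt": "drive enumeration log awaiting exfiltration",
    r"c:\programdata\system\recycled": "repository for files copied from <drive>:\\Recycled",
    r"c:\programdata\system\dump": "repository for files copied from removable drives",
    r"c:\programdata\wsc": "webcam capture (DIB)",
    r"c:\programdata\tsc": "desktop screenshot (JPEG)",
}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

def shortcut_target(url_file_text: str):
    """Return the URL= target of an InternetShortcut (.url) file, or None if unparsable."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    try:
        cp.read_string(url_file_text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def triage(listing: dict) -> list:
    """listing maps path -> text content (for .url files) or None; returns (path, reason) pairs."""
    findings = []
    for path, content in listing.items():
        p = PureWindowsPath(path)
        key = str(p).lower()
        if key in KNOWN_PATHS:
            findings.append((path, KNOWN_PATHS[key]))
        elif p.suffix.lower().startswith(".part_") and p.suffix[6:].isdigit():
            findings.append((path, "split chunk prepared for exfiltration"))
        elif p.suffix.lower() == ".url" and STARTUP_DIR in key and content:
            target = (shortcut_target(content) or "").lower()
            # Accept file:///C:/... or C:\... targets; a remote URL is not the pattern described here.
            local = target[5:].lstrip("/") if target.startswith("file:") else target
            if local[1:3] in (":\\", ":/") and PureWindowsPath(local).suffix in EXEC_EXTS:
                findings.append((path, "startup shortcut launches local executable: " + target))
    return findings

# Constructed sample listing (user name and file names are invented for the test).
STARTUP_SAMPLE = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_LISTING = {
    STARTUP_SAMPLE + r"\update.url": "[InternetShortcut]\nURL=file:///C:/Users/victim/AppData/Local/Temp/update.pif\n",
    STARTUP_SAMPLE + r"\news.url": "[InternetShortcut]\nURL=https://example.com/\n",
    r"C:\ProgramData\DirecTree.txt": None,
    r"C:\Users\victim\Documents\budget.xlsx.part_3": None,
    r"C:\Users\victim\Documents\notes.txt": None,
}
```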
Evolution of implants
The following is a timeline of the evolution of capabilities of the ObliqueRAT implants discovered so far:
1. November 2019
   - Version 5.2 of ObliqueRAT created, eventually disclosed in February 2020 by Talos.
   - Distributed via maldocs containing embedded ObliqueRAT payloads.
2. April 2020
   - Version 6.1 of ObliqueRAT created.
   - Introduction of anti-infection techniques.
   - Added an empty command code “hb”.
3. September 2020
   - Version 6.3.2 of ObliqueRAT created.
   - Additional file enumeration and stealing capabilities.
   - Webcam and desktop screenshot and recording RAT capabilities and commands introduced.
   - Distribution via maldocs employing BMPs containing ObliqueRAT payloads.
4. October 2020
   - Version 6.3.4 of ObliqueRAT created (minor update).
   - More keywords added to anti-infection checks.
   - Housekeeping ability to back up log files removed.
   - Continued distribution via maldocs employing BMPs containing ObliqueRAT payloads.
5. November 2020
   - Version 6.3.5 of ObliqueRAT created (minor update).
   - Same functionalities as v6.3.4; only the mutex name changed.
Evolution of ObliqueRAT.
Our previous post on ObliqueRAT detailed its connections to CrimsonRAT and, subsequently, the links to the Transparent Tribe APT group targeting organizations in South Asia. We have also observed overlaps in the C2 infrastructure used between ObliqueRAT and a RevengeRAT campaign. Talos assesses with low confidence that there is a possible link between certain RevengeRAT campaigns and ObliqueRAT and its operators.
RevengeRAT is a .NET-based RAT whose source code was leaked publicly a few years ago. It has increasingly become a common practice for crimeware and state-sponsored groups to utilize leaked malware. This practice takes away the need to develop implants and C2 servers from scratch and increases the chances of misattribution.
This campaign shows a threat actor evolving their infection techniques so that they no longer resemble those used previously. It is highly likely that these changes are in response to previous disclosures, aimed at achieving evasion for these new campaigns. The use of compromised websites is another attempt at detection evasion. The adversaries have also introduced steganography to hide the ObliqueRAT payloads in image files, a technique not previously observed in ObliqueRAT’s distribution chain. This new campaign distributing ObliqueRAT started in April 2020 and is still ongoing. It also highlights that while network-based detection is important, it must be complemented with system behavior analysis and endpoint protections.
Ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.
Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.
Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Cisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.
- 5a425372fac8e62d4b5d5be8054967eabe1e41894bcb8c10e431dd2e06203ca0
- bdb184f4c8416c271ad2490c1165ee4d6e2efcf82a1834ba828393c74e190705
- 926d3f258fe2278bd1d220fafb33f246f9db9014204337f05a25d072bb644b6d
Related RevengeRAT payloads
Blocklisted Usernames and Computer names
Blocklisted keywords for username and computername:
- hong lee
- joe cage
- peter miller
- joe smith
- paggy sue
- will carter
- eric johns
- john ca
- lebron james
Blocklisted process names
- CFF Explorer