
ObliqueRAT

Posted: February 24, 2020

ObliqueRAT is a Remote Access Trojan that uploads files and general system information to its operators, helping attackers control or spy on the infected PC. Its current campaigns target victims in Southeast Asia and may include government, military or NGO networks. Users should rely on anti-malware services to remove ObliqueRAT and should watch for its e-mail-based infection vectors.

A Trojan with Dangers Far from Inexplicit

Although its name might suggest otherwise, ObliqueRAT is far from a difficult-to-identify threat; it uses very traditional infection methods and launches just-as-ordinary attacks, following the previously established standards of Remote Access Trojans. ObliqueRAT is part of an ongoing series of attacks against yet-to-be-publicized targets in Southeast Asia, the same stomping grounds as the STOP Ransomware family. While ObliqueRAT has very different purposes than the extortionist ones of file-locking Trojans, it is a potent tool for hackers, potentially including members of the CrimsonRAT threat group.

ObliqueRAT has behaviors that one might copy-and-paste from similar RATs, like the Parallax RAT or Sakula. The Windows Trojan checks for system information that indicates a sandbox (a software-isolated environment, often used for malware analysis or hardened security) and can terminate itself if it finds one. It also can launch attacks including:

  • Terminating other programs' processes
  • Downloading additional files
  • Executing the files that it downloads
  • Harvesting system information and uploading it to the threat actor's server
  • Collecting attacker-specified files from the PC

Out of all of its features, malware researchers verify only one unusual addition: a minor variation of its file-exfiltration function. ObliqueRAT includes a secondary version of that attack that is hard-coded to target a system dump subfolder under ProgramData, for unknown reasons; possibly it is a leftover debugging function.

Clearing Up the Obliqueness of a Trojan's Travels

ObliqueRAT's payload holds few surprises for the seasoned cyber-security researcher. In the same way, its infection methods maintain the usual standards that dozens of RAT campaigns and similar software espionage expeditions established in the past. ObliqueRAT infects systems by tricking users into opening harmful documents, which deploy a first-stage payload of a Trojan dropper. The dropper then 'drops' and installs the Remote Access Trojan.

Samples of ObliqueRAT's delivering documents use names related to the target's workplace and include password protection, with the password probably being part of an accompanying e-mail message; the password also keeps e-mail gateways from scanning the document's contents. Embedded Visual Basic macro code in the document launches the first-stage Trojan, so no software vulnerability needs to be exploited, only a user who enables macros. Like most RATs, ObliqueRAT is always active after its installation and persists over reboots.
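As an added example (not code from the original article or from any ObliqueRAT sample), here is a Python triage check for the delivery mechanism described above: it flags OOXML attachments that carry a VBA project, and separately flags password-protected Office files, which it cannot inspect because they are wrapped in an OLE2 container. All sample documents are constructed in memory; the part names and markers follow the published OOXML conventions, while the function and sample names are this example's own.

```python
"""Triage an Office attachment for embedded VBA before a user can open it.

OOXML files (.docx/.docm/.xlsm ...) are ZIP containers; a VBA project is
stored in a part conventionally named vbaProject.bin and is declared in
[Content_Types].xml and the .rels relationships. A password-protected Office
file is instead a Compound File Binary (OLE2) container holding an
EncryptedPackage stream, so its macros cannot be examined without the password.
"""
import io
import zipfile

# Magic bytes for the two container formats Office documents use.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # CFB: legacy .doc or encrypted OOXML wrapper
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML ZIP container

# Markers that reveal a VBA project even if the part itself was renamed.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaproject"
VBA_RELATIONSHIP = "relationships/vbaproject"
MAX_SCAN_BYTES = 1 << 20  # cap per-part reads so a crafted archive cannot balloon memory


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-or-encrypted' or 'other'.

    'ole2-or-encrypted' covers both legacy binary Office files and
    password-protected OOXML; in either case macros can be neither
    confirmed nor ruled out from the outside.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-or-encrypted"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                # 1. The conventional part name used by Word, Excel and PowerPoint.
                if name.endswith("vbaproject.bin"):
                    return "ooxml-macro"
                # 2. A renamed VBA part must still be declared by content type and
                #    referenced by relationship type, so scan those XML parts.
                if name == "[content_types].xml" or name.endswith(".rels"):
                    if info.file_size > MAX_SCAN_BYTES:
                        continue
                    text = zf.read(info).decode("utf-8", errors="ignore").lower()
                    if VBA_CONTENT_TYPE in text or VBA_RELATIONSHIP in text:
                        return "ooxml-macro"
    except zipfile.BadZipFile:
        return "other"
    return "ooxml-clean"


def build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style ZIP from {part_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: these are not real documents, only enough structure for triage.
CONTENT_TYPES_CLEAN = (
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Override PartName="/word/document.xml" ContentType="application/'
    b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    b"</Types>"
)
SAMPLE_CLEAN = build_ooxml({
    "[Content_Types].xml": CONTENT_TYPES_CLEAN,
    "word/document.xml": b"<w:document/>",
})
SAMPLE_MACRO = build_ooxml({
    "[Content_Types].xml": CONTENT_TYPES_CLEAN,
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": OLE2_MAGIC + b"\x00" * 24,  # a VBA project is itself an OLE2 stream
})
SAMPLE_RENAMED = build_ooxml({  # VBA part under a non-standard name, still declared by content type
    "[Content_Types].xml": CONTENT_TYPES_CLEAN.replace(
        b"</Types>",
        b'<Override PartName="/word/data.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    ),
    "word/document.xml": b"<w:document/>",
    "word/data.bin": OLE2_MAGIC + b"\x00" * 24,
})
SAMPLE_ENCRYPTED = OLE2_MAGIC + b"\x00" * 504  # CFB header signature only; enough for triage

if __name__ == "__main__":
    for label, blob in [("clean", SAMPLE_CLEAN), ("macro", SAMPLE_MACRO),
                        ("renamed", SAMPLE_RENAMED), ("encrypted", SAMPLE_ENCRYPTED)]:
        print(f"{label:10s} -> {classify_attachment(blob)}")
```

A password-protected attachment lands in the 'ole2-or-encrypted' bucket, which is exactly the gap the ObliqueRAT lures use; the policy for that bucket (quarantine, detonate in a sandbox, obtain the password out of band) matters as much as the macro check itself. The check deliberately does not stop at the vbaProject.bin file name, because Office locates the VBA part through the relationship and content-type declarations, not the name.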

Users can delete ObliqueRAT, if necessary, with traditional, Windows-compatible anti-malware solutions. If the Trojan terminates the security program's process, users can resort to additional measures, such as booting from a safe USB device and scanning the system from there.

Whether ObliqueRAT is another version of a CrimsonRAT attack tool or something else, it is the software incarnation of a stranger handling your data and belongings at will. What that means for Asia is, however, still anyone's guess.
