A new campaign pushing updated versions of the ObliqueRAT malware is using several new techniques to avoid detection, including hiding the malicious payload inside images hosted on compromised websites.
ObliqueRAT first surfaced about a year ago when researchers with Cisco’s Talos Intelligence Group discovered the malware and found that it shared some similarities with the CrimsonRAT. The two families had some overlap with the macros that they used and also employed similar malicious documents as part of the infection chain. In the past, the ObliqueRAT malware has been delivered through malicious Office documents that drop the payload directly onto victims’ machines. But the new campaign, which Talos researchers discovered recently, uses unique macros and no longer delivers the payload directly from the malicious documents, but rather from compromised sites.
The payload itself is buried within bitmap image files that look harmless. The malicious macros embedded in the Office documents used in this campaign download the images and then extract the payload and save it to disk.
“Another instance of a maldoc uses a similar technique with the difference being that the payload hosted on the compromised website is a BMP image containing a ZIP file that contains ObliqueRAT payload. The malicious macros are responsible for extracting the ZIP and subsequently the ObliqueRAT payload on the endpoint,” Asheer Malhotra said in a post detailing the new campaign.
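The report does not say exactly how the ZIP is placed inside the BMP, so the following added example (written for this article, not code from Talos or from the malware) takes the defender's view and checks a bitmap for the two tell-tale signs such a carrier usually has: bytes beyond the image data the headers account for, and a ZIP local-file-header signature somewhere in the file. It assumes a BITMAPINFOHEADER-style bitmap and constructs its own sample, a tiny clean BMP and the same BMP with a harmless ZIP appended, so it runs offline.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature that opens every ZIP local file entry


def build_bmp(width, height, pixel_rgb=(0, 0, 0)):
    """Construct a minimal 24-bit BITMAPINFOHEADER bitmap (constructed sample data)."""
    row_stride = ((width * 24 + 31) // 32) * 4        # rows are padded to 4 bytes
    pixels = bytearray()
    for _ in range(height):
        row = bytearray()
        for _ in range(width):
            row += bytes(pixel_rgb[::-1])             # BMP stores pixels as BGR
        row += b"\x00" * (row_stride - len(row))
        pixels += row
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    off_bits = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", off_bits + len(pixels), 0, 0, off_bits)
    return file_header + dib + bytes(pixels)


def inspect_bmp(data):
    """Parse the BMP headers and report signs of an appended or embedded payload."""
    if len(data) < 54 or data[:2] != b"BM":
        return {"valid_bmp": False, "findings": ["not a BMP (bad magic or truncated header)"]}
    declared_size = struct.unpack_from("<I", data, 2)[0]
    off_bits = struct.unpack_from("<I", data, 10)[0]
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size < 40:                                 # only BITMAPINFOHEADER and later handled here
        return {"valid_bmp": False, "findings": [f"unsupported DIB header size {dib_size}"]}
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    row_stride = ((width * bpp + 31) // 32) * 4
    expected_end = off_bits + row_stride * abs(height)   # negative height = top-down image
    actual = len(data)
    findings = []
    if declared_size < actual:
        findings.append(f"{actual - declared_size} bytes beyond the declared file size (overlay)")
    if expected_end < actual:
        findings.append(f"{actual - expected_end} bytes beyond the computed end of the pixel array")
    zip_offset = data.find(ZIP_LOCAL_HEADER)              # catches appended and in-pixel ZIPs alike
    if zip_offset != -1:
        findings.append(f"ZIP local file header at offset {zip_offset}")
    return {"valid_bmp": True, "width": width, "height": height, "bpp": bpp,
            "declared_size": declared_size, "actual_size": actual,
            "zip_offset": zip_offset, "findings": findings}


def list_embedded_zip(data):
    """Triage helper: member names of a ZIP found inside the BMP, or [] if there is none."""
    off = data.find(ZIP_LOCAL_HEADER)
    if off == -1:
        return []
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        return zf.namelist()


def build_sample():
    """Constructed sample: a harmless 2x2 BMP, and the same BMP with a text-only ZIP appended."""
    bmp = build_bmp(2, 2, (0x10, 0x20, 0x30))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("stage2.txt", "placeholder content, not a real payload")
    return bmp, bmp + buf.getvalue()


if __name__ == "__main__":
    clean, carrier = build_sample()
    for label, blob in (("clean bitmap", clean), ("bitmap with appended ZIP", carrier)):
        print(label, "->", inspect_bmp(blob)["findings"] or ["no anomalies"])
    print("embedded members:", list_embedded_zip(carrier))
```

Run against real samples the size check alone is the cheaper signal: a BMP whose declared size or computed pixel-array end falls short of the file length carries extra data whatever that data is, while the signature scan is what distinguishes a ZIP carrier from, say, appended junk or a second image.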
“The macros are also responsible for achieving reboot persistence for the ObliqueRAT payloads. This is done by creating a shortcut (.url file extension) in the infected user's Startup directory.”
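The persistence mechanism just quoted is easy to audit, because an Internet Shortcut is a plain INI-style text file whose launch target sits on a URL= line. The script below is an added example for this article (not code from Talos or from the malware): it parses every .url file in a given directory and flags the ones whose target is a local file, drive path or UNC path instead of a web address, which is the shape a Startup-folder .url used to relaunch a dropped payload takes. It constructs a temporary directory with two sample shortcuts so it runs on any platform; on Windows the per-user Startup folder is %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, which default_startup_dir() returns.

```python
import os
import tempfile


def parse_url_shortcut(text):
    """Return the URL= target from the [InternetShortcut] section of a .url file, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None


def classify_target(target):
    """Coarse classification of where a shortcut target points."""
    t = target.strip().lower()
    if t.startswith("file:"):
        return "local"                                # file:// URI, launches a local file
    if t.startswith("\\\\"):
        return "unc"                                  # \\server\share\... network path
    if len(t) >= 2 and t[0].isalpha() and t[1] == ":" and not t.startswith(("http:", "https:")):
        return "local"                                # bare drive path such as C:\...
    if t.startswith(("http://", "https://")):
        return "web"
    return "other"


def scan_startup_dir(directory):
    """List (file name, target, kind) for every .url file that does not point at a web address."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".url"):
            continue
        with open(os.path.join(directory, name), encoding="utf-8", errors="replace") as fh:
            target = parse_url_shortcut(fh.read())
        kind = classify_target(target) if target else "unparsed"
        if kind != "web":
            hits.append((name, target, kind))
    return hits


def default_startup_dir():
    """Per-user Startup folder on Windows (the location the quoted persistence trick writes to)."""
    return os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                        "Start Menu", "Programs", "Startup")


def demo():
    """Constructed sample Startup folder: one benign web shortcut, one that launches a local file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "docs.url"), "w", newline="") as fh:
            fh.write("[InternetShortcut]\r\nURL=https://example.com/docs\r\n")
        with open(os.path.join(d, "update.url"), "w", newline="") as fh:
            # placeholder path, not a real indicator from the campaign
            fh.write("[InternetShortcut]\r\nURL=file:///C:/Users/Public/placeholder_stage.exe\r\n")
        return scan_startup_dir(d)


if __name__ == "__main__":
    for name, target, kind in demo():
        print(f"{name}: {kind} target -> {target}")
```

On a live host, replace demo() with scan_startup_dir(default_startup_dir()); any hit is worth a look, since a legitimate Internet Shortcut in Startup almost always points at http or https.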
The campaign that’s employing the new techniques is targeting organizations in South Asia, and there are several new versions of ObliqueRAT in use. All of the new versions were developed in 2020 and they include new capabilities, notably a pair of checks to see whether the malware is running in a virtual machine or on a computer that is included in a blocklist. Newer versions also include an expanded set of capabilities for stealing specific file types, as well as the ability to record webcam video and take desktop screenshots.
“This campaign shows a threat actor evolving their infection techniques so that they no longer resemble those used previously. It is highly likely that these changes are in response to previous disclosures to achieve evasion for these new campaigns. The usage of compromised websites is another attempt at detection evasion,” Malhotra said.
In addition to the possible connection with the CrimsonRAT malware campaigns, Talos also discovered some overlap of the command-and-control infrastructure used by ObliqueRAT and an operation that installed a separate piece of malware, RevengeRAT. The code for RevengeRAT is freely available online, so tying it to a specific operator is tough. Malhotra said Talos researchers had low confidence that there’s a connection between the two operations, despite the C2 overlap.