Researchers at Cisco Talos have come across a new RAT (Remote Access Trojan) that they are calling ObliqueRAT. The new RAT appears to be targeting Southeast Asian organizations through attached Word documents with macros. Cisco Talos also believes there may be a connection between ObliqueRAT and a campaign that delivered CrimsonRAT in December 2019, due to similar document attachments and macros. The macro in the Word document is responsible for extracting the embedded second-stage payload from the document and creating a shortcut under the logged-in user’s startup directory. Unlike most infections, the macro does not execute ObliqueRAT after establishing its persistence. The RAT has the typical features anyone could expect, such as host fingerprinting, C2 (Command and Control) communication for commands, data exfiltration, etc. Unique to ObliqueRAT however, is a system folder check which looks for the path, “C:ProgramDataSystemDump.” If the directory is present on the victim system, the RAT will send the keyword “Yes” to the C2, otherwise, it will send “No.” During their analysis, Cisco Talos also discovered a slight variant being distributed through an executable dropper instead of malicious documents. It is not currently known how that dropper is being spread.
ObliqueRAT, along with many other malware families can be prevented with basic security practices and awareness. The initial infection comes from malicious Word document attachments with macros. Always be cautious of unknown senders asking to open attached files of any kind. Many phishing lures use images or text warnings that a document was created in a different version of Word and that macros or document editing should be enabled to allow a viewing. Do not enable editing or macros in these documents! The use of anti-virus solutions is another layer of defense that may help in the case of one of these documents successfully executing their payload. Anti-virus solutions should be kept up-to-date at all times. Enterprise environments can also take advantage of EDR (Endpoint Detection and Response) or MDR (Managed Detection and Response) solutions as well to be alerted of any suspicious activity before a threat spreads too far within the network. DLP (Data Loss Prevent) solutions may also help defend against exfiltration by monitoring for sensitive data like PII (Personally Identifiable Information) being sent externally.