ObliqueRAT, a Remote Access Trojan that was first discovered in early 2020, has received an update that now disguises the payload in image files on compromised websites, according to an article published on ZDNet. The RAT has been updated to include many new features, the most notable being the use of steganographic payloads to embed zip files in images. These malicious images are downloaded by ObliqueRAT’s maldoc stager, and the zip file is extracted by the maldoc macros. While there are no solid attributions, ObliqueRAT has been connected to campaigns distributing CrimsonRAT and also possibly RevengeRAT.
Analyst Notes
As these infections stem from malicious macro-laden document files distributed as email attachments, Binary Defense recommends using great care when enabling macros, as macros from untrusted sources may result in malware deployment. Additionally, Binary Defense recommends employing a 24/7 SOC solution, such as Binary Defense’s own Security Operations Task Force, to quickly detect when unusual processes and behavior occurs on employee workstations and respond to stop the threat before attackers move laterally and take control of the domain.
Source: https://www.zdnet.com/article/obliquerat-trojan-now-hides-in-images-on-compromised-websites/
