Researchers at Cisco Talos have come across a new RAT (Remote Access Trojan) that they are calling ObliqueRAT. The new RAT appears to be targeting Southeast Asian organizations through attached Word documents containing macros. Cisco Talos also believes there may be a connection between ObliqueRAT and a campaign that delivered CrimsonRAT in December 2019, because the two campaigns used similar document attachments and macros. The macro in the Word document is responsible for extracting the embedded second-stage payload from the document and creating a shortcut in the logged-in user's Startup directory. Unlike most infections, the macro does not execute ObliqueRAT after establishing this persistence. The RAT has the typical features anyone would expect, such as host fingerprinting, C2 (Command and Control) communication for receiving commands, data exfiltration, etc. Unique to ObliqueRAT, however, is a system folder check that looks for the path "C:\ProgramData\System\Dump". If that directory is present on the victim system, the RAT sends the keyword "Yes" to the C2; otherwise, it sends "No". During their analysis, Cisco Talos also discovered a slight variant being distributed through an executable dropper instead of malicious documents. It is not currently known how that dropper is being spread.
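The two host-level details above (persistence via a shortcut in the user's Startup folder, and the probe for "C:\ProgramData\System\Dump") are the easiest to check during triage. The script below is an added example written for this page, not code from Cisco Talos or Binary Defense: it lists every .lnk file in the per-user Startup folder and reports whether the marker directory exists. The Startup folder location is the standard Windows layout under %APPDATA%; the function names, the report structure and the ability to override the paths (so the logic can be exercised on a constructed directory tree) are assumptions of this example.

```python
import os
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

# Directory ObliqueRAT probes before reporting "Yes"/"No" to its C2
# (path taken from the Talos analysis summarized above).
MARKER_DIR = Path(r"C:\ProgramData\System\Dump")

# Per-user Startup folder relative to %APPDATA% (standard Windows layout).
STARTUP_REL = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def startup_dir(appdata: Optional[Path] = None) -> Path:
    """Per-user Startup folder; `appdata` overrides %APPDATA% (assumed helper, used for testing)."""
    base = appdata if appdata is not None else Path(os.environ.get("APPDATA", ""))
    return base / STARTUP_REL


def list_startup_shortcuts(appdata: Optional[Path] = None) -> List[Dict[str, object]]:
    """Every .lnk in the Startup folder with size and mtime, for an analyst to review.

    A shortcut here is not proof of infection (many legitimate programs use it),
    but it is exactly where the ObliqueRAT macro plants its persistence.
    """
    d = startup_dir(appdata)
    if not d.is_dir():
        return []
    findings: List[Dict[str, object]] = []
    for p in sorted(d.iterdir()):
        if p.is_file() and p.suffix.lower() == ".lnk":
            st = p.stat()
            findings.append({
                "name": p.name,
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            })
    return findings


def marker_present(marker: Path = MARKER_DIR) -> bool:
    """True if the folder the RAT checks for exists; it is not a standard Windows directory."""
    return marker.is_dir()


def triage(appdata: Optional[Path] = None, marker: Path = MARKER_DIR) -> Dict[str, object]:
    """Combine both checks into one report dictionary (assumed report layout)."""
    shortcuts = list_startup_shortcuts(appdata)
    return {
        "startup_dir": str(startup_dir(appdata)),
        "shortcuts": shortcuts,
        "marker_dir": str(marker),
        "marker_present": marker_present(marker),
    }


if __name__ == "__main__":
    report = triage()
    print(f"Startup folder: {report['startup_dir']}")
    for s in report["shortcuts"]:
        print(f"  shortcut: {s['name']}  {s['size']} bytes  modified {s['modified']}")
    if not report["shortcuts"]:
        print("  (no .lnk files)")
    print(f"Marker {report['marker_dir']} present: {report['marker_present']}")
    # Non-zero exit lets a fleet-wide job flag hosts where the marker folder exists.
    sys.exit(1 if report["marker_present"] else 0)
```

Run it on a Windows host as the user whose profile you are examining; on any other platform it simply reports an empty Startup folder and an absent marker. The shortcut list is meant to be compared against a known-good baseline, since the page gives no shortcut name to match on.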
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense