ObliqueRAT Linked To Threat Group Launching Attacks Against Government Targets (Feb 21, 2020)
Cisco Talos researchers have identified a new Remote Access Trojan (RAT) targeting Southeast Asia. The malware, named “ObliqueRAT”, has been active since January 2020 and the campaign is ongoing. Phishing emails deliver Microsoft Office documents posing as employer-related documents to diplomatic and government personnel. If the user enters the supplied credentials into the password-protected document, a malicious Visual Basic script runs, extracts a binary and drops an executable. The RAT can exfiltrate files and system data, communicate with a Command-and-Control (C2) server, gain persistence through the startup process, avoid detection by checking for sandbox use, download additional payloads and terminate processes.
Recommendation: Threat actors continually adapt to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network; that way it is easier to spot unusual traffic and connections to and from your network and to identify potentially malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests that macros be enabled.
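As an added example (not from the Talos report or this digest), a small Python triage script that runs over constructed, Sysmon-style process-creation records and flags the infection chain summarised above: an Office application spawning a script host, a script host launching a binary from a user-writable path, and a binary executed from the Startup folder. The field names, paths and rule names are assumptions for illustration.

```python
import re

# Parent/child pairings that match the described chain: Office document -> VB script -> dropped binary
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Directories a standard user can write to; a freshly dropped executable usually lives here
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\", re.I)
# Per-user Startup folder, one of the places a RAT uses to run again at logon
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)

# Constructed sample events (simplified Sysmon event 1 fields); not real telemetry
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\doc.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
     "cmdline": r"update.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_event(event: dict) -> list:
    """Return the names of every rule an event triggers (empty list if benign)."""
    parent, image = basename(event["parent"]), basename(event["image"])
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office_spawns_script_host")
    if parent in SCRIPT_HOSTS and USER_WRITABLE.search(event["image"]):
        findings.append("script_host_runs_dropped_binary")
    if STARTUP_DIR.search(event["image"]):
        findings.append("binary_run_from_startup_folder")
    return findings


def flag_events(events: list) -> list:
    """Pair each triggered rule with the index of the event that triggered it."""
    return [(i, rule) for i, e in enumerate(events) for rule in flag_event(e)]


if __name__ == "__main__":
    for idx, rule in flag_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```

Each rule on its own generates noise in some environments (build tooling also spawns script hosts), so they are most useful correlated on one host within a short window, which is the picture a baseline of normal activity gives you.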
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.