Wednesday, September 30, 08:28
ObliqueRAT is associated with a group that attacks governments


A new Remote Access Trojan (RAT), discovered by security researchers, appears to be linked to a hacking group specializing in attacks against governments and diplomats.

On Thursday, Cisco Talos researchers said the malware, which they have named ObliqueRAT, is being used in a new campaign mainly targeting Southeast Asia.

The latest campaign started in January 2020 and is still ongoing. The attackers use phishing emails as their primary means of attack, attaching Microsoft Office documents that carry the malware.

The attachments have innocuous names, such as Company-Terms.doc or DOT_JD_GM.doc, the latter possibly an abbreviation of "Department of Telecommunications_Job Description_General Manager".

The files also appear to be password protected, a technique that may be intended to make the documents look legitimate and safe in corporate settings. The password required to open the file is likely included in the body of the phishing email.

If the victim enters the password and opens the document, a malicious VBA script is triggered that extracts a malicious binary and downloads an executable, which acts as a dropper for ObliqueRAT.

Talos described the RAT as simple, containing the basic functions of a typical Trojan: the ability to collect files and system data for transfer to a command and control server, the functionality to receive and execute additional payloads, and the ability to terminate running processes.

One interesting feature, however, is that the malware looks for a specific directory and steals the files it contains. The directory is C:\ProgramData\System\Dump.

To avoid detection, the malware also checks the system name and other system information for signs that it is running in a sandbox.
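As an added example that is not part of the article or of Talos's reporting, the following Python script turns two behaviours described above into detection checks run over constructed Sysmon-style events: an Office application spawning an executable (the dropper chain), and file activity under C:\ProgramData\System\Dump. The event field names, file names and paths in the sample data are assumptions, not indicators from the campaign.

```python
import re

# Constructed Sysmon-style events (sample data, not real telemetry), normalised
# the way a SIEM would present process creation (ID 1) and file creation (ID 11).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\ProgramData\System\Dump\Company-Terms.doc"},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\WER\report.tmp"},
]

# Office hosts that should not normally launch executables.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# The staging directory the article says ObliqueRAT collects files from;
# the trailing group also matches the directory itself being created.
DUMP_DIR = re.compile(r"^c:\\programdata\\system\\dump(\\|$)", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(exe|dll|scr|com)$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_executable(ev: dict) -> bool:
    """Process creation whose parent is an Office application and whose image is executable."""
    return (ev["id"] == 1
            and basename(ev["parent"]) in OFFICE_HOSTS
            and bool(EXECUTABLE.search(ev["image"])))


def touches_dump_dir(ev: dict) -> bool:
    """File creation anywhere under C:\\ProgramData\\System\\Dump, in any letter case."""
    return ev["id"] == 11 and bool(DUMP_DIR.match(ev["target"]))


def triage(events: list) -> list:
    """Return (rule, image) pairs for every event that matches a detection rule."""
    alerts = []
    for ev in events:
        if office_spawned_executable(ev):
            alerts.append(("office-spawned-executable", ev["image"]))
        if touches_dump_dir(ev):
            alerts.append(("dump-dir-activity", ev["image"]))
    return alerts


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```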

According to Talos, the similarities between how the RAT is propagated and the variables used in the malicious VBA documents indicate a possible link to CrimsonRAT, which has previously been linked to attacks on diplomatic and political organizations in the same region.


Absent Mia