On Thursday, Cisco Talos researchers said that a malware family it calls ObliqueRAT is being distributed in a new campaign mainly targeting Southeast Asia.
Attachments carry innocuous names, such as Company-Terms.doc or DOT_JD_GM.doc, the latter possibly standing for "Department of Telecommunications_Job Description_General Manager".
The files also appear to be password protected, a technique that may be intended to make the documents look legitimate and safe in corporate settings. The password required to open the file may be included in the body of the phishing email.
If the victim enters the password and opens the document, a malicious VB script is triggered; it extracts a malicious binary and downloads an executable that acts as a dropper for ObliqueRAT.
Talos described the RAT as simple, with the basic functions of a typical Trojan: the ability to collect files and system data for transfer to a command-and-control server, the ability to receive and execute additional payloads, and the ability to terminate existing processes.
One interesting feature, however, is that the malware looks for a specific directory and steals the files it contains. The directory is C:\ProgramData\System\Dump.
To avoid detection, the malware also checks the system name and system information for signs that the computer is "sandboxed".
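The behaviours reported above (an Office document spawning a script host, and access to the C:\ProgramData\System\Dump directory) can be turned into simple endpoint detection logic. The following is an added example written for this article, not code from Talos or from the malware report; the event format and the sample events are constructed for illustration and stand in for real process-creation and file-creation telemetry.

```python
import re

# Constructed sample events in a simplified "key=value" form (not real telemetry).
SAMPLE_EVENTS = [
    r"type=ProcessCreate parent=C:\Program Files\Microsoft Office\WINWORD.EXE "
    r"image=C:\Windows\System32\wscript.exe cmd=wscript.exe C:\Users\u\AppData\Local\Temp\x.vbs",
    r"type=FileCreate image=C:\Windows\System32\wscript.exe "
    r"target=C:\ProgramData\System\Dump\notes.txt",
    r"type=ProcessCreate parent=C:\Windows\explorer.exe "
    r"image=C:\Windows\System32\notepad.exe cmd=notepad.exe",
]

# Office hosts that should rarely spawn a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Directory the article reports the malware harvests files from (lowercased for comparison).
WATCHED_DIR = "c:\\programdata\\system\\dump\\"


def parse_event(line):
    """Split a 'key=value key=value' line into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def basename(path):
    """Return the lowercased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, detail...) tuples for events matching the two behaviours."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("type") == "ProcessCreate":
            parent = basename(ev.get("parent", ""))
            child = basename(ev.get("image", ""))
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host", parent, child))
        elif ev.get("type") == "FileCreate":
            target = ev.get("target", "")
            if target.lower().startswith(WATCHED_DIR):
                findings.append(("dump_dir_access", basename(ev.get("image", "")), target))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The first sample event triggers the Office-to-script-host rule and the second the directory rule; the third is benign and produces no finding.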
According to Talos, the similarities between how the RAT is propagated and the variables used in the malicious VBA documents indicate a possible link to CrimsonRAT, a group that has previously been linked to attacks on diplomatic and political organizations in the same region.