Cisco Talos researchers discovered a new malware, tracked as ObliqueRAT, that was employed in targeted attacks against organizations in Southeast Asia.

Experts from Cisco Talos discovered a new malware, tracked as ObliqueRAT, that appears to be a custom malware developed by a threat actor focused on government and diplomatic targets.

The malware was employed in targeted attacks against organizations in Southeast Asia.

“Cisco Talos has recently discovered a new campaign distributing a malicious remote access trojan (RAT) family we’re calling “ObliqueRAT.” Cisco Talos also discovered a link between ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT sharing similar maldocs and macros.” reads the analysis published by the experts. “CrimsonRAT has been known to target diplomatic and government organizations in Southeast Asia.”

The most recent campaign started in January 2020 and is still ongoing.

The threat actor uses phishing messages with weaponized Microsoft Office documents to deliver the RAT.

The malicious documents trick victims into entering a password contained in the message in order to view their contents. The VB script in the maldocs is activated only once the user enters the correct password for the document, a technique already observed in the wild from other attackers; it also means the macro never runs in a sandbox that does not know the password.

The maldocs used in this campaign have benign file names such as “Company-Terms.doc”, “DOT_JD_GM.doc.”

The malicious VB script included in the documents, once activated, extracts an embedded binary and drops an executable, which in turn drops the ObliqueRAT payload.

The VBScript creates the following shortcut in the currently logged-in user’s Start-Up directory to achieve persistence:

%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\saver.url
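As an added example (not part of the original article and not Cisco Talos code), the following Python script triages Internet Shortcut (.url) files found in a Windows Startup folder, which is where the persistence artifact above lives. A .url file is a small INI-style text file whose URL= entry can point at a local executable instead of a web address, so the script parses that entry and flags the pattern a maldoc dropper produces: an autostart shortcut that launches executable content from a user-writable location. The page gives only the artifact name saver.url and its directory; the sample shortcut bodies and the target path C:\Users\victim\AppData\Roaming\saver.exe are constructed assumptions for illustration.

```python
"""Triage Internet Shortcut (.url) persistence in Windows Startup folders.

Added example (not Cisco Talos code). The only page-derived fact is the
artifact name saver.url in the per-user Startup directory; the shortcut
bodies and target paths below are constructed and hypothetical.
"""
from __future__ import annotations

import configparser
import re
from pathlib import Path, PureWindowsPath
from urllib.parse import unquote, urlparse

# Per-user Startup folder, relative to a user profile (location named in the article).
STARTUP_SUBPATH = PureWindowsPath(
    r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup")

# Script/binary suffixes that should rarely be launched from a Startup .url.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".vbs", ".js", ".bat",
                       ".cmd", ".ps1", ".hta", ".wsf"}
# Directories a standard user can write to; an autostart entry pointing here is
# the classic "dropped by a maldoc" pattern.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\",
                         "\\users\\public\\")


def parse_url_shortcut(text: str) -> str | None:
    """Return the URL= value of a .url file (INI format), or None if absent/unparsable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    # Section names are case-sensitive in configparser; real files use this exact spelling.
    return cp.get("InternetShortcut", "URL", fallback=None)


def shortcut_target(url: str) -> PureWindowsPath | None:
    """Resolve a URL= value to a local Windows path; None for remote (http/https/...) targets."""
    if url.lower().startswith("file:"):
        parsed = urlparse(url)
        # "file:///C:/x/y.exe" -> path "/C:/x/y.exe"
        # "file://C:/x/y.exe"  -> netloc "C:" + path "/x/y.exe"
        return PureWindowsPath(unquote(parsed.netloc + parsed.path).lstrip("/"))
    if re.match(r"^[A-Za-z]:[\\/]", url):  # bare drive path, which Explorer also accepts
        return PureWindowsPath(url)
    return None


def assess_shortcut(text: str) -> dict:
    """Classify one .url file body; 'reasons' lists why it was flagged."""
    url = parse_url_shortcut(text)
    target = shortcut_target(url) if url else None
    reasons = []
    if url is None:
        reasons.append("no URL= entry (malformed or non-shortcut content)")
    elif target is not None:
        low = str(target).lower()
        if target.suffix.lower() in EXECUTABLE_SUFFIXES:
            reasons.append(f"launches executable content ({target.suffix})")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("target lives in a user-writable directory")
    return {"url": url, "target": str(target) if target else None,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_startup_dirs(startup_dirs: list[Path]) -> list[dict]:
    """Walk real Startup folders (live host or mounted image) and return flagged .url files."""
    findings = []
    for directory in startup_dirs:
        for shortcut in directory.glob("*.url"):
            result = assess_shortcut(shortcut.read_text(errors="replace"))
            if result["suspicious"]:
                findings.append({"file": str(shortcut), **result})
    return findings


# Constructed sample bodies (hypothetical; the real saver.url contents are not on the page).
SUSPICIOUS_SAMPLE = """[InternetShortcut]
URL=file:///C:/Users/victim/AppData/Roaming/saver.exe
IconIndex=0
"""
BENIGN_SAMPLE = """[InternetShortcut]
URL=https://intranet.example.com/
"""

if __name__ == "__main__":
    for name, body in (("saver.url", SUSPICIOUS_SAMPLE), ("portal.url", BENIGN_SAMPLE)):
        print(name, assess_shortcut(body))
```

On a live host, pass `scan_startup_dirs` the per-user folder (the profile root joined with STARTUP_SUBPATH) and the all-users Startup folder under ProgramData; on a mounted disk image, point it at the same relative paths beneath the image's Users directory. A remote http/https target is reported but not flagged, because such shortcuts are occasionally legitimate, whereas a Startup entry that launches an executable from AppData or ProgramData warrants a look at the file it points to.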

The experts from Cisco Talos describe ObliqueRAT as simple but effective; it implements the following key capabilities:

Ability to execute arbitrary commands on an infected endpoint.

Ability to exfiltrate files.

Ability to drop additional files.

Ability to terminate processes on the infected endpoint.

Experts noticed a unique feature implemented by the authors of the RAT: the malware looks for the presence of a specific directory and enumerates all files residing inside it. The directory path is hardcoded in the malicious code: C:\ProgramData\System\Dump.

“The RAT ensures that only one instance of its process is running on the infected endpoint at any given time by creating and checking for a mutex named Oblique,” the researchers say. “If the named mutex already exists on the endpoint then the RAT will stop executing until the next login of the infected user account.”

The malware also implements evasion and anti-analysis checks designed to prevent the implant from executing inside a sandbox or an analyst's test environment.

Experts found similarities between ObliqueRAT and CrimsonRAT: Cisco Talos observed that the two families are distributed in a similar way, and that the VBA scripts in the malicious documents share variable names.

CrimsonRAT is another malware family employed by a group previously connected to attacks against diplomatic and political organizations in the same region.

“This campaign shows a threat actor conducting a targeted distribution of maldocs similar to those utilized in the distribution of CrimsonRAT. However, what stands out here is that the actor is now distributing a new family of RATs.” concludes the report. “Although it isn’t technically sophisticated, ObliqueRAT consists of a plethora of capabilities that can be used to carry out various malicious activities on the infected endpoint.”

Pierluigi Paganini