Cybersecurity company Cisco Talos has discovered a new campaign distributing the remote access trojan (RAT) ObliqueRAT. The campaign uses completely different macro code to download and deploy the ObliqueRAT payload, and the attackers have also updated the infection chain to deliver ObliqueRAT via hijacked websites.
The campaign, which targets organizations in South Asia, uses malicious Microsoft Office documents weaponized with macros to spread ObliqueRAT.
What is the Mode of Operation of ObliqueRAT?
According to Cisco Talos, ObliqueRAT's earlier mode of operation overlapped with that of another threat actor, Transparent Tribe, whose December 2019 campaign disseminated CrimsonRAT. The current attacks differ in some key ways.
Besides using completely different macro code to download and deploy the ObliqueRAT payload, the operators have updated the delivery mechanism by cloaking the malware in seemingly innocuous bitmap image (.BMP) files hosted on a network of adversary-controlled websites.
The payload hosted on the hijacked website is simply a BMP image containing a ZIP archive that holds the ObliqueRAT payload. Because the file still opens as a valid image, it draws little attention; the malicious macros are responsible for extracting the ZIP, and then the ObliqueRAT payload, on the endpoint.
The goal is to trick victims into opening the emails containing the maldocs. Once a document is opened, its macros fetch the ObliqueRAT payload from malicious URLs and the RAT ultimately exfiltrates sensitive data from the victim's system.
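The BMP-as-carrier trick described above is easy to spot once you know where to look: an image viewer stops reading at the size declared in the BMP header, while a macro that seeks past the image finds the archive. The script below is an added example, not Cisco Talos code and not the actual macro or payload; it constructs a tiny 1x1 BMP, appends a ZIP holding a stand-in payload (the member name "oblique.exe" and its bytes are made up for the demonstration), then runs a detector that flags the trailing data and lists the archive members, and finally shows the extraction step a macro would perform.

```python
"""Detect and unpack a ZIP archive hidden inside a BMP carrier file.

Added example (not Talos code). All sample data is constructed inline.
"""
import io
import struct
import zipfile

BMP_MAGIC = b"BM"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_bmp() -> bytes:
    """Build a minimal, valid 1x1 24-bit BMP (constructed test data)."""
    pixels = b"\x00\x00\x00\x00"          # one BGR pixel, row padded to 4 bytes
    dib_header_size = 40                  # BITMAPINFOHEADER
    pixel_offset = 14 + dib_header_size   # BITMAPFILEHEADER + DIB header
    file_size = pixel_offset + len(pixels)
    file_header = struct.pack("<2sIHHI", BMP_MAGIC, file_size, 0, 0, pixel_offset)
    dib_header = struct.pack("<IiiHHIIiiII",
                             dib_header_size, 1, 1, 1, 24, 0, len(pixels),
                             2835, 2835, 0, 0)
    return file_header + dib_header + pixels


def append_zip(carrier: bytes, member_name: str, payload: bytes) -> bytes:
    """Append a ZIP archive containing `payload` to an image, mimicking the
    carrier the maldoc downloads. Stored (uncompressed) to keep bytes stable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    return carrier + buf.getvalue()


def analyze_bmp(data: bytes) -> dict:
    """Return indicators that a BMP is carrying an archive behind the image."""
    result = {"is_bmp": False, "declared_size": None, "trailing_bytes": 0,
              "zip_offset": None, "zip_members": []}
    if len(data) < 14 or data[:2] != BMP_MAGIC:
        return result
    result["is_bmp"] = True
    declared_size = struct.unpack_from("<I", data, 2)[0]   # bfSize field
    result["declared_size"] = declared_size
    # Overlay: bytes beyond what the header claims. Viewers ignore them.
    result["trailing_bytes"] = max(0, len(data) - declared_size)
    # Heuristic: first ZIP local-file-header signature anywhere in the file.
    zip_offset = data.find(ZIP_LOCAL_HEADER)
    if zip_offset == -1:
        return result
    result["zip_offset"] = zip_offset
    # zipfile finds the central directory from the END of the file, so a ZIP
    # with an image prepended opens directly, exactly as the macro relies on.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["zip_members"] = [(i.filename, i.file_size) for i in zf.infolist()]
    except zipfile.BadZipFile:
        pass
    return result


def extract_payload(data: bytes, member_name: str) -> bytes:
    """The step the malicious macro performs: pull one member out of the
    archive hidden in the carrier image."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(member_name)


if __name__ == "__main__":
    clean = build_sample_bmp()
    carrier = append_zip(clean, "oblique.exe", b"MZ-constructed-stand-in-payload")
    for label, blob in (("clean", clean), ("carrier", carrier)):
        print(label, analyze_bmp(blob))
    print("extracted:", extract_payload(carrier, "oblique.exe"))
```

In triage, treat any BMP whose on-disk length exceeds the header's bfSize, or that contains a ZIP central directory, as suspicious; the signature search alone can false-positive on pixel data, so the size mismatch is the stronger indicator.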
How to Mitigate Email-based Malware Attacks
Given that the main attack vector remains email, users are advised not to open suspicious emails or their attachments.
In addition, organizations should deploy an advanced malware protection solution, such as the one offered by Cisco, rather than relying on the built-in Windows protection alone.