Phishing emails carrying the ObliqueRAT malware are targeting government organizations in Southeast Asia. According to researchers at Cisco Talos, ObliqueRAT shares similar malicious documents (maldocs) and macros with the CrimsonRAT campaign from December 2019. The threat reaches the endpoint as a maldoc that asks the user for a password before the document can be viewed; entering the correct password activates the VB script embedded in the document. To persist, the RAT creates a shortcut in the Start-Up directory so that it is launched again whenever the machine reboots. It then communicates with the C&C server and executes the commands it receives. The RAT also ensures that only one instance of itself runs at a time through a single-instance check keyed on the name 'Oblique'; if an instance is already running, the new one stops executing on the infected system.
The maldocs reach the user under benign-looking file names:
Company-Terms.doc
DOT_JD_GM.doc
The malware collects system information and forwards it to the command-and-control server. To avoid running inside sandbox-based detection systems, it compares the current username and computer name against a blacklist; if either matches a blacklisted value, execution stops.
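Because the persistence described above is a shortcut dropped into the Start-Up directory, a quick defender-side check is to enumerate that folder and resolve where each shortcut actually points rather than trusting its name. The following is an added example written for this page, not code from Cisco Talos or from the malware: it parses the Shell Link (.lnk) header and LinkInfo block as laid out in MS-SHLLINK to recover the local target path, and flags targets outside an assumed set of trusted roots. The TRUSTED_ROOTS tuple, and the shortcut names and target paths used in the self-test, are constructed assumptions, not ObliqueRAT indicators.

```python
"""Hunt for Start-Up folder persistence by resolving every .lnk target.

Added example for this page; not code from Cisco Talos or from ObliqueRAT.
Shortcut names/targets in demo() and the TRUSTED_ROOTS list are constructed.
"""
import os
import shutil
import struct
import tempfile
from typing import List, Optional

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian)
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit 0
HAS_LINK_INFO = 0x02                  # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit 0

# Assumption for triage: a Startup shortcut whose target lives outside these
# roots (e.g. a user-writable directory) deserves a closer look.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")


def _cstring(data: bytes, off: int) -> str:
    """Read a NUL-terminated ANSI string at offset off."""
    return data[off:data.index(b"\x00", off)].decode("cp1252", errors="replace")


def lnk_target(data: bytes) -> Optional[str]:
    """Return the local path a Shell Link launches, or None if unresolvable.

    Layout (MS-SHLLINK): 0x4C-byte header, optional LinkTargetIDList
    (2-byte size + items), then LinkInfo, whose LocalBasePath followed by
    CommonPathSuffix is the target path.
    """
    try:
        if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
            return None
        flags = struct.unpack_from("<I", data, 0x14)[0]
        pos = LNK_HEADER_SIZE
        if flags & HAS_LINK_TARGET_ID_LIST:
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if not flags & HAS_LINK_INFO:
            return None
        (info_size, _hdr, info_flags, _vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, pos)
        if pos + info_size > len(data) or not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            return None  # truncated, or a network-relative target (not handled)
        return _cstring(data, pos + base_off) + _cstring(data, pos + suffix_off)
    except (struct.error, ValueError):
        return None


def scan_startup_dir(directory: str) -> List[dict]:
    """List every .lnk in directory with its resolved target and a verdict."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".lnk"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            target = lnk_target(fh.read())
        trusted = target is not None and target.lower().startswith(TRUSTED_ROOTS)
        findings.append({"shortcut": name, "target": target, "suspicious": not trusted})
    return findings


def startup_dirs() -> List[str]:
    """Per-user and all-users Startup folders (only meaningful on Windows)."""
    return [
        os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]


def build_lnk(local_path: str) -> bytes:
    """Build a minimal .lnk pointing at local_path (constructed test data)."""
    header = struct.pack("<I16sIIqqqIIIHHII", LNK_HEADER_SIZE, LNK_CLSID,
                         HAS_LINK_INFO, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0x12345678, 0x10) + b"\x00"
    base, suffix = local_path.encode("cp1252") + b"\x00", b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    info = struct.pack("<7I", suffix_off + len(suffix), 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                       0x1C, base_off, 0, suffix_off) + volume_id + base + suffix
    return header + info


def demo() -> List[dict]:
    """Scan a throw-away Startup folder holding two constructed shortcuts."""
    tmp = tempfile.mkdtemp()
    try:
        for name, target in (("OneDrive.lnk", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
                             ("update.lnk", r"C:\Users\Public\update.exe")):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(build_lnk(target))
        return scan_startup_dir(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    live = [d for d in startup_dirs() if os.path.isdir(d)]
    results = [f for d in live for f in scan_startup_dir(d)] if live else demo()
    for f in results:
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f"{f['shortcut']} -> {f['target']}")
```

Run on a Windows host it walks the real Startup folders; elsewhere it falls back to the constructed demo. A shortcut whose target cannot be parsed is flagged too, since a .lnk that only carries an IDList or a network-relative path is itself unusual for a Startup entry and worth opening by hand.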
ObliqueRAT can:
- execute commands on the infected system;
- exfiltrate files from the computer;
- terminate any running process on the infected endpoint; and
- drop additional files chosen by the attacker.