ObliqueRAT Uses Innocuous Images to Hide Malicious Payloads


Saturday, March 6th, 2021

The ObliqueRAT malware is now using seemingly innocent image files, hosted on compromised websites, to hide its malicious payloads. Operating since 2019, the remote access Trojan (RAT) spreads via emails carrying malicious Microsoft Office documents. Previously, the payload was embedded in the document itself. Now, when a user opens the attachment and enables its macros, the document reaches out to attacker-controlled URLs where the payload is concealed inside an image using steganography.

Researchers warn that this new tactic has helped ObliqueRAT operators avoid detection while targeting various organizations in South Asia. The playbook remains the same: send victims an email with a malicious Microsoft Office document which, once opened, fetches the payload, installs the RAT and exfiltrates data from the victim's machine.

Known ObliqueRAT activity dates back to November 2019, as part of a campaign targeting entities in South Asia that Cisco Talos researchers uncovered in February 2020. ObliqueRAT operators have consistently used emails with malicious attachments as the initial infection vector. The infection chain generally relies on an initial executable that acts as a dropper for ObliqueRAT itself. Once it has infected a system, ObliqueRAT exfiltrates information including system data, a list of drives and a list of running processes.

The newly discovered ObliqueRAT attack chain belongs to a campaign that started in May 2020 but was only recently uncovered by researchers. In addition to the use of URL redirects, the payload delivery itself has been updated: the payloads now arrive as seemingly benign bitmap (BMP) image files. According to the researchers, each image contains both legitimate image data and malicious executable bytes concealed within it.

Hiding data inside an innocuous carrier file in this way is steganography, a well-known tactic among threat actors. Attackers hide malware in image files to circumvent detection, because many mail filters and web gateways let image formats pass with little scrutiny.

The initial email sent to victims contains malicious documents with updated macros that redirect users to the malicious URLs hosting these payloads. The macros then download the BMP files, extract the ObliqueRAT payload from the image data and write it to disk.
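The checks below are an added example, not code from the Talos write-up or from the ObliqueRAT campaign. They show the kind of inspection a gateway or sandbox can apply to a BMP to catch the trick described above: parse the headers, compare the declared file size and pixel-array extent with the actual length, and look for an embedded PE (an "MZ" stub whose e_lfanew field points at "PE\0\0") anywhere after the pixel-array offset. The sample image and the "payload" are constructed inline, and the smuggling layout used to build the test file (executable appended after the pixel array, headers left intact) is an assumption for illustration; the article does not specify how the real campaign interleaved its bytes, which is why the PE scan covers the pixel data as well as any trailer.

```python
import struct

BMP_FILE_HEADER = "<2sIHHI"       # magic, file size, reserved, reserved, pixel-array offset (14 bytes)
BMP_INFO_HEADER = "<IiiHHIIiiII"  # BITMAPINFOHEADER (40 bytes)


def build_bmp(width, height, color=(0x80, 0x80, 0x80)):
    """Construct a minimal, valid 24-bit BMP. Constructed sample image for this example."""
    row_bytes = (width * 3 + 3) & ~3            # rows are padded to a 4-byte boundary
    row = bytes(color) * width + b"\x00" * (row_bytes - width * 3)
    pixels = row * height
    offset = 14 + 40
    file_header = struct.pack(BMP_FILE_HEADER, b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack(BMP_INFO_HEADER, 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def embed_payload(bmp, payload):
    """Hypothetical smuggling layout (an assumption, not the campaign's documented one):
    append the executable after the pixel array and leave the headers untouched, so
    image viewers still render the picture and the file still passes as a bitmap."""
    return bmp + payload


def bmp_layout(data):
    """Return (declared file size, pixel-array offset, pixel-array size) from the headers."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP")
    _, declared_size, _, _, pixel_offset = struct.unpack_from(BMP_FILE_HEADER, data, 0)
    _, width, height, _, bpp, compression, image_size, *_ = struct.unpack_from(BMP_INFO_HEADER, data, 14)
    if image_size == 0 and compression == 0:    # uncompressed files may legitimately leave this 0
        row_bytes = (abs(width) * bpp // 8 + 3) & ~3
        image_size = row_bytes * abs(height)
    return declared_size, pixel_offset, image_size


def find_pe_headers(data, start=0):
    """Offsets of plausible embedded PE files: an 'MZ' whose e_lfanew (at +0x3C) points at 'PE\\0\\0'."""
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def inspect_bmp(data):
    """Return a list of findings; an empty list means the file looks like a plain bitmap."""
    declared_size, pixel_offset, image_size = bmp_layout(data)
    findings = []
    expected_end = pixel_offset + image_size
    if len(data) != declared_size:
        findings.append(f"actual size {len(data)} != declared {declared_size}")
    if len(data) > expected_end:
        findings.append(f"{len(data) - expected_end} trailing bytes after pixel array")
    for off in find_pe_headers(data, pixel_offset):
        findings.append(f"PE header at offset {off}")
    return findings


# Constructed stand-in for an executable: MZ stub, e_lfanew = 0x40, then the PE signature.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 60

CLEAN_BMP = build_bmp(8, 8)
STEGO_BMP = embed_payload(CLEAN_BMP, FAKE_PE)

if __name__ == "__main__":
    print("clean:", inspect_bmp(CLEAN_BMP))
    print("stego:", inspect_bmp(STEGO_BMP))
```

The size checks alone are a cheap first filter (a bitmap whose declared size disagrees with its length, or that carries a trailer past the pixel array, deserves a second look), but they miss a payload interleaved into pixel rows with the headers recomputed; the PE-signature scan is what covers that case, at the cost of false positives on images that happen to contain "MZ" with a consistent-looking e_lfanew, which in practice is rare.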

This updated payload delivery technique gives attackers a leg up in sidestepping detection.
