Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/2/2021
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'ObliqueRAT' Now Hides Behind Images on Compromised Websites

'Transparent Tribe' has switched its tactics for distributing the remote access Trojan, researchers found.

In the latest example of threat actors quickly shifting gears when their methods are discovered and exposed publicly, the operator of the remote access Trojan ObliqueRAT has now changed its infection tactics.

Researchers from Cisco Talos recently discovered that the so-called Transparent Tribe attack group behind ObliqueRAT is using malicious Microsoft Office documents to point users to compromised websites hosting its malicious payload. In previous campaigns, the attackers had used the weaponized Office documents to drop ObliqueRAT directly onto the victim's system. But now it's hiding the malware in seemingly benign image files on compromised websites, and using the poisoned Office documents merely to direct victims to the payload.

Related Content:

'Transparent Tribe' APT Group Deploys New Android Spyware for Cyber Espionage

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: Cybercrime 'Help Wanted': Job Hunting on the Dark Web

Steganography, hiding malicious code inside an image, is not new. But Cisco Talos threat researcher Asheer Malhotra says this technique of using malicious documents to point users to payloads in image files isn't very common. "The fact that this threat actor is now using this technique—that they've never used before—is interesting," Malhotra says. "This shows that the actors are constantly designing new infection techniques and evolving their capabilities with a focus on stealth."

ObliqueRAT is a Trojan that has been associated with campaigns targeting organizations in South Asia. The malware is equipped to primarily spy on users, including via the system webcam. It can take screenshots, steal files, and gives attackers the ability to deliver malicious content and execute arbitrary commands on compromised systems. Proofpoint, Kaspersky, and others that also have been tracking the group say Transparent Tribe is a highly active APT that has been operational since at least 2013 and mainly targeting Indian military targets and diplomatic offices including those based in Saudi Arabia and Kazakhstan.

Malhotra says that Cisco Talos researchers have been unable to determine exactly how the attackers are delivering the malicious Microsoft Office documents to victims. One possibility is that they are distributing it via an email-based infection vector, which is how a majority of malware is delivered these days. Another possibility is that the attacker is using URLs to deliver the malicious documents rather than email attachments.

Once the malicious document is on a system, the attackers simply need to trick the victim into opening the document. A malicious macro within the document is trigged when the document is closed. "The macro will fetch and decode the malicious ObliqueRAT payload from a compromised website," Malhotra says. "ObliqueRAT is then executed on the targeted endpoint using a malicious shortcut created by the macro in the currently logged-in user's Startup directory."

Malhotra says Cisco Talos also is unsure about the methods the attackers might be using to compromise websites and to plant a poisoned image file with the ObliqueRAT payload. Potential infection vectors could include everything from easily guessed weak credentials to known exploits hitting outdated and unpatched hosting platforms.

Just this week, Sophos reported on another threat actor likely using similar techniques to breach vulnerable websites and inject content. The attackers trick search engines into treating the infected site as a trustworthy source; in that campaign, too, the threat actor has been constantly evolving the malware and the malware distribution technique to try and stay one step ahead of defenders.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...