Cybercriminals are now deploying remote access Trojans (RATs) under the guise of seemingly innocuous images hosted on compromised websites, once again highlighting how quickly threat actors change tactics once their attack methods are discovered and publicly exposed.
New research published by Cisco Talos reveals a malware campaign targeting organizations in South Asia that uses malicious Microsoft Office documents laced with macros to spread a RAT that goes by the name of ObliqueRAT.
First documented in February 2020, the malware has been linked to a threat actor tracked as Transparent Tribe (aka Operation C-Major, Mythic Leopard, or APT36), a highly prolific group allegedly of Pakistani origin known for its attacks against human rights activists in that country as well as military and government personnel in India.
While the ObliqueRAT modus operandi previously overlapped with another Transparent Tribe campaign from December 2019 that disseminated CrimsonRAT, the new wave of attacks differs in two important ways.
In addition to using completely different macro code to download and deploy the RAT payload, the operators have also updated the delivery mechanism by cloaking the malware inside seemingly benign bitmap image files (.BMP files) hosted on a network of adversary-controlled websites.
"Another instance of a maldoc uses a similar technique with the difference being that the payload hosted on the compromised website is a BMP image containing a ZIP file that contains the ObliqueRAT payload," Talos researcher Asheer Malhotra said. "The malicious macros are responsible for extracting the ZIP and subsequently the ObliqueRAT payload on the endpoint."
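The delivery trick described above (a ZIP archive riding inside a file that still begins with a valid BMP header) is straightforward to check for on a mail gateway or sandbox. The following is an added example written for this page, not Talos code: it constructs a minimal BMP and a small ZIP in memory (both are constructed samples, and the member name `payload.exe` is a placeholder), then inspects the blob for bytes beyond the size the BMP header declares and for a ZIP local-file-header signature that actually parses as an archive.

```python
"""Detect a ZIP archive hidden inside or appended to a BMP file.

Added example, not Talos or campaign code. The BMP and the archive are
constructed in memory; 'payload.exe' is a placeholder member name.
"""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
BMP_FILE_HEADER = "<2sIHHI"       # magic, file size, reserved x2, pixel data offset
BMP_INFO_HEADER = "<IiiHHIIiiII"  # BITMAPINFOHEADER (40 bytes)
SUSPICIOUS_EXT = (".exe", ".dll", ".scr", ".vbs", ".js", ".ps1", ".bat")


def build_bmp(width=4, height=4):
    """Construct a minimal all-black 24-bit BMP (constructed sample, not a real lure)."""
    row_bytes = (width * 3 + 3) & ~3          # BMP rows are padded to 4 bytes
    pixel_bytes = row_bytes * height
    pixel_offset = 14 + 40
    file_size = pixel_offset + pixel_bytes
    file_hdr = struct.pack(BMP_FILE_HEADER, b"BM", file_size, 0, 0, pixel_offset)
    info_hdr = struct.pack(BMP_INFO_HEADER, 40, width, height, 1, 24, 0,
                           pixel_bytes, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(pixel_bytes)


def build_zip(members):
    """Construct a ZIP archive from {name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_bmp(data):
    """Return a report describing any ZIP archive carried by a BMP blob."""
    report = {"is_bmp": False, "trailing_bytes": 0, "zip_offset": None, "members": []}
    if len(data) < 54 or data[:2] != b"BM":
        return report
    _magic, declared_size, _r1, _r2, pixel_offset = struct.unpack(BMP_FILE_HEADER, data[:14])
    report["is_bmp"] = True
    # Check 1: bytes beyond the size the header declares. Image viewers ignore
    # them, which is why an appended archive does not break the picture.
    report["trailing_bytes"] = max(0, len(data) - declared_size)
    # Check 2: a ZIP local-file-header signature anywhere after the headers.
    # Pixel data can collide with the 4-byte signature by chance, so each hit
    # is validated by actually parsing an archive from that offset.
    pos = data.find(ZIP_LOCAL_HEADER, pixel_offset)
    while pos != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(data[pos:])) as zf:
                report["zip_offset"] = pos
                report["members"] = zf.namelist()
            break
        except zipfile.BadZipFile:
            pos = data.find(ZIP_LOCAL_HEADER, pos + 1)
    return report


def is_suspicious(report):
    """Flag a BMP that carries an archive with executable-looking members."""
    if report["zip_offset"] is None:
        return False
    return any(name.lower().endswith(SUSPICIOUS_EXT) for name in report["members"])


if __name__ == "__main__":
    clean = build_bmp()
    # Placeholder bytes; a real lure would carry the RAT executable here.
    lure = clean + build_zip({"payload.exe": b"MZ" + b"\x00" * 64})
    for label, blob in (("clean", clean), ("lure", lure)):
        r = inspect_bmp(blob)
        print(label, r["trailing_bytes"], r["zip_offset"], r["members"], is_suspicious(r))
```

Two caveats for production use: a BMP whose declared size already covers the archive (the header is attacker-controlled) defeats check 1, which is why the signature scan in check 2 does not trust the declared size; and the scan is a heuristic for one specific packaging, so it belongs beside, not instead of, detonation of the maldoc that fetches the image.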
Regardless of the infection chain, the goal is to trick victims into opening emails containing the weaponized documents, which, once opened, fetch the ObliqueRAT payload (version 6.3.5 as of November 2020) from malicious URLs and ultimately exfiltrate sensitive data from the target system.
But it is not just the distribution chain that has received an upgrade. At least four different versions of ObliqueRAT have been found since its discovery, changes that Talos suspects were made in response to earlier public disclosures, while its information-stealing capabilities have been expanded to include screenshot capture, webcam recording, and execution of arbitrary commands.
The use of steganography to deliver malicious payloads is not new, nor is the abuse of hacked websites to host malware. In this campaign the ZIP is carried inside the BMP file itself rather than being encoded into pixel values, so the image still opens as an ordinary picture while the macro extracts the archive from it.
In June 2020, Magecart groups were found concealing web skimmer code in the EXIF metadata of a website's favicon image. Earlier this week, researchers from Sophos uncovered a Gootkit campaign that leverages Search Engine Optimization (SEO) poisoning in hopes of infecting users with malware by directing them to fake pages on legitimate but compromised websites.
But this technique of using poisoned documents to point users to malware hidden in image files represents a shift in infection capabilities, aimed at slipping past without attracting too much scrutiny and staying under the radar.
"This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections," the researchers said. "Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms."