New ObliqueRAT Malware Campaign Now Integrates Steganography, Researchers Finds

Security researchers have identified a new malware campaign designed to infect host machines with ObliqueRAT, a remote access Trojan, with the help of malicious Microsoft Office documents.

Infecting email attachments, usually Microsoft Office docs, is a favorite tactic of attackers. It’s a simple method, and it works, but even these methods change from time to time. Catching infected attachments is not difficult for security solutions, so attackers must develop ways to circumvent cybersecurity software.

Instead of delivering infected docs, the attackers changed to the way they deploy the ObliqueRAT malware eventually. Instead of dropping the required files from the infected attachment, the new method relies on redirecting the user to click on a malicious link, leading to a valid BMP image. 

“This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections,” say the Cisco Talos researchers. “Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms. While file-signature and network-based detection is important, it can be complemented with system behavior analysis and endpoint protections for additional layers of security.”

Attackers first have to achieve persistence, which they do by adding a shortcut to the malicious URL into Windows startup. The image hosted on the website also contains executable bytes hidden in the image data bytes, allowing attackers to deploy the trojan. It’s a deployment technique named “steganography,” and while it’s not new, it’s yet another layer of obfuscation attackers use to try to evade security solutions.

ObliqueRAT is clearly becoming more complex with each iteration. Now, the malware campaign is growing as well, with threat actors trying hard to avoid detection by adding new obfuscation techniques. It’s an ongoing process, and they will likely continue with new techniques and change their M.O to try to stay ahead of the game.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top