Skip to content

S0333 UBoatRAT

UBoatRAT is a remote access tool that was identified in May 2017.1

Item Value
ID S0333
Associated Names
Version 1.1
Created 29 January 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols UBoatRAT has used HTTP for C2 communications.1
enterprise T1197 BITS Jobs UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell UBoatRAT can start a command shell.1
enterprise T1105 Ingress Tool Transfer UBoatRAT can upload and download files to the victim’s machine.1
enterprise T1027 Obfuscated Files or Information UBoatRAT encrypts instructions in the payload using a simple XOR cipher.1
enterprise T1057 Process Discovery UBoatRAT can list running processes on the system.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks UBoatRAT checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine.1
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications.1