Skip to content

S0644 ObliqueRAT

ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.12

Item Value
ID S0644
Associated Names
Version 1.0
Created 08 September 2021
Last Modified 15 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder ObliqueRAT can gain persistence by a creating a shortcut in the infected user’s Startup directory.1
enterprise T1025 Data from Removable Media ObliqueRAT has the ability to extract data from removable devices connected to the endpoint.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.1
enterprise T1030 Data Transfer Size Limits ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.1
enterprise T1083 File and Directory Discovery ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.003 Steganography ObliqueRAT can hide its payload in BMP images hosted on compromised websites.1
enterprise T1120 Peripheral Device Discovery ObliqueRAT can discover pluggable/removable drives to extract files from.1
enterprise T1057 Process Discovery ObliqueRAT can check for blocklisted process names on a compromised host.1
enterprise T1113 Screen Capture ObliqueRAT can capture a screenshot of the current screen.1
enterprise T1082 System Information Discovery ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints.1
enterprise T1033 System Owner/User Discovery ObliqueRAT can check for blocklisted usernames on infected endpoints.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs.12
enterprise T1125 Video Capture ObliqueRAT can capture images from webcams on compromised hosts.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks ObliqueRAT can halt execution if it identifies processes belonging to virtual machine software or analysis tools.1

Groups That Use This Software

ID Name References
G0134 Transparent Tribe 13