S0644 ObliqueRAT
ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.[1][2]
Item | Value |
---|---|
ID | S0644 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 08 September 2021 |
Last Modified | 15 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | ObliqueRAT can gain persistence by creating a shortcut in the infected user's Startup directory.[1] |
enterprise | T1025 | Data from Removable Media | ObliqueRAT has the ability to extract data from removable devices connected to the endpoint.[1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.[1] |
enterprise | T1030 | Data Transfer Size Limits | ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.[1] |
enterprise | T1083 | File and Directory Discovery | ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.[1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.003 | Steganography | ObliqueRAT can hide its payload in BMP images hosted on compromised websites.[1] |
enterprise | T1120 | Peripheral Device Discovery | ObliqueRAT can discover pluggable/removable drives to extract files from.[1] |
enterprise | T1057 | Process Discovery | ObliqueRAT can check for blocklisted process names on a compromised host.[1] |
enterprise | T1113 | Screen Capture | ObliqueRAT can capture a screenshot of the current screen.[1] |
enterprise | T1082 | System Information Discovery | ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints.[1] |
enterprise | T1033 | System Owner/User Discovery | ObliqueRAT can check for blocklisted usernames on infected endpoints.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | ObliqueRAT has gained execution on targeted systems by luring users into clicking links to malicious URLs.[1][2] |
enterprise | T1125 | Video Capture | ObliqueRAT can capture images from webcams on compromised hosts.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | ObliqueRAT can halt execution if it identifies processes belonging to virtual machine software or analysis tools.[1] |
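The T1027.003 entry above says only that the payload is hidden inside BMP images served from compromised sites; the page does not describe the embedding method. The following is an added, editor-written example (not code from the page, from ObliqueRAT, or from the cited Talos reports) of one common BMP carrier technique and the file-level check a hunter would run against it: the payload is appended after the pixel array that the BMP headers account for, so the image still renders, and the detection simply compares the on-disk size with the size the headers declare. The `MAGIC` marker, the append-after-pixels layout, and the sample payload are all assumptions made for illustration.

```python
"""
Editor-supplied example for T1027.003 (payload hidden in a BMP) plus a
triage check.  This is NOT ObliqueRAT's code; the carrier layout
(payload appended after the declared pixel array, tagged with an
assumed MAGIC marker) is an assumption chosen to illustrate the idea.
"""
import struct
import zlib
from typing import Optional

MAGIC = b"EXAMPLE-STEGO"  # assumed marker for this illustration only


def build_bmp(width: int, height: int, rgb=(0x20, 0x40, 0x60)) -> bytes:
    """Construct a valid single-colour 24-bit BMP (constructed sample input)."""
    row_bytes = ((width * 24 + 31) // 32) * 4      # rows padded to 4 bytes
    pixel_size = row_bytes * height
    pixel_offset = 14 + 40                          # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_size = pixel_offset + pixel_size
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, pixel_offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              pixel_size, 2835, 2835, 0, 0)
    row = bytes(rgb[::-1]) * width                  # BMP stores pixels as BGR
    row += b"\x00" * (row_bytes - width * 3)
    return file_header + info_header + row * height


def bmp_declared_end(data: bytes) -> Optional[int]:
    """Offset where the pixel array ends according to the headers, or None
    if the bytes are not a parseable BMP."""
    if len(data) < 54 or data[:2] != b"BM":
        return None
    _, _, _, _, pixel_offset = struct.unpack_from("<2sIHHI", data, 0)
    _, width, height, _, bpp, compression, size_image = struct.unpack_from(
        "<IiiHHII", data, 14)
    if size_image == 0 and compression == 0:        # BI_RGB may leave biSizeImage 0
        row_bytes = ((width * bpp + 31) // 32) * 4
        size_image = row_bytes * abs(height)
    return pixel_offset + size_image


def embed_payload(bmp: bytes, payload: bytes) -> bytes:
    """Append MAGIC | length | payload | CRC32 after the pixel array.  The
    headers are left untouched, so viewers still render the image."""
    trailer = (MAGIC + struct.pack("<I", len(payload)) + payload
               + struct.pack("<I", zlib.crc32(payload)))
    return bmp + trailer


def extract_payload(data: bytes) -> Optional[bytes]:
    """Recover a payload written by embed_payload, verifying its CRC32."""
    declared_end = bmp_declared_end(data)
    if declared_end is None:
        return None
    tail = data[declared_end:]
    if not tail.startswith(MAGIC) or len(tail) < len(MAGIC) + 4:
        return None
    n = struct.unpack_from("<I", tail, len(MAGIC))[0]
    start = len(MAGIC) + 4
    if len(tail) < start + n + 4:
        return None
    payload = tail[start:start + n]
    crc = struct.unpack_from("<I", tail, start + n)[0]
    return payload if zlib.crc32(payload) == crc else None


def check_bmp_for_trailing_data(data: bytes) -> dict:
    """Hunting heuristic: flag a BMP whose on-disk size exceeds what its
    headers account for, or whose bfSize field disagrees with the file."""
    declared_end = bmp_declared_end(data)
    if declared_end is None:
        return {"parsed": False}
    bf_size = struct.unpack_from("<I", data, 2)[0]
    trailing = len(data) - declared_end
    return {
        "parsed": True,
        "declared_end": declared_end,
        "bf_size": bf_size,
        "actual_size": len(data),
        "trailing_bytes": trailing,
        "suspicious": trailing > 0 or bf_size != len(data),
    }


if __name__ == "__main__":
    clean = build_bmp(8, 4)
    sample = b"constructed sample payload, not real malware"   # constructed
    stego = embed_payload(clean, sample)
    print(check_bmp_for_trailing_data(clean))    # suspicious: False
    print(check_bmp_for_trailing_data(stego))    # suspicious: True
    print(extract_payload(stego))
```

The check is deliberately cheap: it parses two fixed-size headers and needs no image library, so it can run over a proxy cache or a web server's document root at scale. It catches only the appended-data variant shown here; a payload spread across pixel low-order bits leaves the size fields consistent and needs statistical or known-marker analysis instead.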
Groups That Use This Software
ID | Name | References |
---|---|---|
G0134 | Transparent Tribe | [1][3] |
References
1. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
2. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
3. Baisini, N. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.