Experts from Cisco Talos discovered a new malware, tracked as ObliqueRAT, that appears a custom malware developed by a threat actor focused on government and diplomatic targets.
The malware was employed in targeted attacks against organizations in Southeast Asia
“Cisco Talos has recently discovered a new
The most recent campaign started in January 2020 and is still ongoing.
The threat actor uses phishing messages with weaponized Microsoft Office documents to deliver the RAT.
The malicious documents trick victims into inserting a password contained in the message to view their contents. The VB script in the
The malicious VB script included in the documents, once activated, will extract a malicious binary and drop an executable which drops the ObliqueRAT.
VBScript creates the following shortcut in the currently logged in user’s Start-Up directory to achieve persistence:
“The RAT ensures that only one instance of its process is running on the infected endpoint at any given time by creating and checking for a
The malware implements evasion and anti-analysis checks to avoid the execution of the implant on a Sandbox or to prevent the execution of the implant in a test environment.
“This campaign shows a threat actor conducting a targeted distribution of