Thursday, March 13, 2025
Follow us On Linkedin
HomeComputer SecurityObliqueRAT - A New RAT Malware Distributed Through Weaponized Office Documents Targeting...

ObliqueRAT – A New RAT Malware Distributed Through Weaponized Office Documents Targeting Government Organizations

Computer SecurityMalware

Published on

By Gurubaran
ObliqueRAT

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

A new malware campaign dubbed ObliqueRAT using malicious Microsoft Office documents to target government organizations in Southeast Asia.

Researchers believe that the ObliqueRAT campaign linked with the CrimsonRAT campaign as they share the same similar maldocs and macros.

In this campaign, attackers use phishing Email messages with weaponized Microsoft Office documents to deliver the ObliqueRAT malware.

ObliqueRAT Infection Chain

The malware reaches the endpoints in the form of weaponized Microsoft Word documents, with the file names “Company-Terms.doc & DOT_JD_GM.doc“.

If the user opens the document it asks for a password to view the contents of the document. Once the correct password is entered, the VB script in the malicious document gets activated.

ObliqueRAT

The malicious script then creates a shortcut in the Start-Up directory to achieve persistence if the machine is rebooted.

The second stage of the payload is ObliqueRAT which has various features & functions, the RAT communicates with the C&C server and then execute the commands.

The malware checks for the process named “Oblique” running on the infected machine, if already process is running then RAT will stop the execution.

Next, it collects the system information and sent to the command and control server. Also, the malware has a list of blacklisted usernames & computer name.

ObliqueRAT

If the blacklisted values match then it stops execution on the infected computer. The check is to avoid malware execution in Sandbox based detection system.

The communication between the C&C server is hardcoded, it hides the C&C IP address and the port number. It receives various command codes from the control server and performs functionalities.

Cisco Talos researchers also “discovered another variation of the ObliqueRAT attack distributed via a malicious dropper. The malicious dropper contains 2 EXEs embedded in it that will be dropped to disk during execution to complete the infection chain.”

ObliqueRAT Capabilities

  • Able to execute commands on the infected system
  • Exfiltrate files from the computer
  • An Attacker can drop additional files
  • Able to terminate any running process
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

APT

Blind Eagle Targets Organizations with Weaponized .URL Files to Steal User Hashes

In a significant development in the cybersecurity landscape, APT-C-36, more commonly known as Blind...
Press Release

INE Security Alert: Using AI-Driven Cybersecurity Training to Counter Emerging Threats

As Artificial Intelligence (AI)-powered cyber threats surge, INE Security, a global leader in cybersecurity...
CVE/vulnerability

Apache NiFi Vulnerability Exposes MongoDB Credentials to Attackers

A critical security vulnerability has been identified in Apache NiFi, a popular open-source data...
Amazon AWS

86,000+ Healthcare Staff Records Exposed Due to AWS S3 Misconfiguration

A non-password-protected database belonging to ESHYFT, a New Jersey-based HealthTech company, was recently discovered...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

cyber security

North Korean Hackers Use Google Play Malware to Steal SMS, Calls & Screenshots

Cybersecurity researchers at Lookout Threat Lab have uncovered a sophisticated Android surveillance tool dubbed...
cyber security

Fake CAPTCHA Malware Exploits Windows Users to Run PowerShell Commands

In early February 2025, Trustwave SpiderLabs uncovered a resurgence of a malicious campaign leveraging...
Cyber Security News

North Korean Hackers Deploy DocSwap Malware Disguised as Security Tool

In a recent cybersecurity threat discovery, the S2W Threat Research and Intelligence Center Talon...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved