Thursday, February 13, 2025
HomeComputer SecurityObliqueRAT - A New RAT Malware Distributed Through Weaponized Office Documents Targeting...

ObliqueRAT – A New RAT Malware Distributed Through Weaponized Office Documents Targeting Government Organizations

Published on

SIEM as a Service

Follow Us on Google News

A new malware campaign dubbed ObliqueRAT using malicious Microsoft Office documents to target government organizations in Southeast Asia.

Researchers believe that the ObliqueRAT campaign linked with the CrimsonRAT campaign as they share the same similar maldocs and macros.

In this campaign, attackers use phishing Email messages with weaponized Microsoft Office documents to deliver the ObliqueRAT malware.

ObliqueRAT Infection Chain

The malware reaches the endpoints in the form of weaponized Microsoft Word documents, with the file names “Company-Terms.doc & DOT_JD_GM.doc“.

If the user opens the document it asks for a password to view the contents of the document. Once the correct password is entered, the VB script in the malicious document gets activated.

ObliqueRAT

The malicious script then creates a shortcut in the Start-Up directory to achieve persistence if the machine is rebooted.

The second stage of the payload is ObliqueRAT which has various features & functions, the RAT communicates with the C&C server and then execute the commands.

The malware checks for the process named “Oblique” running on the infected machine, if already process is running then RAT will stop the execution.

Next, it collects the system information and sent to the command and control server. Also, the malware has a list of blacklisted usernames & computer name.

ObliqueRAT

If the blacklisted values match then it stops execution on the infected computer. The check is to avoid malware execution in Sandbox based detection system.

The communication between the C&C server is hardcoded, it hides the C&C IP address and the port number. It receives various command codes from the control server and performs functionalities.

Cisco Talos researchers also “discovered another variation of the ObliqueRAT attack distributed via a malicious dropper. The malicious dropper contains 2 EXEs embedded in it that will be dropped to disk during execution to complete the infection chain.”

ObliqueRAT Capabilities

  • Able to execute commands on the infected system
  • Exfiltrate files from the computer
  • An Attacker can drop additional files
  • Able to terminate any running process
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Palo Alto PAN-OS Zero-Day Flaw Allows Attackers to Bypass Web Interface Authentication

Palo Alto Networks has disclosed a zero-day vulnerability in its PAN-OS software (CVE-2025-0108), allowing...

Enhancing Threat Detection With Improved Metadata & MITRE ATT&CK tags

The cybersecurity landscape continues to evolve rapidly, demanding more sophisticated tools and methodologies to...

Hackers Exploit Ivanti Connect Secure Vulnerability to Inject SPAWNCHIMERA malware

In a concerning development, cybersecurity experts have identified active exploitation of a critical vulnerability...

ZeroLogon Ransomware Exploits Windows AD to Hijack Domain Controller Access

A newly intensified wave of ransomware attacks has surfaced, leveraging the infamous ZeroLogon vulnerability...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Exploit Ivanti Connect Secure Vulnerability to Inject SPAWNCHIMERA malware

In a concerning development, cybersecurity experts have identified active exploitation of a critical vulnerability...

Ratatouille Malware Bypass UAC Control & Exploits I2P Network to Launch Cyber Attacks

A newly discovered malware, dubbed "Ratatouille" (or I2PRAT), is raising alarms in the cybersecurity...

EARLYCROW: Detecting APT Malware Command and Control Activities Over HTTPS

Advanced Persistent Threats (APTs) represent a sophisticated and stealthy category of cyberattacks targeting critical...