{
	"id": "4b5ff1bf-399c-4057-bc0c-6c2843e1a425",
	"created_at": "2026-04-06T00:10:01.919999Z",
	"updated_at": "2026-04-10T13:11:20.331809Z",
	"deleted_at": null,
	"sha1_hash": "3232bc8eaa636c9d64b3e11ff745f45174f24e72",
	"title": "ObliqueRAT: New RAT hits victims' endpoints via malicious documents",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 708964,
	"plain_text": "ObliqueRAT: New RAT hits victims' endpoints via malicious\r\ndocuments\r\nBy Asheer Malhotra\r\nPublished: 2020-02-20 · Archived: 2026-04-05 22:43:43 UTC\r\nCisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents\r\n(maldocs) to spread a remote access trojan (RAT) we’re calling “ObliqueRAT.”\r\nThese maldocs use malicious macros to deliver the second-stage RAT payload.\r\nThis campaign appears to target organizations in Southeast Asia.\r\nNetwork-based detection, although important, should be combined with endpoint protections to combat this\r\nthreat and provide multiple layers of security.\r\nWhat’s New?\r\nCisco Talos has recently discovered a new campaign distributing a malicious remote access trojan (RAT) family\r\nwe’re calling “ObliqueRAT.” Cisco Talos also discovered a link between ObliqueRAT and another campaign from\r\nDecember 2019 distributing CrimsonRAT that shares similar maldocs and macros. CrimsonRAT has been known to\r\ntarget diplomatic and government organizations in Southeast Asia.\r\nHow did it work?\r\nThis RAT is dropped to a victim’s endpoint using malicious Microsoft Office documents (maldocs). The maldocs\r\naim to achieve persistence for the second-stage implant that contains a variety of RAT capabilities, which we’re\r\ncalling “ObliqueRAT.” In this post, we illustrate the core technical capabilities of the maldocs and the RAT\r\ncomponents including:\r\nThe maldoc-based infection chain.\r\nA variant distributed using a dropper EXE.\r\nDetailed capabilities and command codes of the RAT implant (second-stage payload).\r\nCommunication mechanisms used.\r\nSo what?\r\nThis malware is an example of how a simple yet effective RAT is used to implement a wide variety of malicious\r\ncapabilities. 
Key capabilities of ObliqueRAT include:\r\nAbility to execute arbitrary commands on an infected endpoint.\r\nAbility to exfiltrate files.\r\nAbility to drop additional files.\r\nhttps://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html\r\nPage 1 of 21\n\nAbility to terminate processes on the infected endpoint.\r\nAnalysis of a recently discovered preliminary variant of ObliqueRAT in this post presents insights into the\r\nevolution of this threat. Analysis of the key similarities and differences between the ObliqueRAT and CrimsonRAT\r\ncampaigns shows how the attackers have changed tactics and techniques to continue their attacks while trying to\r\nevade detection. This campaign also shows us that while network-based detection is\r\nimportant, it can be complemented with system behavior analysis and endpoint protections for additional layers of\r\nsecurity.\r\nAnalysis of Maldocs\r\nInitial Infection Vector\r\nThis threat arrives on the endpoint in the form of malicious Microsoft Word documents. The malicious documents\r\n(maldocs) prompt the end user for a password to view their contents. The malicious VBA script in the\r\nmaldocs is activated once the user enters the correct password for the document.\r\nThe maldocs have been known to have seemingly benign file names in the wild such as:\r\nCompany-Terms.doc\r\nDOT_JD_GM.doc\r\n[DOT_JD_GM may possibly stand for “Department Of Telecommunications_Job Description_General Manager”]\r\nThese file names indicate that the maldocs may be targeted towards specific individuals as part of a targeted\r\ndistribution campaign. The initial infection vector of this threat is most likely email-based, with the body of the\r\nmalicious email containing the password required to open the maldocs.\r\nMalicious VBA Analysis\r\nOnce opened, the maldoc activates a malicious VBA script that performs the following malicious activities:\r\n1. Extracts the contents of a form/textbox.\r\n2. 
This content consists of an MS Windows binary embedded as a character representation of the binary’s\r\nbytes delimited using a specific character (e.g. “O” used as a delimiter).\r\nDelimited Malicious MZ embedded in maldoc highlighted.\r\n3. The malicious binary is extracted from the maldoc by the VBA script and dropped on the endpoint to the\r\nlocation:\r\nC:\\Users\\Public\\sgrmbrokr.doc\r\n4. The file is subsequently renamed to an EXE: C:\\Users\\Public\\sgrmbrokr.exe\r\n5. The malicious VBScript then creates a shortcut in the currently logged-in user’s Start-Up directory to\r\nachieve persistence across reboots for the malicious executable (MZ) written to the file system in the previous\r\nsteps. The shortcut created is:\r\n%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\saver.url\r\n6. Once the shortcut is created the VBScript stops execution without executing the actual second-stage\r\npayload (ObliqueRAT).\r\nMalicious VBA script in maldocs\r\nSecond-stage payload analysis: ObliqueRAT\r\nThe second-stage binary (ObliqueRAT) contains the following features:\r\nRAT capabilities (detailed below).\r\nAbility to communicate with the command and control server (C2) to obtain command codes and send\r\nback executed command outputs.\r\nThreat Grid detects this implant as malicious.\r\nThreat Grid behavioral indicators for the implant.\r\nImplant’s core capabilities\r\nThe RAT analyzed consists of the following capabilities.\r\nMutex Creation\r\nThe RAT ensures that only one instance of its process is running on the infected endpoint at any given time by\r\ncreating and checking for a mutex named “Oblique”. 
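The delimiter-separated decimal encoding that the maldoc VBA uses for its embedded binary (described in the Malicious VBA Analysis section above), as an added example that is not code from the Talos post: a small Python decoder that turns the delimited byte values back into the embedded file and checks for the MZ header. The delimiter (the letter O, as in the analysed sample) is recovered from the blob itself; the tiny fake PE prefix used as input is constructed for the example, and pulling the textbox contents out of a real maldoc (e.g. with olevba or oledump) is not shown.

```python
# Added example (not from the Talos post): reverse the maldoc payload
# encoding. The VBA stores the second-stage EXE as decimal byte values
# separated by a delimiter character; this decodes that back to bytes.
from collections import Counter

MZ_MAGIC = b'MZ'

def guess_delimiter(blob: str) -> str:
    '''Return the most common non-digit character; the maldoc uses one
    fixed delimiter (e.g. the letter O) after every byte value.'''
    counts = Counter(c for c in blob if not c.isdigit())
    if not counts:
        raise ValueError('no delimiter character found in blob')
    return counts.most_common(1)[0][0]

def decode_delimited_bytes(blob: str, delimiter: str) -> bytes:
    '''Turn e.g. 77O90O144O into the bytes M, Z, 0x90.'''
    out = bytearray()
    for token in blob.split(delimiter):
        if token == '':
            continue            # trailing or doubled delimiter
        if not token.isdigit():
            raise ValueError('unexpected token: ' + token)
        value = int(token)
        if value > 255:
            raise ValueError('byte value out of range: ' + token)
        out.append(value)
    return bytes(out)

def encode_delimited_bytes(data: bytes, delimiter: str) -> str:
    '''The inverse, i.e. what the maldoc builder did; used to build the sample.'''
    return ''.join(str(b) + delimiter for b in data)

def extract_payload(blob: str):
    '''Return (delimiter, decoded bytes, True if the result starts with MZ).'''
    delimiter = guess_delimiter(blob)
    data = decode_delimited_bytes(blob, delimiter)
    return delimiter, data, data.startswith(MZ_MAGIC)

# Constructed sample input: a fake PE prefix, not the real implant.
SAMPLE_PAYLOAD = MZ_MAGIC + bytes([0x90, 0x00, 0x03, 0x00]) + b'This program cannot be run in DOS mode.'
SAMPLE_TEXTBOX = encode_delimited_bytes(SAMPLE_PAYLOAD, 'O')

if __name__ == '__main__':
    delim, payload, is_pe = extract_payload(SAMPLE_TEXTBOX)
    print('delimiter:', repr(delim), 'bytes:', len(payload), 'MZ header:', is_pe)
```

The same decoder applies to the CrimsonRAT maldocs the post compares later, which use the same decimal-plus-delimiter scheme with a different delimiter; only guess_delimiter needs to see enough of the blob to pick the separator reliably.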
If the named mutex already exists on the endpoint then the\r\nRAT will stop executing until the next login of the infected user account.\r\nMutex creation by implant\r\nGather initial system fingerprint\r\nOnce the malware has created the named mutex, it attempts to gather an initial fingerprint of the system. This\r\ninformation is later sent to the operating C2, which uses it to decide which commands to send next.\r\nSysinfo gathered by the RAT:\r\nComputer Name.\r\nCurrent User Account Name.\r\nWindows operating system (OS) version in the form of a textual representation. Values include:\r\nXP\r\nXP SP2\r\nVista\r\n7\r\n8\r\n8.1\r\n10\r\nOS bitness, i.e.\r\n64 bits\r\n32 bits\r\nDirectory \u0026 File Check: A unique feature of the RAT is that it looks for the presence of a specific directory\r\nand all files residing inside it. The directory path (folderpath) is hardcoded in the RAT:\r\nC:\\ProgramData\\System\\Dump\r\nIf this directory is present on the infected system then the RAT sends the keyword “Yes” to its C2 and “No”\r\notherwise.\r\nAnother hard-coded value from the implant, “5.2”, is sent to the C2. (This may indicate the version number of the\r\nimplant.)\r\nThe sysinfo gathered by the implant is then put together as a single string with the character “\u003e” used as a\r\ndelimiter.\r\nFormat used:\r\n(_variable_ = used for depicting a variable value)\r\n_ComputerName_\u003e_UserName_\u003eWindows _version-string_\u003e_implant-name-on-disk_\u003e_OS-bitness_\u003e_Dump_dir_files_exist_\u003e_hardcoded_implant_version_number_\u003e\r\nE.g.\r\nDESKTOP-SCOTTPC\u003ejon\u003eWindows 10\u003esgrmbrokr\u003e64 bits\u003eYes\u003e5.2\u003e\r\nAlthough the implant gathers the system information initially, it only sends this information out if it receives a\r\nspecific command code from the C2. 
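The sysinfo string format described above, as an added example that is not part of the original post: a Python parser for the seven-field beacon, plus a cheap triage check that can be run over a captured TCP payload from the C2 channel. The field names are this example’s own; the sample beacon reuses the example values the post gives.

```python
# Added example (not from the Talos post): parse the sysinfo beacon that
# ObliqueRAT sends in reply to command code 0. Fields are separated by '>'
# and the message ends with a trailing '>'; the dump-directory flag is the
# literal Yes or No. Useful in a C2 traffic decoder or a sandbox log parser.
from dataclasses import dataclass

FIELD_SEP = '>'
FIELD_COUNT = 7

@dataclass(frozen=True)
class Beacon:
    computer_name: str
    user_name: str
    os_version: str         # e.g. 'Windows 10'
    implant_name: str       # implant file name on disk, without extension
    bitness: str            # '64 bits' or '32 bits'
    dump_dir_present: bool  # hardcoded ProgramData dump directory exists (Yes/No)
    version: str            # hardcoded implant version, '5.2' in the samples

def parse_beacon(msg: str) -> Beacon:
    if not msg.endswith(FIELD_SEP):
        raise ValueError('beacon does not end with the field separator')
    parts = msg[:-len(FIELD_SEP)].split(FIELD_SEP)
    if len(parts) != FIELD_COUNT:
        raise ValueError('expected %d fields, got %d' % (FIELD_COUNT, len(parts)))
    if parts[5] not in ('Yes', 'No'):
        raise ValueError('dump-directory flag must be Yes or No, got ' + repr(parts[5]))
    return Beacon(parts[0], parts[1], parts[2], parts[3], parts[4], parts[5] == 'Yes', parts[6])

def looks_like_beacon(payload: bytes) -> bool:
    '''Triage check for a captured TCP payload: the structure must parse and
    the two fields drawn from a fixed vocabulary must hold expected values.'''
    try:
        b = parse_beacon(payload.decode('ascii'))
    except (UnicodeDecodeError, ValueError):
        return False
    return b.os_version.startswith('Windows ') and b.bitness in ('64 bits', '32 bits')

# Constructed sample using the example values given in the post.
SAMPLE_BEACON = 'DESKTOP-SCOTTPC>jon>Windows 10>sgrmbrokr>64 bits>Yes>5.2>'

if __name__ == '__main__':
    print(parse_beacon(SAMPLE_BEACON))
```

The triage check deliberately does not pin the version field to 5.2, so that a rebuilt implant with a bumped version string is still flagged; a rule that needs the exact observed build can compare Beacon.version separately.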
The implant also performs anti-infection checks before it fully activates\r\nitself on the endpoint.\r\nAnti-Infection Checks\r\nAnother interesting feature in the implant is that after it gathers the preliminary system information for\r\nfingerprinting, it performs a series of checks against the user and computer name it has obtained to identify\r\nendpoints or user accounts on which it must not run. If any of the values from its blacklist match the current\r\nuser/computer name, it simply stops its execution.\r\nThe usernames blacklisted by the implant are:\r\nJohn\r\nTest\r\nJohsnson\r\nArtifact\r\nVince\r\nSerena\r\nLisa\r\nJOHNSON\r\nVINCE\r\nSERENA\r\nA similar check is done for the computer name as well. The list of computer name values blacklisted by the\r\nimplant is:\r\nJOHN\r\nTEST\r\nBlacklisted user \u0026 computer names in the implant\r\nThe anti-infection checks may have been implemented to:\r\nAvoid successful execution of the implant on a sandbox-based detection system (anti-analysis technique)\r\nOR\r\nPrevent execution of the implant in the attackers’ test environment.\r\nRAT command codes and functionalities\r\nThe implant then connects to its C2 server using hardcoded values of its IP address and port number.\r\nImplant connecting to hardcoded C2 server.\r\nOn connection, the implant receives a command code from the C2 that corresponds to the capability the implant is\r\nsupposed to execute next on the endpoint. 
Also, every time the implant receives a command from the C2 it sends\r\nback an acknowledgement message to the C2 indicating that it has received the command code.\r\nThe acknowledgment sent to the C2 is always the keyword “ack”.\r\n“ack” sent to the C2 as an acknowledgment\r\nThe command codes, supporting command data (both sent by the C2) and capability description are detailed\r\nbelow.\r\nCommand Code = “5” Command Data = \u003cfilename or folderpath\u003e\r\nThis command code is used to find files and record file sizes in KB for files specified by a specific folder or file\r\npath. The data gathered by the implant is in the format:\r\n(_variable_ = used for depicting a variable value)\r\n_filepath_\u003c_size_in_KB_;_filepath_\u003c_size_in_KB_;\r\nE.g.\r\npony.txt\u003c4;bigpony.txt\u003c100;\r\nCommand Code = “0” Command Data = None\r\nSend the already gathered system information (sysinfo) described previously to the C2 server for fingerprinting\r\nthe infected host.\r\nImplant sending initial sysinfo to its C2 server.\r\nCommand Code = “1” Command Data = None\r\nThis command triggers the implant to determine the type of each of a fixed set of drives on the endpoint. 
The\r\ndrives to be checked are listed as hardcoded drive letters in the implant:\r\nA:\r\nB:\r\nC:\r\nD:\r\nE:\r\nF:\r\nG:\r\nH:\r\nI:\r\nJ:\r\nK:\r\nL:\r\nThe drive types for the drives checked on the system are represented textually by the implant using the following\r\nkeywords:\r\nUnknown\r\nRemovable Drive\r\nHard Drive\r\nNetwork Drive\r\nCD Drive\r\nRAM Disk\r\nThe data sent out for this command is in the format:\r\n(_variable_ = used for depicting a variable value)\r\n_drive-letter_\u003e_Drive-type_|_drive-letter_\u003e_Drive-type_|\r\nE.g.\r\nC:\u003eHard Drive|D:\u003eCD Drive|\r\nDrive letters and identification strings in the implant.\r\nCommand Code = “4” Command Data = \u003cfilename\u003e \u0026 \u003cZIP_file_name\u003e\r\nReceive a target filename and ZIP filename from the C2 server. Create a new ZIP file with the name provided in\r\nthe %temp% directory and add the target file to it. Once done, send the contents of the ZIP file to the C2 server.\r\nThe ZIP file is subsequently deleted from the endpoint after exfiltration.\r\nThe implant also records the target filename that has been exfiltrated (in ZIP form) from the endpoint to a log file\r\ncalled: %temp%\\lgb\r\nLog file containing the list of files exfiltrated from the endpoint.\r\nCommand Code = “4a” or “4e” Command Data = \u003ctarget filename\u003e\r\nVariant of command code “4.” The difference here is that the implant doesn’t require a separate ZIP file name\r\nfrom the C2; it simply derives the ZIP file name from the target filename.\r\nE.g. 
if the target file name is “abc.txt” then the ZIP file name is “abc.txt.ZIP”\r\nCommand Code = “6” Command Data = \u003cfolder path\u003e\r\nAccept a folder path from the C2 server, recursively find all files residing in the folder and ZIP them up into a\r\nZIP file with the same name as the folder path specified by the C2. (The ZIP file is created in the operating\r\ndirectory of the implant.) This ZIP file is then exfiltrated by the implant to the C2 and subsequently deleted.\r\nCommand Code = “3” Command Data = \u003cfoldername\u003e\r\nVariant of command code “5”. The difference here is that the implant accepts only a folder name and recursively\r\ncalculates the file sizes and builds the list of file paths and file sizes in the same format:\r\n_filepath_\u003c_filesize_;_filepath_\u003c_filesize_;_filepath_\u003c_filesize_;\r\nCommand Code = “7” Command Data = \u003ccommand_line\u003e\r\nExecute the given command line on the endpoint with high priority. (The output of the command executed on the\r\nendpoint is not sent back to the C2.)\r\nSample command executed by the implant on the endpoint.\r\nCommand Code = “8” Command Data = \u003cfilename\u003e, \u003cfilesize\u003e \u0026 \u003cfile_contents\u003e\r\nThis command is used by the implant to write a file sent by the C2 to the infected endpoint. To achieve this\r\nfunctionality the implant receives the following info from the C2 server:\r\nPath of the file to be written to on disk.\r\nSize of the file being sent by the C2.\r\nContents of the file to be written to disk.\r\nCommand Code = “backed” Command Data = None\r\nBack up the contents of the lgb log file to another file. The backup is done\r\nFrom = %temp%\\lgb\r\nTo = %temp%\\lgb2\r\nThe implant reads the lgb log file character by character and writes it to the lgb2 file. 
On encountering a newline\r\ncharacter, the newline is replaced by “*\\n” instead.\r\nOnce the backup is done the implant will remove the “lgb” log file and then rename the lgb2 file back to “lgb”\r\n(a convoluted backup mechanism).\r\nCommand Code = “rnm” Command Data = \u003cold_filename\u003e \u0026 \u003cnew_filename\u003e\r\nRename a file to a new name provided by the C2.\r\nFile rename capability of the implant.\r\nCommand Code = “tsk” Command Data = None\r\nThis command is used to gather the list of running processes on the system, record this information to a log file\r\nand exfiltrate the contents of the log file. Once the log file has been sent to the C2 it is removed from the endpoint.\r\nLog filepath used = C:\\ProgramData\\a.txt\r\nLog file format =\r\nRunning Processes\r\n\u003cprocess_image_name\u003e\r\n\u003cprocess_image_name\u003e\r\n\u003cprocess_image_name\u003e\r\n.\r\n.\r\n.\r\nProcess list snippet written to log file by the implant.\r\nCommand Code = “exit” Command Data = None\r\nStop execution of the implant on the endpoint without removing persistence from the Start-Up folder.\r\nCommand Code = “restart” Command Data = None\r\nRestart the socket connection to the C2.\r\nCommand Code = “kill” Command Data = \u003cprocess_name\u003e\r\nFind all processes with the name specified by the C2 and terminate them.\r\nThe implant’s capability to terminate processes running on the endpoint.\r\nCommand Code = “auto” Command Data = Custom\r\nThis command code is used to trigger a recursive search sweep of one or more directories specified by the C2\r\nserver. This sweep is done to verify the presence of files specified by a filename. 
The data specified by the C2 is:\r\nFolder path(s) to find files in.\r\nFile name(s) to find.\r\nFile extension(s) of the files to find.\r\nAny files matching the specified criteria are logged into the file C:\\ProgramData\\auto.txt\r\nFormat:\r\n_folderpath_\u003e_filename1_,_filename2_,_filenameN_\u003c_file-extn1_,_file-extn2_,_file-extnN_\r\nE.g.\r\nIf the command data sent by the C2 is:\r\nc:\\dummy\u003epony.txt,blah.exe\u003ctxt,exe\r\nThen if these files exist, the log file (“auto.txt”) will contain:\r\nc:\\dummy\\pony.txt\r\nc:\\dummy\\blah.exe\r\nThe log file (auto.txt) is then read and its contents are sent to the C2, followed by its deletion.\r\nCommand Code = “rht” Command Data = \u003cfilepath\u003e\r\nThis command is used to delete (remove) a file specified by the C2 server from the endpoint.\r\nRAT (Implant) Communication Mechanisms\r\nObliqueRAT utilizes the ws2_32.dll library to communicate with its C2. This library implements the Winsock\r\nsocket API on MS Windows.\r\nKeywords used by the RAT during communication are:\r\n“ack” = Acknowledgment of the command code received as well as an indicator of successful command\r\nexecution.\r\n“nak” = Indicates failure to execute functionality without providing a reason for the failure to the C2.\r\nVariant #0 - ObliqueRAT\r\nCisco Talos also discovered another variation of the ObliqueRAT attack distributed via a malicious dropper. The\r\nmalicious dropper contains 2 EXEs embedded in it that will be dropped to disk during execution to complete the\r\ninfection chain. 
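The Variant #0 dropper analysed in the next section carries its two payload EXEs appended to its own image behind “***” markers, and when run without those markers it packs a.exe and b.exe onto itself in that same layout. As an added example (not code from the post), the following Python performs that packing step and the inverse carving an analyst needs; unlike a naive first-two-markers split it tolerates a stray “***” inside the dropper stub by accepting only a marker pair whose two payloads both start with MZ. The stub and payload bytes are constructed for the example, not real samples.

```python
# Added example (not from the Talos post): pack and carve the Variant #0
# dropper layout, i.e. stub EXE + '***' + a.exe + '***' + b.exe.
MARKER = b'***'
MZ_MAGIC = b'MZ'

def pack(stub: bytes, first: bytes, second: bytes) -> bytes:
    '''What the dropper does to itself (as fin.exe) when no markers are present.'''
    return stub + MARKER + first + MARKER + second

def marker_offsets(image: bytes):
    '''Every offset at which the marker occurs, including ones inside the stub.'''
    offsets = []
    pos = image.find(MARKER)
    while pos >= 0:
        offsets.append(pos)
        pos = image.find(MARKER, pos + 1)
    return offsets

def carve(image: bytes):
    '''Return (stub, [payload1, payload2]). The stub may itself contain a stray
    marker (e.g. in a string), so try marker pairs in order and accept the
    first whose two payloads both start with MZ. (image, []) means unpacked.'''
    offsets = marker_offsets(image)
    for i, a in enumerate(offsets):
        for b in offsets[i + 1:]:
            p1 = image[a + len(MARKER):b]
            p2 = image[b + len(MARKER):]
            if p1.startswith(MZ_MAGIC) and p2.startswith(MZ_MAGIC):
                return image[:a], [p1, p2]
    return image, []

# Constructed sample: a fake stub containing a stray marker, and two fake payloads.
SAMPLE_STUB = b'MZ fake dropper stub *** with a stray marker in a string'
SAMPLE_A = b'MZ fake a.exe (hrss.exe)'
SAMPLE_B = b'MZ fake b.exe (lphsi.exe)'
SAMPLE_PACKED = pack(SAMPLE_STUB, SAMPLE_A, SAMPLE_B)

if __name__ == '__main__':
    stub, payloads = carve(SAMPLE_PACKED)
    print('stub bytes:', len(stub), 'payloads:', [len(p) for p in payloads])
```

A marker that happens to occur inside one of the embedded EXEs can still mislead the pair search; for real samples, cross-check the carved sizes against each payload’s PE headers (section table and SizeOfImage) before trusting the split.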
The initial distribution vector of this dropper is currently unknown.\r\nVariant #0 Artifacts:\r\nDropper EXE:\r\n4a25e48b8cf515f4cdd6711a69ccc875429dcc32007adb133fb25d63e53e2ac6\r\nObliqueRAT Variant #0 EXE:\r\n9da1a55b88bda3810ccd482051dc7e0088e8539ef8da5ddd29c583f593244e1c\r\nPersistence Component EXE:\r\nad17ada0171b9e619000902e62b26b949afb01b974a65258e4a7ecd59c248dba\r\nVariant #0 Dropper Analysis\r\nThe dropper consists of one EXE with another two additional EXEs embedded in it. During execution the dropper\r\nwill perform the following activities:\r\nIf specific file markers exist in the dropper’s binary file on disk (marker used = “***”):\r\n1. If the markers exist then read the data between the markers (there will be 2 such markers for 2 embedded\r\nEXEs) and write it to files on disk:\r\nC:\\Users\\Public\\Video\\hrss.exe\r\nC:\\Users\\Public\\Video\\lphsi.exe\r\n2. Execute these files using the ShellExecute API.\r\nIf the markers do not exist then it will package its components into a new copy of itself:\r\n1. Look for files named “a.exe” and “b.exe” in the current working directory and read their contents into\r\nmemory.\r\n2. Rename itself (the dropper) to “fin.exe”.\r\n3. Append to itself (fin.exe) the magic markers specified (“***”) and the contents of “a.exe” and “b.exe”,\r\nthereby completing the packing process.\r\nObliqueRAT component Functionalities (lphsi.exe)\r\nThe ObliqueRAT sample dropped by the dropper has the same capabilities as the ObliqueRAT sample discussed\r\nabove. There is a slight variation though (discussed in the comparison section below).\r\nThe 2nd EXE (hrss.exe) executed by the dropper is used only to establish persistence for the ObliqueRAT sample\r\n(lphsi.exe). 
This is done by creating a shortcut in the currently logged-in user’s Start-Up directory to execute\r\nObliqueRAT whenever the user logs into the infected endpoint.\r\nShortcut created: %userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\script.lnk\r\nMalicious shortcut (script.lnk) used for persistence.\r\nVariant #0 Comparison\r\nVariant #0 (9da1a55b88bda3810ccd482051dc7e0088e8539ef8da5ddd29c583f593244e1c) discovered by Cisco\r\nTalos looks like a preliminary version of the ObliqueRAT implant detailed in this post\r\n(37c7500ed49671fe78bd88afa583bfb59f33d3ee135a577908d633b4e9aa4035).\r\nThis is because of the following factors:\r\n1. Variant #0 has an earlier compile time of 04/11/2019 12:12:04 UTC while the ObliqueRAT implant\r\ndetailed in this post has a later compile time of 27/11/2019 08:40:10 UTC.\r\n2. Although the hardcoded version number of both implants is “5.2”, variant #0 contains an additional\r\nfeature where, if the implant fails to connect to the C2 server, it will display one of two message boxes\r\nconsisting of:\r\nTitle = scokerr\r\nText = sockerror\r\nand\r\nTitle = grace\r\nText = grace\r\nThis indicates that variant #0 may be a test copy of ObliqueRAT that was released into the wild by the attackers\r\nwithout scrubbing the message boxes used for debugging the C2 connection functionality (thus identified as\r\n“Variant #0”).\r\nThe malicious VBA scripts in the maldocs discovered by Talos semantically resemble a previously observed\r\nmaldoc distribution campaign (from 2019) delivering another .NET-based RAT family popularly known as\r\nCrimsonRAT. 
CrimsonRAT has been known to target organizations in Southeast Asia.\r\nAn example of a maldoc (from December 2019) observed distributing the CrimsonRAT malware is:\r\n965b90d435c1676fa78cdce1eee2ec70e3194c0e4f0d993bc36bfd9f77697969\r\nThe CrimsonRAT sample dropped by the maldoc is:\r\n98894973a86aa01c4f7496ae339dc73b5e6da2f1dbcd5fe1215f70ea7b889b85\r\nSimilarities Between the Two Campaigns\r\nThis CrimsonRAT maldoc, although not password-protected (unlike the maldocs containing\r\nObliqueRAT), shares the following similarities with the ObliqueRAT maldocs:\r\nSimilar VB variable naming conventions for filenames, folder names, ZIP file names:\r\nE.g.\r\nThe ObliqueRAT VBScripts use variables named:\r\nfile_Salan_name, fldr_Salan_name, zip_Salan_file\r\nwhile the CrimsonRAT VBScripts use variables named:\r\nfile_Allbh_name, fldr_Allbh_name, zip_Allbh_file\r\nSimilar decoding technique for the next-stage payload:\r\nBoth sets of VBScripts extract the embedded next-stage payload from a form (textbox) where the bytes of the\r\nnext-stage payload are character representations (of decimal numbers) delimited by a specific character.\r\nDifferences Between the Two Campaigns\r\nThe CrimsonRAT maldocs drop the next-stage payload to a ZIP file (e.g.\r\n%allusersprofile%\\intaRD\\thnaviwa.ZIP) on the filesystem.\r\nHowever, the ObliqueRAT maldocs drop the RAT payload directly to a file named:\r\nC:\\Users\\Public\\sgrmbrokr.exe\r\nAs mentioned above, the CrimsonRAT maldocs drop a malicious ZIP file on the disk first and then extract\r\nthe EXE within the archive file. This malicious EXE (.NET-based CrimsonRAT) is then executed on the\r\ninfected endpoint.\r\nThe ObliqueRAT maldocs, however, simply drop the malicious EXE (ObliqueRAT EXE) directly on the filesystem and\r\ncreate a shortcut in the infected user’s StartUp folder. 
The EXE is not executed, and the malware relies on the user\r\nlogging in again for the ObliqueRAT infection to trigger.\r\nObliqueRAT VBA (Left) vs CrimsonRAT VBA (Right) code\r\nConclusion\r\nThis campaign shows a threat actor conducting a targeted distribution of maldocs similar to those utilized in the\r\ndistribution of CrimsonRAT. However, what stands out here is that the actor is now distributing a new family of\r\nRATs. Although it isn’t technically sophisticated, ObliqueRAT consists of a plethora of capabilities that can be\r\nused to carry out various malicious activities on the infected endpoint. The fact that the maldocs are password protected\r\n(and that the ObliqueRAT implant contains probable anti-analysis techniques) indicates the attackers’\r\nintent to hide the malicious activities of the infection from an analyst. This campaign started in January 2020 and\r\nis still ongoing. This campaign also shows us that while network-based detection is important, it must be\r\ncomplemented with system behavior analysis and endpoint protections.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this\r\npost. Below is a screenshot showing how AMP can protect customers from this threat. 
Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nThreat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nAMP Detections\r\nAMP detects the ObliqueRAT implants as follows:\r\nObliqueRAT AMP detection\r\nObliqueRAT variant #0 AMP detection\r\nIndicators Of Compromise (IOCs)\r\nThe following IOCs are related to this threat:\r\nObliqueRAT\r\nMaldocs\r\n057da080ae0983585ae21195bee60d82664355a7fd78c25f21791b165c250212\r\ndfad2a80dac91e7703266197ebbf5d67ef77467ab341dd491ad25d92d8118cac\r\nDropper (for Variant #0)\r\n4a25e48b8cf515f4cdd6711a69ccc875429dcc32007adb133fb25d63e53e2ac6\r\n2nd Stage Malicious EXEs\r\nObliqueRAT - 37c7500ed49671fe78bd88afa583bfb59f33d3ee135a577908d633b4e9aa4035\r\nVariant #0 - 9da1a55b88bda3810ccd482051dc7e0088e8539ef8da5ddd29c583f593244e1c\r\nPersistence 
Component\r\nad17ada0171b9e619000902e62b26b949afb01b974a65258e4a7ecd59c248dba\r\nMutexes Created by 2nd Stage EXEs:\r\n“Oblique”\r\nC2 IP Addresses and URLs:\r\n185[dot]117.73.222:3344\r\nCrimsonRAT\r\nMaldocs\r\n965b90d435c1676fa78cdce1eee2ec70e3194c0e4f0d993bc36bfd9f77697969\r\nNext Stage Malicious ZIPs \u0026 EXEs\r\n3671b7ed9f67098d2a534673ed9ff46e90c03269c0bdd9b6f39ae462915ecdcb [ZIP]\r\n2911a3da2299817533ca27a0d44c8234fdf9ecd0a285358041da245581673d6f [ZIP]\r\n98894973a86aa01c4f7496ae339dc73b5e6da2f1dbcd5fe1215f70ea7b889b85 [exe]\r\ne436be68cdbdb7ea20e5640ad5fa5eca1da71edb9943c3bde446b4c75dacfbd0 [exe]\r\nSource: https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html"
	],
	"report_names": [
		"obliquerat-hits-victims-via-maldocs.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434201,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3232bc8eaa636c9d64b3e11ff745f45174f24e72.pdf",
		"text": "https://archive.orkl.eu/3232bc8eaa636c9d64b3e11ff745f45174f24e72.txt",
		"img": "https://archive.orkl.eu/3232bc8eaa636c9d64b3e11ff745f45174f24e72.jpg"
	}
}