{
	"id": "2449840d-71e1-45ac-b69b-10c6f76371cf",
	"created_at": "2026-04-06T01:31:35.794607Z",
	"updated_at": "2026-04-10T03:21:17.024492Z",
	"deleted_at": null,
	"sha1_hash": "3a0f9d0d906e8df660a51732eba33de88cdd8cf8",
	"title": "UBoatRAT Navigates East Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 499505,
	"plain_text": "UBoatRAT Navigates East Asia\r\nBy Kaoru Hayashi\r\nPublished: 2017-11-28 · Archived: 2026-04-06 01:10:04 UTC\r\nExecutive Summary\r\nPalo Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called\r\nUBoatRAT. The initial version of the RAT, found in May of 2017, was a simple HTTP backdoor that uses a public\r\nblog service in Hong Kong and a compromised web server in Japan for command and control. The developer soon\r\nadded various new features to the code and released an updated version in June. The attacks with the latest\r\nvariants we found in September have the following characteristics.\r\nTargets personnel or organizations related to South Korea or the video games industry\r\nDistributes malware through Google Drive\r\nObtains C2 address from GitHub\r\nUses Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence.\r\nTargets\r\nWe don't know the exact targets at the time of this writing. However, we theorize the targets are personnel or\r\norganizations related to Korea or the video games industry. One of the reasons for the hypothesis is the file names\r\nused by the attacker when delivering the malware. We see Korean-language game titles, Korea-based game\r\ncompany names and some words used in the video games business on the list. Another reason is that UBoatRAT\r\nperforms malicious activities on the compromised machine only when it is joined to an Active Directory domain. Most\r\nhome user systems are not part of a domain, and as such would not be impacted the same way. Below are some of\r\nthe file names associated with UBoatRAT deliveries. The first three file names are written in Korean and only\r\ninclude general business topics. 
The last one contains the unreleased game title “Project W” and the Korea-based\r\nvideo game company’s name.\r\n2017년 연봉인상 문의 사항관련 피드백 조사.exe (2017 annual salary raise inquiry related feedback\r\nsurvey)\r\n2017년 연봉인상 문의 사항관련 피드백 전달.exe (2017 annual salary raise feedback)\r\n[사업]roykim's_resumeexe ([Business]RyoKim's__resume__20170629.exe)\r\n[Project W]Gravity business cooperation.exe\r\nDelivery and Installation\r\nWe observed multiple variants of UBoatRAT delivered from Google Drive. Not all of the links were active at the\r\ntime of our analysis, but some (including the one below) were.\r\nhttps://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/\r\nPage 1 of 7\n\nFigure 1 Download from Google Drive\r\nThe zip archive hosted on Google Drive contains the malicious executable file disguised as a folder or a Microsoft\r\nExcel spreadsheet. The latest variants of UBoatRAT, released in late July or later, masquerade as Microsoft\r\nWord document files.\r\nFigure 2 Examples of UBoatRAT Masquerading\r\nWhen executed, UBoatRAT checks for the following two conditions on the compromised machine.\r\nDetecting virtualization software such as VMware, VirtualBox or QEMU.\r\nObtaining the domain name from network parameters\r\nIf the RAT detects a virtual environment or fails to get the domain name, it displays the following fake error message\r\nand quits.\r\nFigure 3 Fake error message\r\nOtherwise, UBoatRAT copies itself as C:\\programdata\\svchost.exe, creates C:\\programdata\\init.bat and executes\r\nthe bat file. It then displays the following message and quits.\r\nFigure 4 Fake Error Message after installation\r\nPersistence with BITS\r\nUBoatRAT achieves persistence by using Microsoft Windows Background Intelligent Transfer Service (BITS).\r\nBITS is a service for transferring files between machines. 
Though the most famous application using the service is\r\nWindows Update, other applications or users can take advantage of the component. Bitsadmin.exe is a command-line tool with which a user can create and monitor BITS jobs. The tool provides the /SetNotifyCmdLine option, which executes\r\na program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure\r\nit stays running on a system, even after a reboot.\r\nThe following is the contents of init.bat. At the second line, the local file net.exe is specified to transfer to\r\n%temp%\\sys.log. After copying the local file, BITS executes the UBoatRAT file configured with\r\n/SetNotifyCmdLine at the third line.\r\nbitsadmin /create d1f2g34\r\nbitsadmin /addfile d1f2g34 c:\\windows\\system32\\net.exe  %temp%\\sys.log\r\nbitsadmin /SetNotifyCmdLine d1f2g34 \"c:\\programdata\\svchost.exe\" \"\"\r\nbitsadmin /Resume d1f2g34\r\nDel %0\r\nThe BITS job keeps executing the malware periodically even if the computer reboots. To remove the job from the\r\nqueue, Complete or Cancel must be called on it explicitly. According to the article from Microsoft, the job remains\r\nin the queue for 90 days by default if you don't call Complete or Cancel.\r\nC2 communication and backdoor commands\r\nThe attacker behind UBoatRAT hides the C2 address and the destination port in a file hosted on GitHub, using\r\na URL like the following:\r\nhttps://raw.githubusercontent[.]com/r1ng/news/master/README.md\r\nThe malware accesses the URL and decodes the characters between the string “[Rudeltaktik]” and the character “!”\r\nusing Base64. 
\"Rudeltaktik\" is the German military term which describes the submarine warfare strategy used\r\nduring World War II.\r\nIn the case below, the string can be decoded to 115.68.49[.]179:80.\r\n[Rudeltaktik]MTE1LjY4LjQ5LjE3OTo4MA==!\r\nUBoatRAT uses a custom command and control protocol to communicate with the attacker’s server. The malware\r\nplaces the string '488' (0x34, 0x38, 0x38 in hex) at the top of the payload or instruction and encrypts the entire\r\nbuffer with the static key 0x88 by using a simple XOR cipher. As a result, the network payload always starts with 0xBC,\r\n0xB0, 0xB0.\r\nFigure 5 '488' marker\r\nFigure 6 Encrypted '488' marker by static key\r\nWe assume the attacker picked '488' from the number of one of the German submarines, because the author calls the RAT UBoat-Server.\r\nFigure 7 UBoat_Server in the malware\r\nAfter establishing a covert channel with C2, the threat waits for the following backdoor commands from the attacker.\r\nCommand - Description\r\nalive - Checks whether the RAT is alive\r\nonline - Keeps the RAT online by sending packets to C2 periodically\r\nupfile - Uploads file to compromised machine\r\ndownfile - Downloads file from compromised machine\r\nexec - Executes process with UAC bypass using Eventvwr.exe and registry hijacking\r\nstart - Starts CMD shell\r\ncurl - Downloads file from specified URL\r\npslist - Lists running processes\r\npskill - Terminates specified process\r\nDevelopment of UBoatRAT\r\nAt the time of this writing, we have identified fourteen samples of UBoatRAT and one downloader associated with\r\nthe attacks. Most UBoatRAT samples retrieve the C2 address from GitHub as described above. Only one sample,\r\nreleased in May, connected to a public blog service in Hong Kong and a compromised legitimate web server in Japan\r\nas C2. The sample uses the regular HTTP protocol for communication. 
The blog account, 'elsa_kr', has existed\r\nsince April 2016 and has no meaningful content at this time.\r\nFigure 8 Public Blog used as C2\r\nThe author released a new version employing various new features in June. The first build of this new version\r\nobtains a C2 address from the repository 'uuu' owned by the GitHub account 'elsa999'. At the time of this writing,\r\nthe 'uuu' repository has been deleted. It has since been replaced by three other repositories ('uj', 'hhh' and 'enm') all\r\nhosting an encoded combination of IP address and port in the account. According to the file history, the author has\r\nfrequently been updating these files since July. After performing a quick analysis, we concluded these three\r\nrepositories are for development and testing purposes, for the following reasons.\r\nThey use a different marker, '###NEWS###', instead of '[Rudeltaktik]'.\r\nThe encoded global IP addresses differ from those in known UBoatRAT samples.\r\nThe author always changes the encoded address back to localhost (127.0.0.1) within a short period.\r\nFigure 9 GitHub account for testing\r\nThe 'elsa999' user also has the following three PowerShell scripts in their repositories. These scripts are written by\r\nother authors for penetration testing.\r\ngpp_autologon.ps1\r\ngpp_pwd.ps1\r\nwmi_scan.ps1\r\nConclusion\r\nThough the latest version of UBoatRAT was released in September, we have seen multiple updates in the elsa999\r\naccount on GitHub in October. The author seems to be vigorously developing or testing the threat. 
We will\r\ncontinue to monitor this activity for updates.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nAll samples discussed are classified as malicious by WildFire and Threat Prevention\r\nTraps prevents the malware discussed in this report from executing\r\nAutoFocus users can track the malware described in this report using the UBoatRAT\r\nIndicators\r\nUBoatRAT SHA256\r\nDownloader SHA256\r\nf4c659238ffab95e87894d2c556f887774dce2431e8cb87f881df4e4d26253a3\r\nWeb Access\r\nhttps://raw.githubusercontent[.]com/r1ng/news/master/README.md\r\nhttps://raw.githubusercontent[.]com/elsa999/uuu/master/README.md\r\nhttp://www.ak(masked)[.]jp/images/ 
http://elsakrblog.blogspot[.]hk/2017/03/test.html\r\nC2\r\nFile\r\nC:\\programdata\\init.bat\r\nC:\\programdata\\svchost.exe\r\nSource: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/"
	],
	"report_names": [
		"unit42-uboatrat-navigates-east-asia"
	],
	"threat_actors": [],
	"ts_created_at": 1775439095,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a0f9d0d906e8df660a51732eba33de88cdd8cf8.pdf",
		"text": "https://archive.orkl.eu/3a0f9d0d906e8df660a51732eba33de88cdd8cf8.txt",
		"img": "https://archive.orkl.eu/3a0f9d0d906e8df660a51732eba33de88cdd8cf8.jpg"
	}
}