Palo Alto Networks reported that hackers have used a custom remote access Trojan (RAT) in attacks related to South Korean organizations and the video gaming industry.
The custom trojan is called UBoatRAT and it’s distributed via Google Drive links. The RAT obtains its command and control (C&C) address from GitHub and uses Microsoft Windows Background Intelligent Transfer Service (BITS) for maintaining persistence.
UBoatRAT was first noticed in May of this year, when it was a simple HTTP backdoor using a public blog service in Hong Kong and a compromised web server in Japan for C&C. Since then, the malware's author has added many new features and released several updated versions of the trojan. The analyzed attacks were spotted in September 2017.
Currently, the malware's targets are not clear; however, the Palo Alto Networks experts think they are related to Korea or the video games industry, because the delivery files used Korean-language game titles, Korea-based game company names, and terms from the video games business.
According to the researchers, UBoatRAT performs malicious activities on the compromised machine only when that machine is joined to an Active Directory domain, meaning that most home user systems won't be impacted because they are not part of a domain.
Usually, UBoatRAT is delivered via a ZIP archive hosted on Google Drive that contains a malicious executable file disguised as a folder or a Microsoft Excel spreadsheet. The latest variants of the trojan masquerade as Microsoft Word document files.
Once running on a compromised machine, UBoatRAT checks for virtualization software such as VMware, VirtualBox and QEMU, and tries to obtain the domain name from the network parameters. If the threat finds a virtual environment or fails to get the domain name, it shows a fake error message and quits the process.
Otherwise, the trojan copies itself to C:\programdata\svchost.exe, creates and executes C:\programdata\init.bat, displays a specific message and quits.
UBoatRAT uses the Microsoft Windows Background Intelligent Transfer Service (BITS) for persistence, so it is able to run even after the system reboots. The C&C address and destination port are hidden in a file hosted on GitHub, which the malware fetches from a specific URL. A custom C&C protocol is employed for communication with the attacker's server.
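For responders, the two host artifacts the report names (the ProgramData copy of svchost.exe and init.bat, plus a BITS job that keeps the binary running) can be checked with a short triage script. The PowerShell below is an added example, not code from the article or from Palo Alto Networks; it assumes the RAT's BITS job references the ProgramData binary in its file list or notify command line (the report does not state which BITS feature is used) and should be run from an elevated prompt so that other users' jobs are visible.

```powershell
# Added example (not from the article): triage a Windows host for the UBoatRAT
# artifacts the report names. Matching on the ProgramData path avoids false hits on
# the legitimate C:\Windows\System32\svchost.exe.
$Indicators = @(
    "$env:SystemDrive\programdata\svchost.exe",
    "$env:SystemDrive\programdata\init.bat"
)

function Find-UBoatRatArtifacts {
    $findings = @()

    # 1. Dropped files: the RAT copies itself and its batch launcher into ProgramData.
    foreach ($path in $Indicators) {
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $path }
        }
    }

    # 2. BITS jobs of every user that point at ProgramData\svchost.exe, either as a
    #    transfer target or as the command BITS runs when the job completes
    #    (assumption: the persistence job references the binary in one of these).
    Import-Module BitsTransfer -ErrorAction SilentlyContinue
    foreach ($job in (Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)) {
        $parts = @($job.NotifyCmdLine) + @($job.FileList | ForEach-Object { $_.LocalName })
        $text  = ($parts -join ' ')
        if ($text -match '(?i)programdata\\svchost\.exe') {
            $findings += [pscustomobject]@{
                Type   = 'BITSJob'
                Detail = "$($job.DisplayName) [$($job.JobId)] owner=$($job.OwnerAccount)"
            }
        }
    }
    return $findings
}

# Print anything found; an empty table means none of the named artifacts are present.
Find-UBoatRatArtifacts | Format-Table -AutoSize
```

A hit on the BITS job alone is worth preserving before removal, since the job's owner account and creation time help establish when the host was compromised.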
Among the backdoor commands received from the attacker are: alive (checks whether the RAT is alive), online (keeps the RAT online), upfile (uploads a file to the compromised machine), downfile (downloads a file from the compromised machine), exec (executes a process with a UAC bypass using Eventvwr.exe and registry hijacking), start (starts a CMD shell), curl (downloads a file from a specified URL), pslist (lists running processes), and pskill (terminates a specified process).
The Palo Alto experts have identified fourteen samples of UBoatRAT, as well as one downloader associated with the attacks. The researchers have also linked the trojan to the GitHub account 'elsa999' and concluded that its creator has been updating the account's repositories frequently.