Cybercriminals are now deploying remote access Trojans (RATs) under the guise of seemingly innocuous images hosted on infected websites, once again highlighting how threat actors quickly change tactics when their attack methods are discovered and exposed publicly.
New research released by Cisco Talos reveals an active malware campaign targeting organizations in South Asia that utilize malicious Microsoft Office documents forged with macros to spread a RAT that goes by the name of ObliqueRAT.
First documented in February 2020, the malware has been linked to a threat actor tracked as Transparent Tribe (aka Operation C-Major, Mythic Leopard, or APT36), a highly prolific group allegedly of Pakistani origin known for its attacks against human rights activists in the country as well as military and government personnel in India.
While the ObliqueRAT modus operandi previously overlapped with another Transparent Tribe campaign in December 2019 to disseminate CrimsonRAT, the new wave of attacks differs in two crucial ways.
In addition to making use of a completely different macro code to download and deploy the RAT payload, the operators of the campaign have also updated the delivery mechanism by cloaking the malware in seemingly benign bitmap image files (.BMP files) on a network of adversary-controlled websites.
"Another instance of a maldoc uses a similar technique with the difference being that the payload hosted on the compromised website is a BMP image containing a ZIP file that contains ObliqueRAT payload," Talos researcher Asheer Malhotra said. "The malicious macros are responsible for extracting the ZIP and subsequently the ObliqueRAT payload on the endpoint."
Regardless of the infection chain, the goal is to trick victims into opening emails containing the weaponized documents, which, once opened, direct victims to the ObliqueRAT payload (version 6.3.5 as of November 2020) via malicious URLs and ultimately export sensitive data from the target system.
But it's not just the distribution chain that has received an upgrade. At least four different versions of ObliqueRAT have been discovered since its discovery, which Talos suspects are changes likely made in response to previous public disclosures, while also expanding on its information-stealing capabilities to include a screenshot and webcam recording features and execute arbitrary commands.
The use of steganography to deliver malicious payloads is not new, as is the abuse of hacked websites to host malware.
In June 2020, Magecart groups were previously found to hide web skimmer code in the EXIF metadata for a website's favicon image. Earlier this week, researchers from Sophos uncovered a Gootkit campaign that leverages Search Engine Optimization (SEO) poisoning in hopes of infecting users with malware by directing them to fake pages on legitimate but compromised websites.
But this technique of using poisoned documents to point users to malware hidden in image files presents a shift in infection capabilities with an aim to slip through without attracting too much scrutiny and stay under the radar.
"This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections," the researchers said. "Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms."