by kiwi, 12-05-2017 05:33 AM - edited 12-05-2017 08:52 AM
The initial RAT (Remote Access Trojan) code was discovered in May this year. The new variant, UBoatRAT, adds features to that code and, despite the name, has nothing to do with a RAT on a submarine.
While it's still unclear what the exact targets are, Unit 42 believes that the targets are personnel and organizations related to the Korean gaming industry.
The malware is distributed through Google Drive and achieves persistence by abusing the Microsoft Windows Background Intelligent Transfer Service (BITS), the file-transfer service used by Windows Update. UBoatRAT takes advantage of BITS to ensure it keeps running on a system, even after a reboot.
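Because BITS jobs survive reboots and can launch a program when a transfer completes, a defender's first check is simply to enumerate them. The following hunting snippet is an added example (not from the original post or from Unit 42): it lists BITS jobs for all users and flags any that carry a completion command or pull from a host outside an allow-list you define; the `$allowedHosts` values are placeholders to tune for your own environment.

```powershell
# Added hunting snippet (not from the original post or Unit 42).
# Run from an elevated PowerShell session; -AllUsers needs administrator rights.
# Assumption: legitimate BITS jobs in this estate only download from the hosts below.
$allowedHosts = @('microsoft.com', 'windowsupdate.com')

function Find-SuspiciousBitsJobs {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()

        # A job that runs a command line when it finishes is a well-known persistence hook.
        if ($job.NotifyCmdLine) {
            $reasons += "runs command on completion: $($job.NotifyCmdLine)"
        }

        foreach ($file in $job.FileList) {
            $uri = $null
            try { $uri = [uri]$file.RemoteName } catch { }
            $allowed = $false
            if ($uri) {
                foreach ($h in $allowedHosts) {
                    if ($uri.Host -eq $h -or $uri.Host -like "*.$h") { $allowed = $true }
                }
            }
            if (-not $allowed) {
                $reasons += "non-allowlisted source: $($file.RemoteName) -> $($file.LocalName)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Created = $job.CreationTime
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousBitsJobs | Format-Table -AutoSize
```

Review any hit before removing it with `Remove-BitsTransfer`, since software deployment tools also create legitimate BITS jobs.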
The command and control (C2) address is obtained from GitHub and the malware uses a custom C2 protocol to communicate with the attacker's server.
The malware places the string '488' at the top of the payload, which might be a reference to one of the German submarines, given that the author calls the RAT UBoat-Server.
The latest version of the malware was released in September, but multiple updates have been seen on GitHub, which might indicate that the author is developing or testing the threat.
Check out all the details and how Palo Alto Networks customers are protected from this threat on the Unit 42 blog!