UBoatRAT targets East Asia

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member

The initial RAT code (Remote Access Trojan) was discovered in May this year.  With added features to the code, the new variant UBoatRAT has nothing to do with a RAT on a submarine.

 

uboatrat.gif

While it's still unclear what the exact targets are, Unit 42 believes that the targets are personnel and organizations related to the Korean gaming industry.

 

The distribution of the malware happens through Google Drive, and it achieves persistence by using Microsoft Windows Background Intelligent Transfer Service (BITS), a service for transferring files between machines, used by Windows Update. UBoatRAT takes advantage of BITS to ensure it stays running on a system, even after a reboot.

 

The command and control (C2) address is obtained from GitHub and the malware uses a custom C2 protocol to communicate with the attacker's server.

 

The malware places the string '488' at the top of the payload, which might be a reference to one of the German submarines seeing that the author calls the RAT UBoat-Server.

 

The latest version of the malware was released in September, but multiple updates have been seen on GitHub, which might indicate that the author is developing or testing the threat.

 

Check out all the details and how Palo Alto Networks customers are protected from this threat on the Unit 42 blog!

 

-Kiwi out.

  • 6744 Views
  • 0 comments
  • 2 Likes
Register or Sign-in
Labels
Top Liked Authors