image
The ObliqueRAT malware is now cloaking its payloads as seemingly-innocent image files that are hidden on compromised websites. The remote access trojan (RAT), which has been operating since 2019, spreads via emails, which have malicious Microsoft Office documents attached. Previously, payloads were embedded into the documents themselves. Now, if users click on the attachment, they’re redirected to malicious URLs where the payloads are hidden with steganography. Researchers warn that this new tactic has been seen helping ObliqueRAT operators to avoid detection during the malware’s targeting of various organizations in South Asia — where the goal is to ultimately sends victims an email with malicious Microsoft Office documents, which, once clicked, fetch the payloads and ultimately exfiltrate various data from the victim. “This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections,” said Asheer Malhotra, researcher with Cisco Talos, on Tuesday. “Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms.” What is the ObliqueRAT Malware? The known activity for ObliqueRAT dates back to November 2019, part of a campaign targeting entities in Southeast Asia and uncovered by Cisco Talos researchers in February 2020. ObliqueRAT operators have always used emails with malicious attachments as an…

Source