The infamous ObliqueRAT Trojan is now camouflaging itself as harmless photo and image documents on compromised websites 

The ObliqueRAT i.e the Oblique Remote Access Trojan had been detected back in early 2020 when it started making its presence known.

The ObliqueRAT Trojan had been tracked back to South Asia since it started initiating the trojan attacks.

Originally, it was presumed that the ObliqueRAT Trojan was a simple ‘RAT’, showing the standard characteristics and functionalities of a trojan aimed at data poach. 

Typical Trojan mal-abilities include file exfiltration, data theft, as well as the termination of existing processes, and connection to command-and-control servers. These trojans can also scan for evidence directing that a target victim is sandboxed.

Sandboxing, in particular, is a reverse-engineering process for trojans implemented by cybersecurity experts.

Initiating the ObliqueRAT trojan:

Since its early breakthrough,  the ObliqueRAT Trojan has been updated with new technical malware abilities and employs an extensive set of infection media.

In recent reports, the ObliqueRAT Trojan was observed to be deploying the RAT in a similar area and has modified how the malware is served on target systems.

The immediate implementation of the trojan was initiated via Microsoft Office documents that were sent using phishing and scam emails to a victim containing malicious macros.

However, a recent analysis of the trojan detected the deployment of these maldocs that route victims to malicious websites, most likely to evade email security controls.

According to cybersecurity experts, steganography, a technique used for stashing code, images, files, documents, and video content in other file formats, is being administered in the trojan. 

Experts have discovered .BMP files concealing malicious ObliqueRAT Trojan payloads.

Victim websites host these .BMP files that are hacked by bad actors. Part of these files contains somewhat authentic data however, executable bytes are also hidden in RGB data. When these bytes are viewed by the target, it triggers a. ZIP file that downloads trojan. 

According to the experts, the malicious macros are hidden in the maldoc extract the archive file, and deploy the ObliqueRAT Trojan on the victim’s system. 

Variants of the ObliqueRAT trojan:

In total, four new versions of the malware have been recently discovered and appear to have been developed between April and November 2020.

Improvements include checks for blocklisted endpoints and computer names, as well as the inclusion of the ability to extract files from external storage. A new command prompt, as of yet unassigned, also indicates that additional updates will occur in the future.

A total of four variants of the trojan have been found that are acquiring targets. Development of the trojan is suspected to be between the months of April to November. 

Research indicates that the newer capabilities include checks for blacklisted systems and computer IDs and the ability to extract files from external databases.

Presence of a new yet unassigned command prompt, suggesting that additional updates may appear in the future.