UBoatRAT targets firms in East Asia

According to a blog post by security researchers at Palo Alto Networks, the custom RAT, called UBoatRAT, is targeting video games companies and staff in South Korea.

Kaoru Hayashi, cyber-threat intelligence analyst for Unit 42 at Palo Alto Networks, said that the initial version of the RAT, found in May of 2017, was a simple HTTP backdoor that used a public blog service in Hong Kong and a compromised web server in Japan for command and control.

However, this latest variant is distributed via Google Drive, obtains the address of the command and control (C&C) server from GitHub and uses Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence.

He said that it was the company's theory that targets of the malware are related to Korea or the video games industry.

“One of the reasons for the hypothesis is the file names used by the attacker when delivering the malware. We see Korean-language game titles, Korea-based game company names and some words used in the video games business on the list,” said Hayashi.

He added that UBoatRAT performs malicious activities only when the compromised machine is joined to an Active Directory domain. “Most home user systems are not part of a domain, and as such would not be impacted the same way.”

Hackers distributed the RAT through a ZIP archive hosted on Google Drive, containing a malicious executable file disguised as a folder or a Microsoft Excel spreadsheet. The latest variants of UBoatRAT are disguised as Microsoft Word document files.

The malware stops execution when it detects virtualization software such as VMware, VirtualBox or QEMU. When executed, it attempts to obtain the domain name from network parameters. If it fails to get the domain name, it displays a fake error message and quits.

If it passes these checks, the malware copies itself as C:\programdata\svchost.exe, creates and executes C:\programdata\init.bat, then displays a specific message and quits.

Researchers said that the RAT uses Microsoft Windows Background Intelligent Transfer Service (BITS), a service for transferring files between machines, to maintain persistence.

“Bitsadmin.exe is a command-line tool users can use to create and monitor BITS jobs. The tool provides the option /SetNotifyCmdLine, which executes a program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure it stays running on a system, even after a reboot,” said Hayashi.

Once a C&C channel is set up, the malware waits for backdoor commands from the attacker.

The malware gets its name from how it decodes characters in the GitHub URL.

“The malware accesses the URL and decodes the characters between the string ‘[Rudeltaktik]’ and character ‘!’ using BASE64. ‘Rudeltaktik’ is the German military term which describes the strategy of the submarine warfare during World War II,” said the researcher.

“Though the latest version of UBoatRAT was released in September, we have seen multiple updates in elsa999 accounts on GitHub in October,” he added. “The author seems to be vigorously developing or testing the threat. We will continue to monitor this activity for updates.”
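As an added example (not code from Palo Alto Networks or from the malware), the sketch below shows how an analyst could pull and decode every value sitting between the "[Rudeltaktik]" marker and "!" in a saved copy of a page during triage. The sample page and the address 192.0.2.10:443 are constructed, and treating the decoded bytes as ASCII text is an assumption, since the article does not give the decoded format.

```python
import base64
import binascii
import re

# Marker pair named in the article: the value sits between "[Rudeltaktik]" and "!".
MARKER_RE = re.compile(r"\[Rudeltaktik\]([^!]*)!")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_marked_values(page_text):
    """Return (raw, decoded_or_None) for every marker pair found in page_text."""
    results = []
    for match in MARKER_RE.finditer(page_text):
        raw = match.group(1).strip()
        decoded = None
        if raw and B64_RE.fullmatch(raw):
            # Tolerate stripped padding so a truncated copy still decodes.
            padded = raw.rstrip("=") + "=" * (-len(raw.rstrip("=")) % 4)
            try:
                decoded = base64.b64decode(padded, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                decoded = None  # right alphabet, but not a valid/printable value
        results.append((raw, decoded))
    return results


def triage(page_text):
    """Split hits into unique decoded indicators and malformed marker payloads."""
    hits = extract_marked_values(page_text)
    indicators = sorted({d for _, d in hits if d is not None})
    malformed = [r for r, d in hits if d is None]
    return indicators, malformed


# Constructed sample input: TEST-NET-1 documentation address, not a real indicator.
SAMPLE_VALUE = "192.0.2.10:443"
ENCODED = base64.b64encode(SAMPLE_VALUE.encode("ascii")).decode("ascii")
SAMPLE_PAGE = (
    "<p>notes [Rudeltaktik]" + ENCODED + "! trailing text</p>\n"
    "<p>[Rudeltaktik]" + ENCODED.rstrip("=") + "!</p>\n"   # padding stripped
    "<p>[Rudeltaktik]not base64 at all!</p>\n"              # marker, bad payload
)

if __name__ == "__main__":
    found, bad = triage(SAMPLE_PAGE)
    print("decoded indicators:", found)
    print("malformed marker payloads:", bad)
```

Malformed hits are reported separately because a page carrying the marker with an undecodable payload is still worth an analyst's attention.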

Chris Doman, security researcher at AlienVault, told SC Media UK that the distribution of UBoatRAT is fairly limited so it's unlikely users will encounter it outside of Korea.

“It's a fairly classic remote administration tool, that performs command and control over fake websites to make it harder to detect as it communicates over the network,” he said.

Adam Govier, principal cybersecurity consultant at SureCloud, told SC Media UK that as with any bespoke malware a singular point of defence is not always sufficient in preventing these types of infections, and a mature security policy would incorporate multiple layers as a basis for this.

“One of these layers would involve the operation of a strongly configured content-filter solution, aiming to prevent certain filetypes or suspicious domains from being permitted to send emails to mailboxes or forwarding addresses within an organisation,” he said.

“Along with this, next-generation antivirus installed on workstations and servers should ideally be able to detect this sort of malware through common signatures within the antivirus engine. Where a signature has not been known to the vendor before the distribution of the RAT, the AV solution should ideally incorporate heuristic detection with sandboxing to determine the execution behaviour of the malware.”