1. Home
  2. Software
  3. ObliqueRAT

ObliqueRAT

ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.[1][2]

ID: S0644
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 September 2021
Last Modified: 15 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1025 从可移动介质获取数据

ObliqueRAT has the ability to extract data from removable devices connected to the endpoint.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

ObliqueRAT can gain persistence by a creating a shortcut in the infected user's Startup directory.[1]
Enterprise T1120 外围设备发现

ObliqueRAT can discover pluggable/removable drives to extract files from.[1]
Enterprise T1113 屏幕捕获

ObliqueRAT can capture a screenshot of the current screen.[1]
Enterprise T1030 数据传输大小限制

ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.[1]
Enterprise T1074 .001 数据分段: Local Data Staging

ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.[1]
Enterprise T1083 文件和目录发现

ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.[1]
Enterprise T1027 .003 混淆文件或信息: Steganography

ObliqueRAT can hide its payload in BMP images hosted on compromised websites.[1]
Enterprise T1204 .001 用户执行: Malicious Link

ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs.[1][2]
Enterprise T1082 系统信息发现

ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints.[1]
Enterprise T1033 系统所有者/用户发现

ObliqueRAT can check for blocklisted usernames on infected endpoints.[1]
Enterprise T1497 .001 虚拟化/沙盒规避: System Checks

ObliqueRAT can halt execution if it identifies processes belonging to virtual machine software or analysis tools.[1]
Enterprise T1125 视频捕获

ObliqueRAT can capture images from webcams on compromised hosts.[1]
Enterprise T1057 进程发现

ObliqueRAT can check for blocklisted process names on a compromised host.[1]

Groups That Use This Software

ID Name References
G0134 Transparent Tribe

[1][3]

References

  1. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  2. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
  1. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.