Researchers said that they are tracking a new remote access Trojan dubbed UBoatRAT that is targeting individuals or organizations linked to South Korea or the video game industry.
While targets aren’t 100 percent clear, researchers at Palo Alto Networks Unit 42 said UBoatRAT threats are evolving and new variants are increasingly growing more sophisticated. They said recent samples found in September have adopted new evasion techniques and novel ways to maintain persistence on PCs.
“We don’t know the exact targets at the time of this writing. However, we theorize the targets are personnel or organizations related to Korea or the video games industry,” wrote Kaoru Hayashi, cyber threat intelligence analyst at Palo Alto Networks in a technical write-up of Unit 42’s research published this week. “We see Korean-language game titles, Korea-based game company names and some words used in the video games business on the list.”
UBoatRAT was first identified by Unit 42 in May 2017. At the time, UBoatRAT utilized a simple HTTP backdoor and connected to a command-and-control server via a public blog service in Hong Kong and a compromised web server in Japan. By September, the RAT evolved to adopt Google Drive as a distribution hub for malware and uses URLs that connect to GitHub repositories that act as a C2. UBoatRAT also leverages Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence on targeted systems.
BITS is a Microsoft service for transferring files between machines. BITS is most widely known for its use by Windows Update and third-party software for application updates. The service has a long history of being abused by attackers dating back to 2007. And even up until today, BITS is still an attractive feature for hackers because the Windows component includes the ability to retrieve or upload files using an application trusted by host firewalls. Last year, researchers identified hackers who used a BITS “notification” feature to deliver malware and maintain system persistence.
With UBoatRAT, adversaries are using the BITS binary Bitsadmin.exe as a command-line tool to create and monitor BITS jobs, researchers said. “The tool provides the option, /SetNotifyCmdLine which executes a program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure it stays running on a system, even after a reboot,” they said.
According to researchers, UBoatRAT is being delivered to targets via URLs that link to executable files or Zip archives hosted on Google Drive. “The zip archive hosted on Google Drive contains the malicious executable file disguised as a folder or a Microsoft Excel spread sheet. The latest variants of the UBoatRAT released in late July or later masquerade as Microsoft Word document files,” researchers said.
If files are executed, UBoatRAT attempts to determine if the targeted system is part of a larger corporate network or a home PC by checking if the machine is part of an Active Directory Domain, typically used by business PCs. The malware is also programmed to detect virtualization software (VMWare, VirtualBox or QEmu) that would indicate a research environment.
If ideal host conditions aren’t met various fake Windows system error messages are generated and the UBoatRAT executable quits.
Communication with the command-and-control server is performed via a hidden C2 address in the RAT, researchers said.
“The attacker behind the UBoatRAT hides the C2 address and the destination port in a file hosted on Github… After establishing a covert channel with C2, the threat waits following backdoor commands from the attacker,” researcher wrote.
Some commands include “Checks if whether the RAT is alive”, “Starts CMD shell” and “Uploads file to compromised machine”.
The malware gets its name from the name from the way it decodes the characters in the GitHub URL.
“The malware accesses the URL and decodes the characters between the string ‘[Rudeltaktik]’ and character ‘!’ using BASE64. ‘Rudeltaktik’ is the German military term which describes the strategy of the submarine warfare during the World War II,” researchers said.
Since June, the GitHub “uuu” repository the C2 links to has been deleted and replaced by “uj”, “hhh” and “enm”, according to researcher Hayashi. The GitHub user name behind the repository is “elsa999”.
“Though the latest version of UBoatRAT was released in September, we have seen multiple updates in elsa999 accounts on GitHub in October. The author seems to be vigorously developing or testing the threat. We will continue to monitor this activity for updates,” Hayashi said.