Story image

UBoat Remote Access Trojan targeting Korean businesses

05 Dec 17

A new custom Remote Access Trojan (RAT) is making its way around various countries in Southeast Asia and may be going after Korean targets.

The UBoatRAT popped up in May 2017 was just a simple backdoor hosted by a compromised Hong Kong public blog service and Japan-hosted web server.

However, the developer has been busy adding new features to the RAT, according to Unit 42 researcher Kaoru Hayashi.

The improved version spotted in September features malware distribution through Google Drive, command and control address fetching from GitHub and it uses Microsoft Windows Background Intelligent Transfer Service (BITS) to keep running in the background.

While Hayashi suspects that the RAT is targeting people or organisations related to South Korea, and those in the video game industry, Unit 42 has not been able to pin down the exact targets.

“One of the reasons for the hypothesis is the file names used by the attacker when delivering the malware. We see Korean-language game titles, Korea-based game company names and some words used in the video games business on the list,” Hayashi explains in a Unit 42 blog.

Hayashi also says that the UBoatRAT can only conduct its activities on a compromised machine on an Active Directory domain – common amongst organisations but not home computers.

Hayashi further suspects targeting against the video games industry as one of the four malicious filenames includes an ‘unreleased game title’ and a Korean-based videogame company’s name.

All three malicious files appear to be delivered from Google Drive. The other three malicious files include documents that appear to be an annual salary rise inquiry and annual salary raise feedback; and a resume for a job application.

When a victim opens the file, the UBoatRAT is able to detect any software virtualization platform such as VMware, and it grabs a domain name from network parameters.

Hayashi elaborates on Microsoft Windows BITS and explains that BITS is a file transfer service for machines.

“Though the most famous application using the service is Windows Update, other applications or users can take advantage of the component. Bitsadmin.exe is a command-line tool user can create and monitor BITS jobs. The tool provides the option, /SetNotifyCmdLine which executes a program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure it stays running on a system, even after a reboot.”

Hayashi says that there are at least 14 samples of the UBoatRAT and one downloader associated with it at time of writing (late November 2017).

Though the latest version of UBoatRAT was released in September, we have seen multiple updates in elsa999 accounts on GitHub in October. The author seems to be vigorously developing or testing the threat.

Palo Alto Networks and Unit 42 will continue to monitor the UBoatRAT for updates.

Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.
Carbon Black: What does cybersecurity have in store for 2019?
Tom Kellerman has shared five insights for the year ahead, including a particularly bold one.
Hands-on review: The Ekster Wallet protects your cards against RFID attacks
For some time now, I’ve been protecting my credit cards with tinfoil. The tinfoil hat does attract a lot of comments, but thanks to Ekster, those days are now happily behind me.