A new remote access Trojan known as UBoatRAT is targeting South Korean businesses and individuals, and the video game industry. The exact targets are not yet clear, but security researchers at Palo Alto Networks Unit 42 report that new variants of UBoatRAT are appearing rapidly.
According to the researchers, samples of UBoatRAT found in September had already been modified, adding new evasion techniques and a new method of persisting on infected PCs.
Kaoru Hayashi, cyber threat intelligence analyst at Palo Alto Networks Unit 42, provided a technical write-up of UBoatRAT:
We don’t know the exact targets at the time of this writing. However, we theorize the targets are personnel or organizations related to Korea or the video games industry. We see Korean-language game titles, Korea-based game company names and some words used in the video games business on the list.
Unit 42 first uncovered the Trojan in May, when it was a simple HTTP backdoor. At that time, UBoatRAT reached its command-and-control (C&C) server through servers in Japan and China.
The malware now uses Google Drive as its distribution point and retrieves its C&C address from URLs that point to a GitHub repository. In addition, the RAT abuses the Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence on infected systems.
BITS is a Windows service for transferring files between machines, and adversaries use the bitsadmin.exe command-line tool to create and control BITS jobs. According to the researchers, “The tool provides the option, /SetNotifyCmdLine which executes a program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure it stays running on a system, even after a reboot.”
The researchers also revealed that UBoatRAT is distributed via URLs that link to files or Zip archives hosted on Google Drive.
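The persistence trick described above leaves a recoverable trace: the BITS job, including the program registered with /SetNotifyCmdLine, is stored by the service and can be enumerated on the host. The hunting script below is an added example, not code from Unit 42 or from the UBoatRAT author. It assumes the BitsTransfer PowerShell module is available and that the session is elevated (Get-BitsTransfer -AllUsers needs administrator rights); the host list is an assumption drawn from the infrastructure this article names, not a published indicator list.

```powershell
# Added hunting example (not Unit 42's or the malware author's code): list BITS jobs
# for every user and flag the persistence pattern described above, a job whose
# completion/error callback (NotifyCmdLine, set with bitsadmin /SetNotifyCmdLine)
# launches a program. Run from an elevated PowerShell session.
Import-Module BitsTransfer

# Assumption: hosts this article names as distribution / C2 infrastructure.
# Legitimate software also downloads from these, so a hit is a lead, not a verdict.
$watchHosts = @('drive.google.com', 'docs.google.com', 'github.com', 'raw.githubusercontent.com')

function Find-SuspiciousBitsJob {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()

        # Almost no legitimate job registers a notify command; UBoatRAT relies on it.
        if ($job.NotifyCmdLine) {
            $reasons += "NotifyCmdLine set: $($job.NotifyCmdLine -join ' ')"
        }

        # Flag jobs pulling payloads from the hosts the article associates with the RAT.
        foreach ($file in $job.FileList) {
            $uri = $file.RemoteName -as [uri]
            if ($uri -and ($watchHosts -contains $uri.Host)) {
                $reasons += "downloads from $($uri.Host): $($file.RemoteName)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Jobs that have already fired and been cancelled no longer show up above; the BITS
# client operational log still records job creation (event 3) and transfers (event 59).
function Find-BitsLogHit {
    $pattern = ($watchHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 3, 59 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, Message
}

Find-SuspiciousBitsJob | Format-Table -AutoSize
Find-BitsLogHit | Format-List
```

Cancelling a flagged job (Remove-BitsTransfer on the returned object, or bitsadmin /cancel with the job GUID) removes the persistence, so collect the program named in NotifyCmdLine before doing so. For ongoing detection, the runtime equivalent of this check is a process whose parent is the svchost.exe instance hosting the BITS service, which is how a notify command line is launched.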
The Zip archive hosted on Google Drive contains a malicious executable disguised as a folder or a Microsoft Excel spreadsheet. The latest variants, released in late July and later, masquerade instead as Microsoft Word documents.
Once executed, the RAT tries to determine whether the host belongs to a corporate network or is a home device. UBoatRAT can also detect virtualization software.
The Trojan quits if the host does not meet these requirements.
The researchers also found that the GitHub account behind the malware uses the user name “elsa999”.
“Though the latest version of UBoatRAT was released in September, we have seen multiple updates to the elsa999 account on GitHub in October. The author seems to be vigorously developing or testing the threat. We will continue to monitor this activity for updates.”