UBoatRAT – New Variant Of Remote Access Trojan (RAT) Hits East Asia
News, Trojan | 11/30/2017

A new custom remote access Trojan (RAT) has been discovered in attacks against personnel and organizations associated with South Korea and the video game industry, according to Palo Alto Networks.

It has been named UBoatRAT, and Google Drive links are its primary distribution channel. Its command-and-control (C&C) address is obtained from GitHub, and it maintains persistence through the Microsoft Windows Background Intelligent Transfer Service (BITS).

The malware was first seen in May 2017. At that time it was a simple HTTP backdoor that used a compromised web server in Japan and a public blog service in Hong Kong for command and control. Since then the developers have added many features and released updated versions over the summer; the attacks described here were analyzed in September.

While the exact targets are not yet clear, Palo Alto Networks believes they are related to Korea or the video game industry, because the delivery files used Korean-language game titles, the names of Korea-based game companies, and words used in the video game industry.

The researchers say UBoatRAT has been designed specifically to compromise machines joined to an Active Directory domain, so home users, whose machines are not domain members, are not affected.

The investigation shows that the malware is distributed as a ZIP file hosted on Google Drive that contains a malicious executable disguised as a folder or a Microsoft Excel spreadsheet. The latest variants instead pose as a Microsoft Word document.

When executed, the malware checks for virtualization software (VirtualBox, VMware and QEMU) and then obtains the domain name from the network parameters. If it detects a virtual machine or fails to obtain a domain name, it displays a fake error message and quits.


Otherwise, UBoatRAT copies itself to C:\programdata\svchost.exe, creates and executes C:\programdata\init.bat, then displays a message and quits.

The malware uses the Microsoft Windows Background Intelligent Transfer Service (BITS), a service for transferring files between machines, for persistence. BITS jobs can be created and monitored with the Bitsadmin.exe command-line tool, which offers an option to execute a program when a job finishes transferring data or ends in error; UBoatRAT uses this option to keep running on the system even after a reboot.
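A defender hunting for this persistence technique can list every BITS job on a host with `bitsadmin /list /allusers /verbose` and flag any job that carries a notification command line, since legitimate jobs almost never set one. The following is an added example, not UBoatRAT code or tooling from Palo Alto Networks. It parses such a listing and raises the severity when the command points at the dropped files named above (C:\programdata\svchost.exe, C:\programdata\init.bat). The sample listing is constructed for this example and is assumed to follow bitsadmin's verbose layout (one job per block, `KEY: VALUE` fields, `NOTIFICATION COMMAND LINE: none` when unset); the GUIDs, job names and URLs in it are made up.

```python
"""Flag BITS jobs that run a program on completion (UBoatRAT-style persistence).

Added example: parses the text printed by `bitsadmin /list /allusers /verbose`.
Field layout is an assumption about bitsadmin's verbose output.
"""
import re
import sys

# Paths the write-up names for UBoatRAT's dropped files (lower-cased for matching).
KNOWN_BAD_PATHS = (
    r"c:\programdata\svchost.exe",
    r"c:\programdata\init.bat",
)

# Constructed sample listing: a benign job and one mimicking UBoatRAT persistence.
SAMPLE_BITSADMIN_OUTPUT = """\
BITSADMIN version 3.0
BITS administration utility.

GUID: {1B2C3D4E-0000-0000-0000-000000000001} DISPLAY: MicrosoftMapsUpdate
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\\SYSTEM
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 12345 / 12345
NOTIFICATION COMMAND LINE: none
JOB FILES:
        12345 / 12345 WORKING http://example.invalid/update.cab -> C:\\Windows\\Temp\\update.cab

GUID: {1B2C3D4E-0000-0000-0000-000000000002} DISPLAY: Microsoft Update
TYPE: DOWNLOAD STATE: SUSPENDED OWNER: CORP\\jdoe
PRIORITY: NORMAL FILES: 0 / 1 BYTES: 0 / UNKNOWN
NOTIFICATION COMMAND LINE: C:\\programdata\\svchost.exe
JOB FILES:
        0 / UNKNOWN WORKING http://example.invalid/nonexistent -> C:\\programdata\\nonexistent

Listed 2 job(s).
"""

JOB_HEADER = re.compile(r"^GUID:\s*(\{[0-9A-Fa-f-]+\})\s+DISPLAY:\s*(.*)$")
OWNER_FIELD = re.compile(r"OWNER:\s*(.+)$")
NOTIFY_LINE = re.compile(r"^NOTIFICATION COMMAND LINE:\s*(.*)$")


def parse_jobs(text):
    """Return one dict per job: guid, display name, owner and notify command."""
    jobs = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = JOB_HEADER.match(line)
        if header:
            current = {"guid": header.group(1), "display": header.group(2).strip(),
                       "owner": "", "notify_cmd": ""}
            jobs.append(current)
            continue
        if current is None:
            continue  # banner lines before the first job
        if line.startswith("TYPE:"):
            owner = OWNER_FIELD.search(line)
            if owner:
                current["owner"] = owner.group(1).strip()
            continue
        notify = NOTIFY_LINE.match(line)
        if notify:
            current["notify_cmd"] = notify.group(1).strip()
    return jobs


def suspicious_jobs(jobs):
    """Keep jobs with a notification command; 'high' if it hits a known bad path."""
    findings = []
    for job in jobs:
        cmd = job["notify_cmd"]
        if not cmd or cmd.lower() == "none":
            continue
        lowered = cmd.lower()
        severity = "high" if any(p in lowered for p in KNOWN_BAD_PATHS) else "medium"
        findings.append({**job, "severity": severity})
    return findings


if __name__ == "__main__":
    # Usage: python bits_hunt.py [saved bitsadmin output]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 \
        else SAMPLE_BITSADMIN_OUTPUT
    for f in suspicious_jobs(parse_jobs(text)):
        print(f"[{f['severity']}] {f['guid']} '{f['display']}' owner={f['owner']} "
              f"runs: {f['notify_cmd']}")
```

Any job with a notification command line deserves a look, not only those pointing at the paths above; the attacker can rename the dropped files, and a job left in the SUSPENDED state with a nonexistent download URL and a notify command is the tell.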

The C&C address and destination port are hidden in a file hosted on GitHub, which the malware fetches from a specific URL. A custom C&C protocol is used to communicate with the attacker's server.

Backdoor commands accepted from the attacker include: alive (checks whether the RAT is alive), online (keeps the RAT online), upfile (uploads a file to the infected machine), downfile (downloads a file from the infected machine), curl (downloads a file from a specified URL), exec (executes a process, using a UAC bypass based on Eventvwr.exe and registry hijacking), start (starts a CMD shell), pskill (terminates a specified process) and pslist (lists running processes).

Palo Alto Networks analysts have identified fourteen samples of UBoatRAT, plus one downloader related to the attacks. The researchers also linked the malware to the GitHub account 'elsa999' and found that its owner had been updating the repositories frequently since July.

"Though the latest version of UBoatRAT was released in September, we have seen multiple updates in the elsa999 accounts on GitHub in October. The author seems to be vigorously developing or testing the threat. We will continue to monitor this activity for updates," Palo Alto Networks concludes.

Tips to Prevent Viruses and Malware from Infecting Your System:

  1. Enable your popup blocker: Pop-ups and ads on websites are among the most common tactics cybercriminals use to spread malicious programs. Avoid clicking on dubious sites, software offers and pop-ups.
  2. Keep your Windows updated: To avoid such infections, always keep your system current through automatic Windows Update. Outdated versions of the Windows operating system are an easy target.
  3. Third-party installation: Avoid freeware download websites, as their installers and stub files frequently bundle additional software.
  4. Regular backup: Regular, periodic backups keep your data safe if the system is infected by a virus or any other malware, so back up important files regularly to a cloud drive or an external hard drive.
  5. Always have an antivirus: Prevention is better than cure. Install a reputable antivirus or malware removal product and keep it updated.
  6. Install a powerful ad blocker for Chrome, Mozilla Firefox and Internet Explorer.
