
Compromised Website Images Camouflage ObliqueRAT Malware
2021-03-02 17:06

The ObliqueRAT malware is now cloaking its payloads as seemingly-innocent image files that are hidden on compromised websites.

"Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms."

The malicious macros then download the BMP files, and the ObliqueRAT payload is extracted to disk.

One instance of a malicious document that researchers found "uses a similar technique, with the difference being that the payload hosted on the compromised website is a BMP image containing a .ZIP file that contains ObliqueRAT payload," said Malhotra.

"The malicious macros are responsible for extracting the .ZIP and subsequently the ObliqueRAT payload on the endpoint."
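As an added example (not code from the Threatpost article or the underlying research), the following Python checker looks for the camouflage described above: a ZIP archive riding behind an otherwise valid BMP. It compares the length declared in the BITMAPFILEHEADER with the real file length, records ZIP local-file-header signatures, and confirms with the standard library parser. The sample image, archive and the name payload.bin are all constructed here, not taken from any real sample.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature that starts every ZIP entry

def bmp_embedded_zip_findings(data: bytes) -> dict:
    """Inspect a BMP byte string for a ZIP archive hidden after the pixel data."""
    findings = {"is_bmp": False, "declared_size": None, "actual_size": len(data),
                "trailing_bytes": 0, "zip_offsets": [], "zip_parses": False, "zip_names": []}
    if len(data) < 14 or data[:2] != b"BM":
        return findings
    findings["is_bmp"] = True
    # BITMAPFILEHEADER after the 'BM' magic: bfSize (u32), two reserved u16, bfOffBits (u32)
    declared_size, _, _, _pixel_offset = struct.unpack_from("<IHHI", data, 2)
    findings["declared_size"] = declared_size
    # A well-formed BMP declares its full length; bytes beyond it are a red flag
    # (some writers leave bfSize at 0, so treat this as a heuristic, not proof).
    findings["trailing_bytes"] = max(0, len(data) - declared_size)
    # Record every ZIP local-file-header signature past the 14-byte file header
    pos = data.find(ZIP_LOCAL_HEADER, 14)
    while pos != -1:
        findings["zip_offsets"].append(pos)
        pos = data.find(ZIP_LOCAL_HEADER, pos + 4)
    # Confirm with a real parser: zipfile locates the end-of-central-directory record
    # from the file tail, so it tolerates the BMP bytes sitting in front of the archive.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            findings["zip_names"] = zf.namelist()
            findings["zip_parses"] = True
    except zipfile.BadZipFile:
        pass
    return findings

def make_constructed_zip() -> bytes:
    """Constructed, harmless stand-in for the archive the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        entry = zipfile.ZipInfo("payload.bin", date_time=(2021, 3, 2, 0, 0, 0))  # fixed for determinism
        zf.writestr(entry, b"HARMLESS PLACEHOLDER, NOT MALWARE")
    return buf.getvalue()

def build_sample_bmp(trailer: bytes) -> bytes:
    """Constructed 2x2 24-bit BMP; 'trailer' is appended after the pixel data."""
    pixels = (b"\xff\x00\x00" * 2 + b"\x00\x00") * 2        # 2 rows, each padded to 4 bytes
    dib = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixels)                       # honest bfSize: 70 bytes
    header = b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib))
    return header + dib + pixels + trailer
```

Run `bmp_embedded_zip_findings(build_sample_bmp(make_constructed_zip()))` to see the trailing bytes, the signature offset and the parsed entry name; the same call on `build_sample_bmp(b"")` reports a clean image.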

During the course of their investigation, researchers also discovered three ObliqueRAT payloads that had been used in earlier campaigns but never seen before, showing how the malware authors have changed the tool over time.

News URL

https://threatpost.com/website-images-obliquerat-malware/164395/