Hackers Now Hiding ObliqueRAT Payload in Images to Evade Detection
2021-03-07 23:30

Cybercriminals are now deploying remote access Trojans under the guise of seemingly innocuous images hosted on compromised websites, once again highlighting how quickly threat actors change tactics once their attack methods are discovered and publicly exposed.

While the ObliqueRAT modus operandi previously overlapped with another Transparent Tribe campaign in December 2019 to disseminate CrimsonRAT, the new wave of attacks differs in two crucial ways.

"Another instance of a maldoc uses a similar technique with the difference being that the payload hosted on the compromised website is a BMP image containing a ZIP file that contains ObliqueRAT payload," Talos researcher Asheer Malhotra said.

"The malicious macros are responsible for extracting the ZIP and subsequently the ObliqueRAT payload on the endpoint."
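The delivery trick above relies on a file that is a valid BMP to a browser or web server but still carries a complete ZIP archive. The following detector is an added example (not Talos's or the article's code) showing how to triage such a file: it checks whether the BMP carries bytes past its declared size, scans for ZIP local-file-header signatures, and tries to parse an archive at each hit. It assumes the ZIP bytes are stored verbatim somewhere in the BMP, either inside the pixel area or appended after the image; the exact embedding used in the ObliqueRAT maldocs is not given on this page, so both variants are covered. All sample files are constructed inline.

```python
"""Detect a ZIP archive hidden inside a BMP file.

Added example, not the article's or Talos's code. Assumes the ZIP bytes are
stored verbatim in the BMP (inside the pixel area or appended after it).
All sample files below are constructed inline.
"""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature of every ZIP local file header
BMP_FILE_HEADER_LEN = 14
BMP_INFO_HEADER_LEN = 40


def build_zip(name: str, content: bytes) -> bytes:
    """Constructed test input: a one-member ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def build_bmp(width: int, height: int, pixel_payload: bytes = b"") -> bytes:
    """Constructed test input: a minimal 24-bit BMP whose pixel area starts
    with `pixel_payload` (empty for a clean image)."""
    row_size = (width * 3 + 3) & ~3            # rows are padded to 4 bytes
    pixel_bytes = row_size * height
    if len(pixel_payload) > pixel_bytes:
        raise ValueError("payload does not fit in the pixel area")
    pixels = pixel_payload.ljust(pixel_bytes, b"\x00")
    data_offset = BMP_FILE_HEADER_LEN + BMP_INFO_HEADER_LEN
    file_size = data_offset + pixel_bytes
    file_header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, data_offset)
    info_header = struct.pack("<IiiHHIIiiII", BMP_INFO_HEADER_LEN, width, height,
                              1, 24, 0, pixel_bytes, 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def inspect_bmp(data: bytes) -> dict:
    """Return structural findings for a candidate BMP: bytes beyond the
    declared file size, offsets of ZIP local-file-header signatures, and the
    member names of the first archive that actually parses."""
    findings = {"is_bmp": data[:2] == b"BM", "trailing_bytes": 0,
                "zip_offsets": [], "zip_members": []}
    if not findings["is_bmp"] or len(data) < BMP_FILE_HEADER_LEN:
        return findings
    declared_size = struct.unpack_from("<I", data, 2)[0]
    findings["trailing_bytes"] = max(0, len(data) - declared_size)
    pos = data.find(ZIP_LOCAL_HEADER, BMP_FILE_HEADER_LEN)
    while pos != -1:
        findings["zip_offsets"].append(pos)
        pos = data.find(ZIP_LOCAL_HEADER, pos + len(ZIP_LOCAL_HEADER))
    for off in findings["zip_offsets"]:
        try:
            # zipfile locates the end-of-central-directory record from the
            # tail, so trailing pixel padding after the archive is tolerated.
            with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
                findings["zip_members"] = zf.namelist()
                break
        except zipfile.BadZipFile:
            continue
    return findings


def is_suspicious(data: bytes) -> bool:
    """A BMP that contains a parseable ZIP, or that carries data past its
    declared size, should not be treated as a plain image."""
    f = inspect_bmp(data)
    return f["is_bmp"] and (bool(f["zip_members"]) or f["trailing_bytes"] > 0)


# Constructed samples: a clean image, a ZIP inside the pixel area, and a ZIP
# appended after the image. The "payload.exe" member is a fake PE stub.
HIDDEN_ZIP = build_zip("payload.exe", b"MZ" + b"\x90" * 64)
CLEAN_BMP = build_bmp(64, 16)
PIXEL_EMBEDDED_BMP = build_bmp(64, 16, HIDDEN_ZIP)
APPENDED_BMP = build_bmp(64, 16) + HIDDEN_ZIP

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_BMP),
                          ("zip-in-pixels", PIXEL_EMBEDDED_BMP),
                          ("zip-appended", APPENDED_BMP)]:
        print(label, is_suspicious(sample), inspect_bmp(sample)["zip_members"])
```

The trailing-bytes check alone would miss the pixel-area variant, and a bare signature scan alone produces false positives on random pixel data, which is why the detector only flags a hit when an archive parses at the offset. In a real pipeline the same check belongs on the web-proxy or mail-gateway side, applied to any image fetched by an Office process.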

Regardless of the infection chain, the goal is to trick victims into opening emails containing the weaponized documents; once opened, the documents fetch the ObliqueRAT payload from malicious URLs and ultimately exfiltrate sensitive data from the target system.

"Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms."


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/XRIhZP_4QBk/hackers-now-hiding-obliquerat-payload.html