Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1197 | BITS Jobs |
UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence.[1] |
|
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
Enterprise | T1105 | Ingress Tool Transfer |
UBoatRAT can upload and download files to the victim’s machine.[1] |
|
Enterprise | T1027 | Obfuscated Files or Information |
UBoatRAT encrypts instructions in the payload using a simple XOR cipher.[1] |
|
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
UBoatRAT checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine.[1] |
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications.[1] |