SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

ObliqueRAT

ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.^[1]^[2]

ID: S0644

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 08 September 2021

Last Modified: 15 October 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	ObliqueRAT can gain persistence by a creating a shortcut in the infected user's Startup directory.^[1]
Enterprise	T1025		Data from Removable Media	ObliqueRAT has the ability to extract data from removable devices connected to the endpoint.^[1]
Enterprise	T1074	.001	Data Staged: Local Data Staging	ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.^[1]
Enterprise	T1030		Data Transfer Size Limits	ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.^[1]
Enterprise	T1083		File and Directory Discovery	ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.^[1]
Enterprise	T1027	.003	Obfuscated Files or Information: Steganography	ObliqueRAT can hide its payload in BMP images hosted on compromised websites.^[1]
Enterprise	T1120		Peripheral Device Discovery	ObliqueRAT can discover pluggable/removable drives to extract files from.^[1]
Enterprise	T1057		Process Discovery	ObliqueRAT can check for blocklisted process names on a compromised host.^[1]
Enterprise	T1113		Screen Capture	ObliqueRAT can capture a screenshot of the current screen.^[1]
Enterprise	T1082		System Information Discovery	ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints.^[1]
Enterprise	T1033		System Owner/User Discovery	ObliqueRAT can check for blocklisted usernames on infected endpoints.^[1]
Enterprise	T1204	.001	User Execution: Malicious Link	ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs.^[1]^[2]
Enterprise	T1125		Video Capture	ObliqueRAT can capture images from webcams on compromised hosts.^[1]
Enterprise	T1497	.001	Virtualization/Sandbox Evasion: System Checks	ObliqueRAT can halt execution if it identifies processes belonging to virtual machine software or analysis tools.^[1]

Groups That Use This Software

ID	Name	References
G0134	Transparent Tribe	^[1]

References

Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.

Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.