UBoatRAT Sets Sail for Korea

A custom remote access trojan (RAT) called UBoatRAT is taking aim at the video-game industry and South Korea.

It’s a new variant of the code, which was initially discovered in May of 2017 as a simple HTTP backdoor that uses a public blog service in Hong Kong and a compromised web server in Japan for command and control (C2).

Now, according to Kaoru Hayashi, researcher at Palo Alto’s Unit 42, the developer has evolved UBoatRAT to distribute the malware through Google Drive while fetching its C2 address from GitHub. A ZIP archive hosted on Google Drive contains a malicious executable disguised as a folder, a Microsoft Excel spreadsheet or a Microsoft Word document.

In looking at the file names themselves, it’s clear that UBoatRAT is focused on specific targets.

“We see Korean-language game titles, Korea-based game company names and some words used in the video games business on the list,” Hayashi said, in a blog. “Another reason is that UBoatRAT performs malicious activities on the compromised machine only when joining an Active Directory Domain. Most home user systems are not part of a domain, and as such would not be impacted the same way. The first three file names [associated with UBoatRAT deliveries] are written in Korean and only include general business topics. The last one contains an unreleased game title, ‘Project W,’ and the Korean-based video game company’s name.”

UBoatRAT achieves persistence through the Microsoft Windows Background Intelligent Transfer Service (BITS), the file-transfer service that Windows Update relies on to move files between machines. Because BITS jobs are managed by the operating system rather than by the process that created them, UBoatRAT can use one to ensure it keeps running on a system, even after a reboot.
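A defender-side triage check for the persistence technique described above, added here as an example and not taken from the article or from Unit 42. It lists every BITS job on the host and flags the traits a persistence job tends to have: a command registered to run when the transfer finishes (BITS re-runs such a job until it completes), a download source outside an allow-list, a local target under a user-writable directory, or a job parked in an error state. The `Get-SuspiciousBitsJob` name and the `$TrustedHostPattern` allow-list are assumptions to adjust per environment; the script must run in an elevated session because `-AllUsers` needs administrator rights.

```powershell
# Added example: enumerate BITS jobs for all users and report the ones worth a closer look.
Import-Module BitsTransfer

function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param(
        # Assumption: hosts a BITS job may legitimately download from. Tune per site.
        [string[]] $TrustedHostPattern = @('*.windowsupdate.com', '*.microsoft.com')
    )

    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()

        # A completion command is the strongest signal: BITS launches it itself,
        # so the payload is re-started after a reboot without any other autorun entry.
        if ($job.NotifyCmdLine) { $reasons += "NotifyCmdLine set: $($job.NotifyCmdLine)" }

        foreach ($f in $job.FileList) {
            # Remote source not on the allow-list.
            $uri = [uri]$f.RemoteName
            $trusted = $false
            foreach ($p in $TrustedHostPattern) { if ($uri.Host -like $p) { $trusted = $true } }
            if (-not $trusted) { $reasons += "Untrusted source: $($f.RemoteName)" }

            # Payload dropped into a user-writable location rather than an install directory.
            if ($f.LocalName -match '\\(Temp|AppData|ProgramData)\\') {
                $reasons += "Local target: $($f.LocalName)"
            }
        }

        # Jobs stuck in an error state are retried by BITS until their timeout expires,
        # which keeps a completion command alive long after the original process is gone.
        if ($job.JobState.ToString() -in @('Error', 'TransientError')) {
            $reasons += "State $($job.JobState) since $($job.ModificationTime)"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                Created     = $job.CreationTime
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-List
```

Run it on a suspect host and compare the job owners and creation times against the delivery window of the ZIP archive.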

Though the latest version of UBoatRAT was released in September, Hayashi said he has seen multiple updates in the GitHub account since then.

“The author seems to be vigorously developing or testing the threat,” he said.
