UBoatRAT is a remote access trojan (RAT) first identified in May 2017 as a simple backdoor using a public blog service as its C2 server. The developer then released an updated version in June. Activity observed in September using that version targeted personnel and organizations related to South Korea or the video games industry. The malware is distributed through Google Drive, obtains its C2 address from GitHub, and uses the Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence.
The ZIP archive hosted on Google Drive contains the malicious executable file disguised as a folder or Microsoft Excel spreadsheet, while versions of UBoatRAT from July or later are disguised as a Microsoft Word file. When the file is executed, UBoatRAT checks for virtualization software, such as VMware, VirtualBox, or QEMU, and obtains the domain name from the network parameters. If the RAT detects virtualization software or fails to obtain the domain name, it displays a fake error message and quits. If it does not detect virtualization software and is able to obtain the domain name, it copies itself as C:\programdata\svchost.exe, creates C:\programdata\init.bat, and executes that batch file. It then displays a fake error message and quits.
UBoatRAT uses BITS, a service for transferring files between machines, to maintain persistence. The command-line tool bitsadmin.exe has an option to execute programs when a job finishes transferring data or is in error. The RAT takes advantage of this option to continue running on the system, even after a reboot.
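A defender-side check for the persistence described above, as an added example that is not from the original report: it scans process command lines for bitsadmin's `/SetNotifyCmdLine` option (the option that runs a program when a job finishes or errors; the report text here does not name it) and for the dropped paths C:\programdata\svchost.exe and C:\programdata\init.bat. The sample events, job names and function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation command lines for the demo (not from the report).
SAMPLE_EVENTS = [
    r'bitsadmin /SetNotifyCmdLine example_job "C:\programdata\svchost.exe" NULL',
    r'C:\Windows\System32\bitsadmin.exe /setnotifycmdline sync_job C:\Tools\sync.exe "sync.exe -q"',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
    r'C:\ProgramData\svchost.exe',
    r'cmd.exe /c C:\programdata\init.bat',
]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
SYSTEM_DIRS = {r'c:\windows\system32', r'c:\windows\syswow64'}
# Dropped-file paths named in the write-up above, lowercased for comparison.
REPORTED_PATHS = {r'c:\programdata\svchost.exe', r'c:\programdata\init.bat'}

def tokens(cmdline):
    """Split a command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]

def fake_svchost(path):
    """True for a fully qualified svchost.exe outside the Windows system dirs."""
    p = PureWindowsPath(path)
    return (p.name.lower() == 'svchost.exe' and p.is_absolute()
            and str(p.parent).lower() not in SYSTEM_DIRS)

def analyze(cmdline):
    """Return the list of findings for one process command line."""
    args = tokens(cmdline)
    low = [a.lower() for a in args]
    findings = []
    if args and fake_svchost(args[0]):
        findings.append('svchost.exe image outside system directory')
    if any(a in REPORTED_PATHS for a in low):
        findings.append('path reported for UBoatRAT')
    if args and PureWindowsPath(low[0]).name in ('bitsadmin', 'bitsadmin.exe'):
        if '/setnotifycmdline' in low:
            i = low.index('/setnotifycmdline')
            # Syntax: /SetNotifyCmdLine <job> <program> [parameters]
            program = args[i + 2] if len(args) > i + 2 else ''
            findings.append('BITS job notify program: ' + (program or '<missing>'))
            if fake_svchost(program):
                findings.append('notify program masquerades as svchost.exe')
    return findings

if __name__ == '__main__':
    for event in SAMPLE_EVENTS:
        print(analyze(event) or ['clean'], '<-', event)
```

Any notify program on a BITS job is worth reviewing on its own; the svchost.exe and path checks narrow the result to the behaviour described for this RAT.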
UBoatRAT uses a custom C2 protocol to communicate with the threat actor's server. Once a covert C2 channel is established, the RAT waits for commands. It can respond to the following commands:
- alive: checks if the RAT is operational
- online: maintains the RAT's online status by periodically sending packets to the C2
- upfile: uploads files to the compromised machine
- downfile: downloads files from the compromised machine
- exec: executes processes with UAC Bypass using Eventvwr.exe and Registry Hijacking
- start: starts CMD shell
- curl: downloads files from specified URL
- pslist: lists running processes
- pskill: terminates specified processes

Palo Alto Networks provides technical analysis and Indicators of Compromise.