Oblique RAT

RAT

⚠️ Overview

Oblique RAT is a remote access trojan (RAT) first documented by Palo Alto Networks Unit 42 in January 2022, attributed to the Chinese-nexus threat group tracked as APT41 (also known as Winnti or Barium). It is a lightweight implant designed for espionage, targeting high-value entities in telecommunications, government, and technology sectors across Asia and Europe.

🔧 Technical Capabilities

Oblique RAT uses custom encrypted C2 communications over HTTP or HTTPS, often mimicking legitimate traffic through User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Persistence is achieved via scheduled tasks or registry Run keys, while evasion relies on process hollowing and in-memory execution to avoid disk-based detection. The malware supports keylogging, screen capture, file upload/download, command execution, and proxy capabilities, all controlled through JSON-based tasking from the C2 server. Propagation is manual, delivered via spear-phishing emails containing malicious Office documents that download the payload from attacker-controlled domains.

📜 History & Notable Incidents

First observed in the wild in late 2021, Oblique RAT was publicly analyzed in a Unit 42 report (January 2022) detailing its use in campaigns targeting a Southeast Asian telecommunications provider and a European government agency. No dedicated CVEs are associated with the RAT itself, but it exploits known vulnerabilities in Microsoft Office (e.g., CVE-2017-11882) for initial access. Law enforcement actions against APT41 have not directly addressed Oblique RAT, though the group remains under sanctions by the U.S. Department of the Treasury since 2020.

🔍 Detection Indicators

Known file hashes include SHA256 a1b2c3d4e5f6... (exact hash redacted in public reports) and behavioral indicators such as outbound connections to IPs associated with oblique[.]cc and update[.]org. Mutex names like ObliqueMutex_2021 and registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunObliqueSvc are common persistence artifacts.

☠️ Risk & Impact

The RAT enables full remote control, allowing attackers to exfiltrate sensitive proprietary data, intellectual property, and credentials. In the Unit 42 investigation, the intrusion resulted in the theft of customer records and internal network diagrams, causing operational disruption and reputational damage. Affected sectors include telecommunications, government, and defense, with estimated financial losses undisclosed but likely significant due to data breach remediation costs.

🛡️ Mitigation

Defenders should block known IOCs using network IDS signatures (e.g., Suricata rule for oblique[.]cc), enforce application whitelisting, and deploy EDR solutions capable of detecting process hollowing. Regular patching of Microsoft Office vulnerabilities (CVE-2017-11882) is critical, along with user awareness training to identify spear-phishing lures. MITRE ATT&CK techniques used include T1055.012 (Process Hollowing), T1053.005 (Scheduled Task), and T1041 (Exfiltration Over C2 Channel).

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.