oRAT
⚠️ Overview
oRAT is a Remote Access Trojan (RAT) first documented by security researchers at Trend Micro in July 2020, associated with the OceanLotus (APT32) threat group, a Vietnam-aligned advanced persistent threat actor. It is designed for espionage and data theft, targeting government and private-sector entities in Southeast Asia, particularly Cambodia and Vietnam.
🔧 Technical Capabilities
oRAT communicates with its command-and-control (C2) servers over HTTP/HTTPS. Payloads are AES-encrypted, and requests carry a User-Agent string copied from a legitimate browser so the traffic blends in with ordinary web browsing. It persists through scheduled tasks and registry Run keys, and it loads its malicious payload by DLL side-loading: a legitimate Windows executable is dropped next to a malicious DLL with a name the executable resolves from its own directory before the system directories. Once running, the malware can execute shell commands, enumerate files, capture screenshots, and exfiltrate data to the C2 endpoints. It can also update itself by fetching new modules from the C2 server, as noted in Trend Micro's 2020 report (TROJAN_ORAT). To frustrate sandbox analysis it checks for an attached debugger and delays execution before doing anything observable.
📜 History & Notable Incidents
oRAT was first observed in targeted attacks against Cambodian government ministries in July 2020, as documented by Trend Micro. In September 2020, the Vietnamese cybersecurity firm CyStack reported an oRAT campaign exploiting COVID-19 lures to deliver the trojan to Vietnamese organizations. No CVEs are directly associated with oRAT; it relies on spear-phishing emails with malicious Office documents. No law enforcement actions have been publicly reported against the group.
🔍 Detection Indicators
Known file hashes include MD5 2f8f5e8c3a7b9d4e1c6f0a2b5d7e9c12 from Trend Micro's analysis. Network IOCs comprise the C2 domains microsoft-update[.]com and office365-check[.]net. Behavioral indicators include creation of a scheduled task named WindowsUpdateTask and a value named Updater written under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 has been observed in C2 communication. Note that this is the stock User-Agent of Chrome 84, so on its own it is a low-fidelity indicator; match it together with the C2 domains, or with a non-browser process as the sender, rather than alone.
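The following is an added example of how a detection engineer would turn the indicators above into a host-level triage pass; it is not code from Trend Micro or from the original page. The indicator values are the ones listed above; the telemetry records, the hostnames, the process names and the per-indicator confidence levels are constructed assumptions for the demonstration. It also folds Sysmon-style HKU\<SID> registry paths back to HKCU so the published key matches, and scores the stock Chrome User-Agent higher only when a non-browser process sends it.

```python
"""IOC matching for the oRAT indicators listed above.

Added example, not code from Trend Micro or the original page. The indicator
values come from the text; the telemetry records below are constructed to show
the matcher working and are not captured oRAT traffic.
"""
import re
from urllib.parse import urlparse

C2_DOMAINS = {"microsoft-update.com", "office365-check.net"}
KNOWN_MD5 = {"2f8f5e8c3a7b9d4e1c6f0a2b5d7e9c12"}
TASK_NAME = "WindowsUpdateTask"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE = "Updater"
# Stock Chrome 84 string: low fidelity on its own, scored higher only when a
# non-browser process sends it.
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumption

# Sysmon logs per-user hives as HKU\<SID>\...; fold those back to HKCU so the
# published key matches.
_HKU_SID = re.compile(r"^hku\\s-1-5-21-[\d-]+\\", re.I)


def _norm_key(key: str) -> str:
    return _HKU_SID.sub(r"hkcu\\", key).lower()


def match_event(ev: dict) -> list:
    """Return (indicator, confidence) pairs for one telemetry record."""
    hits = []
    kind = ev["type"]
    if kind == "proxy":
        host = (urlparse(ev["url"]).hostname or "").lower()
        if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
            hits.append(("c2_domain", "high"))
        if ev.get("ua") == USER_AGENT:
            proc = ev.get("process", "").lower()
            hits.append(("user_agent", "low" if proc in BROWSERS else "medium"))
    elif kind == "task":
        if ev["task_name"].lstrip("\\").lower() == TASK_NAME.lower():
            hits.append(("scheduled_task", "high"))
    elif kind == "registry":
        if _norm_key(ev["key"]) == RUN_KEY and ev["value"].lower() == RUN_VALUE.lower():
            hits.append(("run_key", "high"))
    elif kind == "file":
        if ev.get("md5", "").lower() in KNOWN_MD5:
            hits.append(("known_hash", "high"))
    return hits


def triage(events) -> dict:
    """Aggregate hits per host. One high-confidence hit, or two distinct
    indicators, is enough to alert; a lone browser UA match is informational."""
    per_host = {}
    for ev in events:
        for hit in match_event(ev):
            per_host.setdefault(ev["host"], []).append(hit)
    verdicts = {}
    for host, hits in per_host.items():
        names = sorted({n for n, _ in hits})
        confs = {c for _, c in hits}
        if "high" in confs:
            verdict = "alert"
        elif "medium" in confs or len(names) > 1:
            verdict = "investigate"
        else:
            verdict = "info"
        verdicts[host] = (verdict, names)
    return verdicts


SAMPLE_EVENTS = [  # constructed records, not real oRAT telemetry
    {"type": "proxy", "host": "ws01", "process": "svchost.exe",
     "url": "https://microsoft-update.com/api/v1/check", "ua": USER_AGENT},
    {"type": "task", "host": "ws01", "task_name": "\\WindowsUpdateTask"},
    {"type": "registry", "host": "ws01", "value": "Updater",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "proxy", "host": "ws02", "process": "chrome.exe",
     "url": "https://www.example.com/", "ua": USER_AGENT},
    {"type": "file", "host": "ws03", "path": r"C:\ProgramData\up.dll",
     "md5": "2F8F5E8C3A7B9D4E1C6F0A2B5D7E9C12"},
    {"type": "task", "host": "ws04",
     "task_name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start"},
    {"type": "registry", "host": "ws05", "value": "updater",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for host, (verdict, names) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {verdict} {names}")
```

Run as a script it prints one verdict per host: ws01 alerts on four distinct indicators, ws03 alerts on the hash alone, ws05 alerts because its HKU\<SID> path normalises to the published Run key, and ws02 stays informational because the only match is the Chrome UA sent by chrome.exe. The real value is in the aggregation step: comparisons are case-insensitive, the task name is matched with and without the leading backslash, and a subdomain of a C2 domain still matches.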
☠️ Risk & Impact
oRAT poses high risk to targeted organizations, enabling full remote control and data exfiltration. The primary impact is intellectual property theft and espionage, with sectors such as government, media, and NGOs in Southeast Asia being most affected. Financial losses are typically indirect, stemming from operational disruption and loss of sensitive data.
🛡️ Mitigation
Organizations should enforce strict email filtering, block the known IOCs, and deploy endpoint detection rules for DLL side-loading and scheduled task creation. The relevant MITRE ATT&CK techniques are T1566.001 (Spearphishing Attachment) for delivery, T1574.002 (DLL Side-Loading) for execution of the payload, T1059 (Command and Scripting Interpreter) for the shell command capability, T1053.005 (Scheduled Task) and T1547.001 (Registry Run Keys / Startup Folder) for persistence, T1113 (Screen Capture), T1071.001 (Web Protocols) for C2, and T1497 (Virtualization/Sandbox Evasion). Trend Micro provides detection via its Trend Micro Vision One platform; refer to its 2020 report, OceanLotus: Unreleased oRAT Campaign Targets Cambodian Government, for full details.