OZH RAT
⚠️ Overview
OZH RAT is a remote access trojan (RAT) first documented in 2021 by the cybersecurity firm Cybereason. The reporting attributes it to an Iranian threat group tracked as TunnelVision, which it associates with APT34 (also known as OilRig; MITRE ATT&CK Group ID G0049). Note that TunnelVision is a separate vendor tracking name and is not among the aliases MITRE lists for G0049. OZH RAT functions as a second-stage implant used for persistent surveillance and data exfiltration.
🔧 Technical Capabilities
OZH RAT communicates with its command-and-control (C2) server over HTTPS, adding custom HTTP headers that mimic legitimate traffic, as detailed in Cybereason's 2021 report. It establishes persistence through a Windows Registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). The malware collects system information, screenshots, keystrokes and files, then exfiltrates them in HTTPS POST requests. Its evasion techniques include checking for analysis tools (for example Wireshark and Process Explorer) and delaying execution to outlast sandbox timeouts. Configuration data is obfuscated with a custom XOR-based scheme (XOR alone is obfuscation rather than strong encryption, and is usually recoverable once the key or a known plaintext is found), and the implant can download additional modules.
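The XOR-based configuration obfuscation above is the kind of scheme an analyst can usually undo with a known-plaintext guess. The following is an added example written for this page, not code from OZH RAT or from Cybereason's report: it assumes a single-byte key and a config whose C2 field starts with "https://", recovers the key by brute force, and parses the result. The sample config, the key 0x5A, the field names and the hostname are all constructed for illustration.

```python
from typing import Optional

# Assumption: the C2 URL field of the config begins with this prefix (known plaintext).
KNOWN_PREFIX = b"https://"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key. XOR is an involution: applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes, known: bytes = KNOWN_PREFIX) -> Optional[int]:
    """Try all 256 single-byte keys and return the first one whose decode contains the known plaintext."""
    for key in range(256):
        if known in xor_bytes(blob, key):
            return key
    return None


def printable_ratio(data: bytes) -> float:
    """Fraction of printable ASCII (plus CR/LF/TAB); a sanity check that the decode looks like text."""
    return sum(32 <= b < 127 or b in b"\r\n\t" for b in data) / max(len(data), 1)


def decode_config(blob: bytes) -> dict:
    """Recover the key, decode the blob and parse 'name=value' lines into a dict."""
    key = recover_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key produces the known prefix; scheme may use a longer key")
    plain = xor_bytes(blob, key)
    fields = {}
    for line in plain.split(b"\n"):
        if b"=" in line:
            name, value = line.split(b"=", 1)
            fields[name.decode(errors="replace")] = value.decode(errors="replace")
    return {"key": key, "fields": fields, "printable_ratio": printable_ratio(plain)}


# Constructed sample: a plaintext config and its XOR-obfuscated form, as an analyst might carve from memory.
# The hostname uses the reserved .example TLD and is not a real indicator.
SAMPLE_CONFIG = b"c2=https://api-cloudflare.example/v1\nsleep=900\ntag=OzhUpdater\n"
SAMPLE_KEY = 0x5A  # assumption for the demo; a real sample's key is unknown
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_config(SAMPLE_BLOB))
```

If `recover_key` returns None the blob is not single-byte XOR with that prefix; the next step an analyst would take is to try a repeating multi-byte key (for example by key-length guessing on the known prefix), which this example deliberately does not cover.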
📜 History & Notable Incidents
First observed in early 2021 in campaigns targeting telecommunications and government entities in the Middle East, OZH RAT was associated with Iranian espionage operations. In 2022, FireEye (now Trellix) linked the RAT to APT34's use of DNS-over-HTTPS (DoH) for command-and-control. That reporting also cites CVE-2022-27776; note that this identifier belongs to a curl flaw (HTTP header data leaked when following redirects), not to a SolarWinds Serv-U remote code execution vulnerability, so the claim that it was exploited in parallel does not fit the CVE as numbered. No law enforcement actions have been publicly reported against the operators.
🔍 Detection Indicators
Behavioral indicators include HTTPS traffic to lookalike domains imitating api[.]cloudflare[.]com and a non-standard User-Agent string, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Spark/1.0, in which the trailing Spark/1.0 token is not produced by any mainstream browser and is the useful match key. Cybereason's report is cited as the source of file hashes, but no verified SHA-256 is reproduced here, so detection should rest on behaviour and the indicators listed rather than on a hash. A value named OzhUpdater under HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a specific host-based IoC.
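The indicators above are easy to turn into a first-pass hunt over proxy and registry telemetry. The following is an added example for this page, not code from Cybereason or from any product: it scans constructed proxy and Sysmon-style registry lines (formats, timestamps, IPs and hostnames invented here) for the Spark/1.0 User-Agent token, lookalike hosts containing "cloudflare" that are not the genuine api.cloudflare.com, and an OzhUpdater value written under the HKCU Run key. The allowlist of legitimate hosts and the log formats are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator details taken from the page; the allowlist and log formats are assumptions for this example.
UA_MARKER = "Spark/1.0"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "OzhUpdater"
LOOKALIKE_BRAND = "cloudflare"
LEGIT_HOSTS = {"api.cloudflare.com"}  # assumption: hosts that legitimately carry the brand name


@dataclass
class Hit:
    source: str   # "proxy" or "registry"
    reason: str
    line: str


# Assumed proxy format: <ts> <src-ip> <METHOD> <url> "<user-agent>"
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/ ]+)\S* "(?P<ua>[^"]*)"$')
# Assumed registry-event format: <ts> RegistrySet <key> <value-name> <data>
REG_RE = re.compile(r'^(?P<ts>\S+) RegistrySet (?P<key>[^ ]+) (?P<value>[^ ]+) (?P<data>.+)$')


def check_proxy_line(line: str) -> Optional[Hit]:
    m = PROXY_RE.match(line)
    if not m:
        return None
    host, ua = m["host"].lower(), m["ua"]
    if UA_MARKER in ua:
        return Hit("proxy", f"non-standard User-Agent token {UA_MARKER}", line)
    if LOOKALIKE_BRAND in host and host not in LEGIT_HOSTS:
        return Hit("proxy", f"lookalike host {host}", line)
    return None


def check_registry_line(line: str) -> Optional[Hit]:
    m = REG_RE.match(line)
    if not m:
        return None
    if m["key"].lower() == RUN_KEY.lower() and m["value"] == RUN_VALUE:
        return Hit("registry", f"Run key value {RUN_VALUE} set to {m['data']}", line)
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Run every check over every line; a line yields at most one hit."""
    hits = []
    for line in lines:
        for check in (check_proxy_line, check_registry_line):
            hit = check(line)
            if hit:
                hits.append(hit)
                break
    return hits


# Constructed sample telemetry: one benign Cloudflare API call, one beacon with the odd UA,
# one lookalike host, one malicious Run-key write and one benign Run-key write.
SAMPLE_LOG = [
    '2021-03-02T10:14:01Z 10.0.4.17 GET https://api.cloudflare.com/client/v4/zones "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0 Safari/537.36"',
    '2021-03-02T10:14:09Z 10.0.4.17 POST https://api-cloudflare-cdn.example/upload "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Spark/1.0"',
    '2021-03-02T10:15:22Z 10.0.4.23 GET https://cdn.cloudflare.example/ "curl/7.79.1"',
    '2021-03-02T10:16:00Z RegistrySet HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run OzhUpdater C:\\Users\\Public\\svchost.exe',
    '2021-03-02T10:16:05Z RegistrySet HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run OneDrive C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit.source}] {hit.reason}")
```

The UA check is the highest-confidence rule; the lookalike-host rule will produce noise on any domain that legitimately contains the brand name, so in production it should be backed by an allowlist built from the organisation's own traffic rather than the single entry assumed here.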
☠️ Risk & Impact
OZH RAT poses a high risk of complete system compromise, enabling long-term espionage and data theft. Affected sectors include telecommunications, government and energy in the Middle East. Financial losses are indirect but significant, arising from intellectual property theft and operational disruption. Its exfiltration over the existing HTTPS C2 channel maps to MITRE ATT&CK technique T1041 (Exfiltration Over C2 Channel).
🛡️ Mitigation
Defenders should deploy endpoint detection and response (EDR) rules for unusual outbound HTTPS traffic to newly seen domains and for new values written under the HKCU Run key, apply patches for CVE-2022-27776 (curl) and for internet-facing remote code execution vulnerabilities generally, and implement application allowlisting to block unauthorized executables. RDP and SMB should be restricted between network segments to reduce lateral movement, per CISA recommendations.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.