UBoatRAT

UBoatRAT is a new custom Remote Access Trojan (RAT) identified by Palo Alto Networks Unit 42, designed to exploit and damage computer systems. The malware has been observed in multiple variants delivered via Google Drive, often masquerading as Microsoft Word document files to deceive users into executing it. As of the time of writing, fourteen samples of UBoatRAT and one associated downloader have been identified. The latest versions were released in late July, with further updates seen in GitHub accounts in September and October. Upon execution, UBoatRAT checks for certain conditions on the compromised machine. It uses a custom command and control protocol to communicate with the attacker’s server, retrieving its command and control (C2) address from GitHub. The attacker hides the C2 address and destination port in a file hosted on GitHub, ensuring that the malware remains operational and difficult to trace. After completing the copying of the local file, the Background Intelligent Transfer Service (BITS) executes the UBoatRAT file configured at the third line. UBoatRAT employs sophisticated techniques to ensure its persistence on infected systems. It takes advantage of Microsoft Windows Background Intelligent Transfer Service (BITS) to stay running on a system even after a reboot. If certain conditions aren't met, UBoatRAT copies itself as C:\programdata\svchost.exe, creates C:\programdata\init.bat, and executes the bat file. AutoFocus users can track this malware using the UBoatRAT tag on the Palo Alto Networks platform.