ATT&CK v16 has been released! Check out the blog post for more information.

UBoatRAT

UBoatRAT is a remote access tool that was identified in May 2017.^[1]

ID: S0333

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 29 January 2019

Last Modified: 10 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	UBoatRAT has used HTTP for C2 communications.^[1]
Enterprise	T1197		BITS Jobs	UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	UBoatRAT can start a command shell.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	UBoatRAT encrypts instructions in its C2 network payloads using a simple XOR cipher.^[1]
Enterprise	T1105		Ingress Tool Transfer	UBoatRAT can upload and download files to the victim’s machine.^[1]
Enterprise	T1057		Process Discovery	UBoatRAT can list running processes on the system.^[1]
Enterprise	T1497	.001	Virtualization/Sandbox Evasion: System Checks	UBoatRAT checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine.^[1]
Enterprise	T1102	.002	Web Service: Bidirectional Communication	UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications.^[1]

References

Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.