UBoatRAT

UBoatRAT is a remote access tool that was identified in May 2017.[1]

ID: S0333
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1197 | BITS Jobs | UBoatRAT takes advantage of the /SetNotifyCmdLine option in Bitsadmin.exe to ensure it stays running on a system to maintain persistence.[1] |
| Enterprise | T1059 | Command-Line Interface | UBoatRAT can start a command shell.[1] |
| Enterprise | T1043 | Commonly Used Port | UBoatRAT uses ports 80 and 443 for C2 communications.[1] |
| Enterprise | T1094 | Custom Command and Control Protocol | UBoatRAT has used a custom command and control protocol to communicate with C2. The string '488' is placed at the top of the payload, and the entire buffer is encrypted with a static key using a simple XOR cipher.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | UBoatRAT encrypts instructions in the payload using a simple XOR cipher.[1] |
| Enterprise | T1057 | Process Discovery | UBoatRAT can list running processes on the system.[1] |
| Enterprise | T1105 | Remote File Copy | UBoatRAT can upload and download files to the victim's machine.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | UBoatRAT has used HTTP for C2 communications.[1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | UBoatRAT checks for virtualization software such as VMware, VirtualBox, or QEMU on the compromised machine.[1] |
| Enterprise | T1102 | Web Service | UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications.[1] |
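The BITS Jobs row above describes UBoatRAT registering a notification command line with Bitsadmin.exe so that BITS re-launches it. As an added detection example, not code from this ATT&CK entry or from the malware, the following Python scans constructed process-creation records (field names modelled loosely on Sysmon Event ID 1, an assumption) and extracts the job name and program that each /SetNotifyCmdLine call registers, so a defender can review what BITS has been told to execute:

```python
"""Hunt for bitsadmin /SetNotifyCmdLine usage (ATT&CK T1197) in process-creation logs.

Added example, not taken from the ATT&CK page or from UBoatRAT. The event
shape ({"image": ..., "cmdline": ...}) is an assumption modelled loosely on
Sysmon Event ID 1; adapt the field names to your own telemetry.
"""
import re
import shlex
from typing import Dict, List

# Constructed sample events: benign BITS usage mixed with two notify-command
# registrations, one of them launched indirectly through cmd.exe.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /create backup_job"},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": 'bitsadmin /SetNotifyCmdLine backup_job "C:\\Users\\Public\\update.exe" NULL'},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job1 http://intranet/file.txt C:\\temp\\file.txt"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c bitsadmin /setnotifycmdline dl "%APPDATA%\\svc.exe" NULL'},
]

# bitsadmin switches are case-insensitive, so match the option that way.
NOTIFY_RE = re.compile(r"/setnotifycmdline\b", re.IGNORECASE)


def find_bits_notify_persistence(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per /SetNotifyCmdLine call: job name, program, raw cmdline."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if not NOTIFY_RE.search(cmd):
            continue
        # posix=False keeps Windows backslashes intact and leaves quotes on the token.
        tokens = shlex.split(cmd, posix=False)
        idx = next(i for i, t in enumerate(tokens) if NOTIFY_RE.fullmatch(t))
        job = tokens[idx + 1] if idx + 1 < len(tokens) else ""
        program = tokens[idx + 2].strip('"') if idx + 2 < len(tokens) else ""
        findings.append({"job": job, "program": program, "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in find_bits_notify_persistence(SAMPLE_EVENTS):
        print(f"job={f['job']!r} program={f['program']!r}")
```

Any program path that is not an expected BITS consumer, or that lives in a user-writable location such as the two constructed samples, is worth triage.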

References