UBoatRAT

UBoatRAT is a remote access tool that was identified in May 2017.[1]

ID: S0333
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1197 BITS Jobs

UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence.[1]

Enterprise T1059 Command-Line Interface

UBoatRAT can start a command shell.[1]

Enterprise T1043 Commonly Used Port

UBoatRAT uses ports 80 and 443 for C2 communications.[1]

Enterprise T1094 Custom Command and Control Protocol

UBoatRAT has used a custom command and control protocol to communicate with C2. The string ‘488’ is placed at the top of the payload, and the entire buffer is encrypted with a static key using a simple XOR cipher.[1]

Enterprise T1027 Obfuscated Files or Information

UBoatRAT encrypts instructions in the payload using a simple XOR cipher.[1]

Enterprise T1057 Process Discovery

UBoatRAT can list running processes on the system.[1]

Enterprise T1105 Remote File Copy

UBoatRAT can upload and download files to the victim’s machine.[1]

Enterprise T1071 Standard Application Layer Protocol

UBoatRAT has used HTTP for C2 communications.[1]

Enterprise T1497 Virtualization/Sandbox Evasion

UBoatRAT checks for virtualization software such as VMware, VirtualBox, or QEMU on the compromised machine.[1]

Enterprise T1102 Web Service

UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications.[1]

References