
UBoatRAT is a remote access tool that was identified in May 2017.[1]

ID: S0333
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1197 | BITS Jobs | UBoatRAT takes advantage of the /SetNotifyCmdLine option in Bitsadmin.exe to ensure it stays running on a system to maintain persistence. [1] |
| Enterprise | T1059 | Command-Line Interface | UBoatRAT can start a command shell. [1] |
| Enterprise | T1043 | Commonly Used Port | UBoatRAT uses ports 80 and 443 for C2 communications. [1] |
| Enterprise | T1094 | Custom Command and Control Protocol | UBoatRAT has used a custom command and control protocol to communicate with C2. The string ‘488’ is placed at the top of the payload, and the entire buffer is encrypted with a static key using a simple XOR cipher. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | UBoatRAT encrypts instructions in the payload using a simple XOR cipher. [1] |
| Enterprise | T1057 | Process Discovery | UBoatRAT can list running processes on the system. [1] |
| Enterprise | T1105 | Remote File Copy | UBoatRAT can upload and download files to the victim’s machine. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | UBoatRAT has used HTTP for C2 communications. [1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | UBoatRAT checks for virtualization software such as VMware, VirtualBox, or QEMU on the compromised machine. [1] |
| Enterprise | T1102 | Web Service | UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications. [1] |
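
A detection example for the BITS Jobs entry above, added here and not taken from ATT&CK or the cited report: it flags process-creation command lines that call Bitsadmin.exe with /SetNotifyCmdLine and extracts the job name and the program registered to run on notification. The sample command lines, job names and paths are constructed, and the function names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class BitsNotifyHit(NamedTuple):
    job: str        # BITS job the notification command is attached to
    program: str    # program BITS will launch on job completion or error
    arguments: str  # parameters passed to that program (may be "NULL")


def _tokens(cmdline: str) -> List[str]:
    # Split on whitespace but keep double-quoted spans together, then unquote.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def find_bits_notify(cmdline: str) -> Optional[BitsNotifyHit]:
    """Return the notify command if cmdline is bitsadmin /SetNotifyCmdLine."""
    tok = _tokens(cmdline)
    if not tok:
        return None
    # Compare only the image file name so full and quoted paths also match.
    image = re.split(r'[\\/]', tok[0])[-1].lower()
    if image not in ("bitsadmin", "bitsadmin.exe"):
        return None
    for i, t in enumerate(tok[1:], start=1):
        if t.lower() == "/setnotifycmdline":   # switch is case-insensitive
            rest = tok[i + 1:]
            if len(rest) < 2:                  # job or program missing
                return None
            return BitsNotifyHit(rest[0], rest[1], " ".join(rest[2:]))
    return None


def scan(cmdlines: List[str]) -> List[Tuple[int, BitsNotifyHit]]:
    """Return (index, hit) for every command line that registers a notify command."""
    hits = ((i, find_bits_notify(c)) for i, c in enumerate(cmdlines))
    return [(i, h) for i, h in hits if h is not None]


# Constructed process-creation command lines (not from a real host).
SAMPLES = [
    r'bitsadmin /create backup_job',
    r'C:\Windows\System32\bitsadmin.exe /SetNotifyCmdLine backup_job "C:\ProgramData\example\svc.exe" NULL',
    r'"C:\Windows\System32\BITSADMIN.EXE" /setnotifycmdline job2 C:\Users\Public\a.exe "-k run"',
    r'notepad.exe C:\notes\bitsadmin /SetNotifyCmdLine.txt',
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLES):
        print(f"line {idx}: job={hit.job} program={hit.program} args={hit.arguments}")
```

A program path outside the Windows system directories in the `program` field is the value to triage first, since BITS will relaunch it whenever the job completes or errors.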