UBoatRAT

UBoatRAT is a remote access tool that was identified in May 2017.[1]

ID: S0333
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 January 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

UBoatRAT has used HTTP for C2 communications.[1]

Enterprise T1197 BITS Jobs

UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

UBoatRAT can start a command shell.[1]

Enterprise T1105 Ingress Tool Transfer

UBoatRAT can upload and download files to the victim’s machine.[1]

Enterprise T1027 Obfuscated Files or Information

UBoatRAT encrypts instructions in the payload using a simple XOR cipher.[1]

Enterprise T1057 Process Discovery

UBoatRAT can list running processes on the system.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

UBoatRAT checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine.[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications.[1]

References