bluebay2014 - Fotolia
Researchers at Palo Alto Networks Inc.'s Unit 42 discovered a new remote access Trojan called UBoatRAT that uses Google services and GitHub to spread. How does UBoatRAT abuse these services?
Command-and-control systems (C&C) are among the most important tools to maintain persistence in an attack.
As most attackers do not use AI for fully autonomous malware, they need some way to control the endpoints or upload data. This is typically done via a network connection back to a server that the attacker controls and that allows the server IP address to be embedded in the malware or looked up in an external source. A network connection like this is an indicator of compromise that many antimalware network devices use to detect and block the malware.
Early C&C connections used Internet Relay Chat (IRC) to carry C&C commands until enterprises responded by blocking IRC. As IRC and other common C&C channels were blocked, attackers realized they needed to use something enterprises couldn't or wouldn't block for their C&C channels, such as social media sites like Instagram and Twitter or cloud services like Google Docs or GitHub.
Palo Alto Networks' Unit 42 discovered a remote access Trojan called UBoatRAT that uses GitHub to initialize and store the IP address of its C&C server. The attacker hosts a file on GitHub with an encoded string in it that, when decoded by the UBoatRAT malware, includes the connection information for the C&C server using a custom protocol.
For a server or endpoint used in software development, a connection to GitHub wouldn't be suspicious; however, few users' devices or enterprise servers are used in software development, so any connection to GitHub might be worth investigating on those systems.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Several vulnerabilities were found in Western Digital's My Cloud, including one that affects the default hardcoded password. Learn how to avoid such ... Continue Reading
Malicious files posing as legitimate ionCube files were recently found by WordPress and Joomla admins. Learn how the ionCube malware works with ... Continue Reading
Ploutus.D malware recently started popping up in the U.S. after several ATM jackpotting attacks. Discover how this is possible and what banks can do ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.