Q
Manage Learn to apply best practices and optimize your operations.

How does UBoatRAT use Google services and GitHub to spread?

A new remote access Trojan called UBoatRAT was found spreading via Google services and GitHub. Learn how spotting command-and-control systems can protect enterprises with Nick Lewis.

Researchers at Palo Alto Networks Inc.'s Unit 42 discovered a new remote access Trojan called UBoatRAT that uses...

Google services and GitHub to spread. How does UBoatRAT abuse these services?

Command-and-control systems (C&C) are among the most important tools to maintain persistence in an attack.

As most attackers do not use AI for fully autonomous malware, they need some way to control the endpoints or upload data. This is typically done via a network connection back to a server that the attacker controls and that allows the server IP address to be embedded in the malware or looked up in an external source. A network connection like this is an indicator of compromise that many antimalware network devices use to detect and block the malware.

Early C&C connections used Internet Relay Chat (IRC) to carry C&C commands until enterprises responded by blocking IRC. As IRC and other common C&C channels were blocked, attackers realized they needed to use something enterprises couldn't or wouldn't block for their C&C channels, such as social media sites like Instagram and Twitter or cloud services like Google Docs or GitHub.

Palo Alto Networks' Unit 42 discovered a remote access Trojan called UBoatRAT that uses GitHub to initialize and store the IP address of its C&C server. The attacker hosts a file on GitHub with an encoded string in it that, when decoded by the UBoatRAT malware, includes the connection information for the C&C server using a custom protocol.

For a server or endpoint used in software development, a connection to GitHub wouldn't be suspicious; however, few users' devices or enterprise servers are used in software development, so any connection to GitHub might be worth investigating on those systems.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

This was last published in June 2018

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

How has the use of command-and-control systems been detrimental to your organization?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close