Researchers at Palo Alto Networks Inc.'s Unit 42 discovered a new remote access Trojan called UBoatRAT that uses...
Google services and GitHub to spread. How does UBoatRAT abuse these services?
Command-and-control systems (C&C) are among the most important tools to maintain persistence in an attack.
As most attackers do not use AI for fully autonomous malware, they need some way to control the endpoints or upload data. This is typically done via a network connection back to a server that the attacker controls and that allows the server IP address to be embedded in the malware or looked up in an external source. A network connection like this is an indicator of compromise that many antimalware network devices use to detect and block the malware.
Early C&C connections used Internet Relay Chat (IRC) to carry C&C commands until enterprises responded by blocking IRC. As IRC and other common C&C channels were blocked, attackers realized they needed to use something enterprises couldn't or wouldn't block for their C&C channels, such as social media sites like Instagram and Twitter or cloud services like Google Docs or GitHub.
Palo Alto Networks' Unit 42 discovered a remote access Trojan called UBoatRAT that uses GitHub to initialize and store the IP address of its C&C server. The attacker hosts a file on GitHub with an encoded string in it that, when decoded by the UBoatRAT malware, includes the connection information for the C&C server using a custom protocol.
For a server or endpoint used in software development, a connection to GitHub wouldn't be suspicious; however, few users' devices or enterprise servers are used in software development, so any connection to GitHub might be worth investigating on those systems.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about ... Continue Reading
The use of botnets to spread Scarab ransomware intensifies the threat for enterprises. Discover the best way to respond to such a threat and protect ... Continue Reading
After a fake WhatsApp app was discovered in the Google Play Store, users are questioning what can be done to avoid counterfeit apps. Learn several ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.