bluebay2014 - Fotolia
Researchers at Palo Alto Networks Inc.'s Unit 42 discovered a new remote access Trojan called UBoatRAT that uses Google services and GitHub to spread. How does UBoatRAT abuse these services?
Command-and-control systems (C&C) are among the most important tools to maintain persistence in an attack.
As most attackers do not use AI for fully autonomous malware, they need some way to control the endpoints or upload data. This is typically done via a network connection back to a server that the attacker controls and that allows the server IP address to be embedded in the malware or looked up in an external source. A network connection like this is an indicator of compromise that many antimalware network devices use to detect and block the malware.
Early C&C connections used Internet Relay Chat (IRC) to carry C&C commands until enterprises responded by blocking IRC. As IRC and other common C&C channels were blocked, attackers realized they needed to use something enterprises couldn't or wouldn't block for their C&C channels, such as social media sites like Instagram and Twitter or cloud services like Google Docs or GitHub.
Palo Alto Networks' Unit 42 discovered a remote access Trojan called UBoatRAT that uses GitHub to initialize and store the IP address of its C&C server. The attacker hosts a file on GitHub with an encoded string in it that, when decoded by the UBoatRAT malware, includes the connection information for the C&C server using a custom protocol.
For a server or endpoint used in software development, a connection to GitHub wouldn't be suspicious; however, few users' devices or enterprise servers are used in software development, so any connection to GitHub might be worth investigating on those systems.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been... Continue Reading
A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it... Continue Reading
Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.