How does UBoatRAT use Google services and GitHub to spread?

Researchers at Palo Alto Networks Inc.'s Unit 42 discovered a new remote access Trojan called UBoatRAT that uses Google services and GitHub to spread. How does UBoatRAT abuse these services?

Command-and-control systems (C&C) are among the most important tools to maintain persistence in an attack.

As most attackers do not use AI for fully autonomous malware, they need some way to control the endpoints or upload data. This is typically done via a network connection back to a server that the attacker controls and that allows the server IP address to be embedded in the malware or looked up in an external source. A network connection like this is an indicator of compromise that many antimalware network devices use to detect and block the malware.

Early C&C connections used Internet Relay Chat (IRC) to carry C&C commands until enterprises responded by blocking IRC. As IRC and other common C&C channels were blocked, attackers realized they needed to use something enterprises couldn't or wouldn't block for their C&C channels, such as social media sites like Instagram and Twitter or cloud services like Google Docs or GitHub.

Palo Alto Networks' Unit 42 discovered a remote access Trojan called UBoatRAT that uses GitHub to initialize and store the IP address of its C&C server. The attacker hosts a file on GitHub with an encoded string in it that, when decoded by the UBoatRAT malware, includes the connection information for the C&C server using a custom protocol.

For a server or endpoint used in software development, a connection to GitHub wouldn't be suspicious; however, few users' devices or enterprise servers are used in software development, so any connection to GitHub might be worth investigating on those systems.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)