Oblique RAT documents try to infect computers



A new type of infected Word document, named ObliqueRAT, is doing the rounds with a few new tricks.

ObliqueRAT is similar to an earlier nasty, CrimsonRAT, but has a range of infection capabilities and is encrypted.

Password Protected

The infected Word documents usually arrive via email and are password protected.  Presumably the password is in the email.

Why password locked?  Encrypting the document makes it a lot harder for anti-virus and security systems to analyse the contents.

.DOC file

Like most infected Word documents, they are the old .DOC file format.

It’s now ten years since .DOC etc was replaced by the safer .DOCX format.  That’s why we recommend not using or opening .doc files.

Why Old Office documents should be banned

Two of the known document names used by ObliqueRAT are:

    • Company-Terms.doc
    • DOT_JD_GM.doc
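The format and file-name points above can be checked on an incoming attachment by looking at its content rather than its extension. This is an added example, not code from the article or from Talos. The function names are hypothetical, the byte scan for stream names is a heuristic, and it does not detect a password inside a legacy .doc file (it treats every legacy .doc as suspect instead).

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file (legacy .doc)
ZIP_MAGIC = b"PK\x03\x04"                       # ZIP container (.docx)
KNOWN_NAMES = {"company-terms.doc", "dot_jd_gm.doc"}  # names from the article


def utf16(name):
    """OLE directory entries store stream names as UTF-16LE."""
    return name.encode("utf-16-le")


def triage(filename, data):
    """Return (format, reasons) judged from content, not the extension."""
    reasons = []
    if filename.lower() in KNOWN_NAMES:
        reasons.append("name matches a reported ObliqueRAT document")
    if data.startswith(OLE_MAGIC):
        if utf16("EncryptedPackage") in data:
            # A password-protected .docx is wrapped in an OLE container.
            reasons.append("encrypted package: contents cannot be scanned")
            return "encrypted-ooxml", reasons
        if utf16("WordDocument") in data:
            reasons.append("legacy binary Word format")
            return "legacy-doc", reasons
        reasons.append("OLE container of unknown type")
        return "ole-other", reasons
    if data.startswith(ZIP_MAGIC):
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return "bad-zip", reasons + ["ZIP header but unreadable archive"]
        if "word/vbaProject.bin" in names:
            reasons.append("contains a VBA macro project")
        if "word/document.xml" in names:
            return "docx", reasons
        return "zip-other", reasons
    return "other", reasons


def constructed_samples():
    """Constructed inputs: a fake OLE header and a minimal ZIP, not real documents."""
    fake_doc = OLE_MAGIC + b"\x00" * 504 + utf16("WordDocument")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    return {"Company-Terms.doc": fake_doc, "notes.doc": buf.getvalue()}


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, triage(name, blob))
```

A mail gateway or help desk script could hold anything reported as `legacy-doc` or `encrypted-ooxml` for manual review, since neither can be scanned the way a plain .docx can.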

ObliqueRAT has some other peculiarities.  Certain login/user names and computer names will stop the virus from running.


That’s probably to stop the virus running on the hackers’ own test machines.

The main virus program is contained in the infected .doc file.  It’s saved to the Public folder as another Word document then renamed to a .exe file and run on the computer.

The virus gathers some system information, then reports to a controlling computer.  That machine responds with instructions or additional programs to run next.

It also drops a Windows shortcut into the Startup folder to ensure the virus is run each time the computer starts.

If you’re interested in the gory details of an infected Word document, TalosIntelligence goes through it in considerable detail.

Word’s Melissa virus is 20 years old – what’s changed?

Make your own Word virus for $40

2019’s top software vulnerabilities featuring Microsoft Office
