A new type of infected Word document is doing the rounds with the name ObliqueRAT with a few new tricks.
ObliqueRAT is similar to an earlier nasty CrimsonRAT but has a range of infection capabilities and is encrypted.
The infected Word documents usually arrive via email and are password protected. Presumably the password is in the email.
Why password locked? Encrypting the document makes it a lot harder for anti-virus/security system to analyse the contents.
Like most infected Word documents, they are the old .DOC file format.
It’s now ten years since .DOC etc was replaced by the safer .DOCX format. That’s why we recommend not using or opening .doc files.
Two of the known document names used by ObliqueRAT are:
ObliqueRAT has some other peculiarities. Certain login/user names and computer names will stop the virus from running.
That’s probably to stop the virus running on the hackers own test machines.
The main virus program is contained in the infected .doc file. It’s saved to the Public folder as another Word document then renamed to a .exe file and run on the computer.
The virus gathers up some system information then reports to a controlling computer. That machine responds with instructions or additional programs to do next.
It also drops a Windows shortcut into the Startup folder to ensure the virus is run each time the computer starts.
If you’re interested in the gory details of an infected Word document, TalosIntelligence goes through it in considerable detail.