ObliqueRAT Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (546)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en518
es10
it8
fr6
pl2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us510
ru28
cn8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

ObliqueRAT2
Conti2
Fodcha2
RedLine Stealer2
Wizard Spider1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Firewall Software18
Content Management System12
Not Defined8
Web Server4
Groupware Software4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined22
Naviwebs4
Squid4
Apache4
Microsoft4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Naviwebs Navigate CMS4
Apache HTTP Server4
Drupal4
jc21 Nginx Proxy Manager2
CNCF Envoy2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1Apache HTTP Server mod_proxy_balancer.c balancer_handler cross site scripting4.34.1$5k-$25k$0-$5kNot DefinedOfficial Fix0.217820.00CVE-2012-4558
2Google Android Proxy Auto-Config ic.cc UpdateLoadElement out-of-bounds write8.58.2$25k-$100k$5k-$25kNot DefinedOfficial Fix0.001020.00CVE-2019-2047
3Telegram Desktop Proxy credentials management8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.002190.00CVE-2018-17613
4https-proxy-agent JSON memory corruption7.26.9$0-$5k$0-$5kNot DefinedOfficial Fix0.006590.03CVE-2018-3739
5Apache HTTP Server mod_proxy_fcgi.c handle_headers memory corruption5.35.1$25k-$100k$0-$5kNot DefinedOfficial Fix0.009530.00CVE-2014-3583
6Apple iOS Proxy Authentication 7pk security6.66.4$100k and more$5k-$25kNot DefinedOfficial Fix0.001820.04CVE-2016-4642
7YoungZSoft CCProxy Proxy Service memory corruption7.36.9$0-$5k$0-$5kProof-of-ConceptNot Defined0.114870.00CVE-2004-2685
8CNCF Envoy Proxy resource consumption6.46.4$0-$5k$0-$5kNot DefinedNot Defined0.003410.04CVE-2020-8659
9Blue Coat ProxySG SGOS information disclosure5.35.1$0-$5k$0-$5kNot DefinedOfficial Fix0.001390.02CVE-2015-4334
10Juniper WLC Proxy ARP/No Broadcast Feature input validation5.35.1$5k-$25k$0-$5kNot DefinedOfficial Fix0.007120.00CVE-2014-6381
11Symantec ASG/ProxySG FTP Proxy WebFTP Mode Stored cross site scripting5.75.4$5k-$25k$0-$5kNot DefinedOfficial Fix0.001150.00CVE-2018-18370
12Palo Alto PAN-OS DNS Proxy input validation8.58.2$0-$5k$0-$5kNot DefinedOfficial Fix0.067160.03CVE-2017-8390
13QNAP Proxy Server Setting improper authentication6.36.2$0-$5k$0-$5kNot DefinedOfficial Fix0.000700.00CVE-2017-7639
14Squid Web Proxy cachemgr.cgi injection6.15.7$5k-$25k$0-$5kNot DefinedOfficial Fix0.002670.04CVE-2019-18860
15Bluecoat SGOS Management Console cross site scripting4.34.1$0-$5k$0-$5kNot DefinedOfficial Fix0.002650.00CVE-2010-5192
16Artica Proxy fw.progrss.details.php path traversal7.47.1$0-$5k$0-$5kNot DefinedOfficial Fix0.967910.00CVE-2020-13158
17Artica Proxy settings.inc command injection4.94.9$0-$5k$0-$5kNot DefinedNot Defined0.002500.02CVE-2019-7300
18Sarg Squid Analysis Report Generator Proxy Server useragent.c useragent memory corruption10.09.0$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.445600.00CVE-2008-1167
19Google Android Proxy Configuration hydrogen-alias-analysis.h HAliasAnalyzer.Query type conversion8.58.2$25k-$100k$5k-$25kNot DefinedOfficial Fix0.001020.04CVE-2019-2097
20Check point Firewall-1/VPN-1 IKE Aggressive Mode missing encryption5.35.1$0-$5k$0-$5kNot DefinedOfficial Fix0.004090.05CVE-2002-1623

IOC - Indicator of Compromise (2)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
1185.117.73.222ObliqueRAT03/31/2022verifiedHigh
2XXX.XXX.XX.XXXXxxxxxxxxx08/10/2022verifiedHigh

TTP - Tactics, Techniques, Procedures (13)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
4TXXXX.XXXCAPEC-209CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCAPEC-122CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXXCAPEC-136CWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
7TXXXX.XXXCAPEC-178CWE-XXXXxxx XxxxxxxxpredictiveHigh
8TXXXXCAPEC-CWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
9TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
10TXXXXCAPEC-CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
11TXXXXCAPEC-116CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
12TXXXXCAPEC-157CWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
13TXXXX.XXXCAPEC-1CWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (33)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/assets/php/upload.phppredictiveHigh
2Fileadmin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/listpredictiveHigh
3Filecachemgr.cgipredictiveMedium
4Filecgi-bin/cmh/webcam.shpredictiveHigh
5Filexxxxxx.xpredictiveMedium
6Filexx.xxxxxxx.xxxxxxx.xxxpredictiveHigh
7Filexxxxxxxx-xxxxx-xxxxxxxx.xpredictiveHigh
8Filexx.xxpredictiveLow
9Filexxxxxx.xxxpredictiveMedium
10Filexxxxx.xxxpredictiveMedium
11Filexxxxxx.xpredictiveMedium
12Filexxxxx.xxxpredictiveMedium
13Filexxx_xxxxx_xxxxxxxx.xpredictiveHigh
14Filexxx_xxxxx_xxxx.xpredictiveHigh
15Filexxxxxxxx_xxxxxx.xxxpredictiveHigh
16Filexxxxxxxxxx/xxxxxxxx.xxxpredictiveHigh
17Filexxxxxxxxx.xpredictiveMedium
18Filexxxxx/xxxxx.xxpredictiveHigh
19Filexxxxxxxxxxxxx.xxxxpredictiveHigh
20Libraryxxxxxxxxx/xxxxxx_xxxxxxxxxxx.xxx.xxxpredictiveHigh
21ArgumentxxxxpredictiveLow
22ArgumentxxxxxxxxxxxxxpredictiveHigh
23ArgumentxxxxxxxxxxxxpredictiveMedium
24ArgumentxxxxxxxxpredictiveMedium
25Argumentxx_xxxxxxxxpredictiveMedium
26ArgumentxxxxxxxxxpredictiveMedium
27Argumentxxxx_xxxxx/xxxx_xxxxxxxxpredictiveHigh
28Argumentxxxxxxx.xxx_xxxxxxxxxxpredictiveHigh
29ArgumentxxxxxpredictiveLow
30ArgumentxxxpredictiveLow
31ArgumentxxxxxxxxpredictiveMedium
32Argumentxxxx xxxxpredictiveMedium
33Input Value%xx%xx%xxpredictiveMedium

References (3)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Do you know our Splunk app?

Download it now for free!