From 695d580d3cdc80652efff16f292fa5ee0d49ba15 Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Wed, 29 Nov 2017 10:09:39 +0100
Subject: [PATCH] add UBoatRAT

---
 clusters/rat.json | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/clusters/rat.json b/clusters/rat.json
index b04706c..5e30a3a 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2151,6 +2151,15 @@
           "https://www.us-cert.gov/ncas/alerts/TA17-318A"
         ]
       }
+    },
+    {
+      "description": "Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT. The initial version of the RAT, found in May of 2017, was simple HTTP backdoor that uses a public blog service in Hong Kong and a compromised web server in Japan for command and control. The developer soon added various new features to the code and released an updated version in June. The attacks with the latest variants we found in September have following characteristics.\nTargets personnel or organizations related to South Korea or video games industry\nDistributes malware through Google Drive\nObtains C2 address from GitHub\nUses Microsoft Windows Background Intelligent Transfer Service(BITS) to maintain persistence.",
+      "value": "UBoatRAT",
+      "meta": {
+        "refs": [
+          "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/"
+        ]
+      }
     }
   ]
 }