Security researchers have discovered a new campaign by the threat actor group TA505 that distributes a previously undocumented remote access trojan (RAT) named tRat.
TA505 is the group behind the large Dridex campaigns of 2014 and the Locky campaigns of 2016 and 2017.
The campaign was discovered by security researchers at Proofpoint, who describe tRat as a modular RAT written in Delphi.
On September 27, 2018, the researchers observed an email campaign in which a Word document used macros to download the then-undocumented RAT.
The document abused the Norton brand: it carried Norton imagery, and the emails used subject lines stating “I have securely shared file(s) with you.”
At the time, the researchers were unable to attribute the attack to a specific group. They confirmed TA505 as the actor after observing a second campaign distributing tRat in October.
In that campaign the attackers used both Microsoft Word and Microsoft Publisher attachments to deliver the malware, and the targeting was focused on users at commercial banks.
Emails carrying Microsoft Publisher attachments appeared to come from “Invoicing” (with varying actual sending addresses), used subject lines of the form “Invoice (sic) [random digits] – [random digits]”, and had attachments with names such as “inv-399503-03948.pub”.
Emails carrying Microsoft Word attachments appeared to come from “Vanessa Brito” (again with varying actual sending addresses), used subject lines of the form “Call Notification – [random digits] – [random digits]”, and had attachments named “Report.doc”.
tRat achieves persistence by copying its binary to a directory under the user's AppData folder and then creating a LNK shortcut to that copy in the Startup directory, so the binary is executed each time the user logs on.
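The persistence pattern above (a Startup-folder shortcut pointing at a binary under AppData) is something a responder can hunt for without trusting the shortcut resolver on the suspect host. The following is an added example, not code from the article or from Proofpoint: it parses the LNK file format directly (per the MS-SHLLINK layout) and flags Startup shortcuts whose target lives under AppData. The file names, target paths and the builder used to construct the sample shortcuts are hypothetical and exist only so the script runs offline.

```python
"""Added example: hunt for tRat-style LNK persistence in the Startup folder.

Assumptions (not from the original article): file names, sample target paths and the
scanning heuristic are hypothetical; LNK byte layout follows MS-SHLLINK.
"""
import os
import struct
import tempfile
from pathlib import Path

# Startup folders Windows processes at logon: the per-user one and the all-users one.
STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("ProgramData", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
]

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_DATA_BITS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation


def parse_lnk(data: bytes) -> dict:
    """Extract the local target path and arguments from a Shell Link (.lnk) blob."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                                 # end of the 76-byte ShellLinkHeader
    if flags & HAS_ID_LIST:                                  # skip LinkTargetIDList (size prefix + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags, _vol_off, base_off, _net_off, suffix_off = \
            struct.unpack_from("<7I", data, pos)
        if info_flags & 0x1:                                 # VolumeIDAndLocalBasePath present
            base = data[pos + base_off:data.index(b"\x00", pos + base_off)]
            suffix = data[pos + suffix_off:data.index(b"\x00", pos + suffix_off)]
            target = (base + suffix).decode("latin-1")
        pos += info_size
    args = ""
    for bit in STRING_DATA_BITS:                             # StringData entries, in spec order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]       # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            value, pos = data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
        else:
            value, pos = data[pos:pos + count].decode("latin-1"), pos + count
        if bit == HAS_ARGS:
            args = value
    return {"target": target, "args": args}


def build_lnk(target: str, args: str = "") -> bytes:
    """Build a minimal, spec-valid LNK. Used only to construct sample files for this demo."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if args else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 17, 3, 0x12345678, 16) + b"\x00"   # VolumeID: fixed drive, empty label
    base, suffix = target.encode("latin-1") + b"\x00", b"\x00"
    info_size = 28 + len(volume) + len(base) + len(suffix)
    link_info = struct.pack("<7I", info_size, 28, 0x1, 28, 28 + len(volume), 0,
                            28 + len(volume) + len(base)) + volume + base + suffix
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le") if args else b""
    return header + link_info + string_data


def suspicious_startup_links(startup_dir: Path) -> list:
    """Flag .lnk files whose target lives under AppData, the pattern tRat uses for persistence."""
    findings = []
    for lnk in sorted(startup_dir.glob("*.lnk")):
        try:
            info = parse_lnk(lnk.read_bytes())
        except (ValueError, IndexError, struct.error):
            continue                                         # unparsable shortcut: triage separately
        if "\\appdata\\" in info["target"].lower():
            findings.append({"lnk": lnk.name, **info})
    return findings


def demo() -> list:
    """Write two constructed shortcuts into a temporary 'Startup' folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp)
        # Hypothetical tRat-style persistence: Startup LNK -> binary copied under AppData.
        (startup / "Updater.lnk").write_bytes(
            build_lnk(r"C:\Users\victim\AppData\Roaming\WinUpdate\winupd.exe", "/silent"))
        # Benign shortcut to a program under Program Files; should not be flagged.
        (startup / "Outlook.lnk").write_bytes(
            build_lnk(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"))
        return suspicious_startup_links(startup)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['lnk']} -> {hit['target']} {hit['args']}".rstrip())
    # On a live Windows host, scan the real folders instead:
    # for d in STARTUP_DIRS: print(suspicious_startup_links(d))
```

A hit is a lead, not a verdict: some legitimate software installs per-user under AppData and registers a Startup shortcut, so each finding still needs the target file hashed and checked. Parsing the bytes yourself also means the scan works on a mounted disk image, where the COM shortcut resolver is not available.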
tRat stores most of its important strings encrypted and hex-encoded. It uses TCP port 80 for command and control (C&C) communications; the connections are encrypted and all data is transmitted hex-encoded.
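Port 80 is chosen because it is rarely blocked, not because the traffic is HTTP, and the article does not say tRat wraps its hex-encoded data in HTTP at all. That gap is itself a detection opportunity. The following is an added example, not code from the article or from Proofpoint: it labels the first client payload of TCP/80 sessions and pulls out the ones that are a bare hex blob rather than an HTTP request. The flow IDs and payload samples are constructed for the demo, and the heuristic assumes the hex-encoded data goes over the socket without an HTTP wrapper (an assumption, since the article does not say either way).

```python
"""Added example: triage of TCP/80 sessions that carry hex-encoded, non-HTTP data.

The article says tRat talks to its C&C over TCP port 80, encrypted and hex-encoded.
The heuristic and the sample payloads below are constructed for this demo, not from the article.
"""
import re

# Anything that starts like an HTTP request line or status line is ordinary web traffic.
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ",
               b"PATCH ", b"CONNECT ", b"TRACE ", b"HTTP/")
HEX_BLOB = re.compile(rb"\A[0-9A-Fa-f]+\Z")


def classify_port80_payload(first_bytes: bytes, min_len: int = 16) -> str:
    """Label the first payload bytes of a TCP/80 session: 'http', 'hex-blob' or 'other'."""
    if first_bytes.startswith(HTTP_STARTS):
        return "http"
    body = first_bytes.strip()
    # Hex encoding of bytes is always even length; very short blobs are too ambiguous to call.
    if len(body) >= min_len and len(body) % 2 == 0 and HEX_BLOB.match(body):
        return "hex-blob"
    return "other"


def hex_blob_sessions(sessions: dict) -> list:
    """Return the IDs of sessions whose first client payload is a bare hex blob."""
    return [sid for sid, payload in sessions.items()
            if classify_port80_payload(payload) == "hex-blob"]


# Constructed first-payload samples, keyed by a made-up flow ID (documentation IP ranges).
SAMPLE_SESSIONS = {
    "10.0.0.5:49211->192.0.2.10:80": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "10.0.0.5:49212->192.0.2.10:80": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    # Encrypted-then-hex-encoded beacon of the kind the article describes (random bytes, hex-encoded).
    "10.0.0.7:50731->203.0.113.9:80": b"9f1c44a0e37bb218c0ffee00deadbeef4a5b6c7d8e9f0011\n",
    "10.0.0.7:50732->203.0.113.9:80": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",  # TLS ClientHello
    "10.0.0.9:50900->198.51.100.2:80": b"abc\n",                                        # too short to call
}

if __name__ == "__main__":
    for flow in hex_blob_sessions(SAMPLE_SESSIONS):
        print("hex-encoded non-HTTP traffic on port 80:", flow)
```

In practice this runs over the first payload bytes of each flow as exported by a sensor (Zeek's notion of a protocol mismatch on port 80 covers the "other" bucket; the hex-only test narrows it to what the article describes). Because the encryption hides the content, the shape of the encoding and the absence of an HTTP request line are the only cheap signals available at the network layer.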
“However, we observe these new strains carefully as they have also adopted new malware like Locky or less widely distributed malware like FlawedAmmyy at scale following similar tests. Moreover, their adoption of RATs this year mirrors a broader shift towards loaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat actors,” Proofpoint researchers said in their analysis.
For more details, you can visit the analysis published by Proofpoint researchers here.