New RAT Trochilus Skilled at Espionage, Evading Detection

Researchers have uncovered a new RAT that can evade sandbox analysis, is adept at carrying out espionage, and is being used in targeted threat operations.

Researchers have uncovered a new remote access Trojan (RAT) that can evade sandbox analysis, is adept at carrying out espionage, and is being used in targeted threat operations.

Named Trochilus, the malware is part of a multi-pronged malware operation that researchers at Arbor Networks are calling the Seven Pointed Dagger (.PDF). The cluster also includes malware such as PlugX, the 9002 RAT (3102 variant), and EvilGrab, to name a few, and is the prime toolset of a group of attackers dubbed by researchers with Cisco’s Talos Group as “Group 27.”

Researchers with the firm’s Security Engineering & Response Team found early instances of the group’s work, namely PlugX last summer, but stumbled upon new malware, including Trochilus, in October. Like last summer’s malware, the latest malware was found on a site related to a 2015 election in the Southeast Asian country Myanmar.

The malware doesn’t leave much of a trace, and is skilled at evading detection, according to a report on the operation published Monday.

“This malware … appears to run only in memory and does not leave a footprint on the disk, except in the form of encoded files that do not execute by themselves and are resistant to static file malware detection processes and static analysis,” the report reads.

The RAT’s readme file details the malware’s capabilities in full, including functionality such as a shellcode extension, remote uninstall, a file manager, download and execute, and upload and execute. Officials with Arbor Networks said the malware has “the means to move laterally within targets in order to achieve more strategic access,” as well.

The attacks plagued the Myanmar Union Election Commission’s (UEC) website and largely stemmed from a general election held by the country last November, the nation’s first since a new government was enacted in 2011.

While the Myanmar is two months removed from the election, the country is still in the midst of a political transition, part of the reason why officials at Arbor Networks warn individuals there to remain alert when it comes to any suspicious-looking emails. Trochilus, and other strains of malware in the cluster are primarily spread via attachments, such .RAR files, and any politically leaning organizations, especially those connected to Myanmar’s United Nations Development Programme (UNDP) will likely continue to be a target, the researchers warn.

The news piggybacks on a similar Citizen Lab report from last year that covered several of the aforementioned strains of malware. PlugX was sent – bundled in .zip files – through a series of spearphishing attacks to an unnamed environmental NGO working on issues in Southeast Asia. Both attacks shared common features, like the presence of PlugX. Both campaigns also took aim at groups in the Tibetan diaspora, leading experts to believe they’re connected.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.