A new modular malware written in Delphi dubbed tRat has scurried into the spotlight, after making its debut in large spam campaigns this fall.
The remote-access trojan has yet to show all of its cards to researchers, and seems to be in a testing phase, but the fact that well-known APT group TA505 is the one using it makes it bear watching, according to researchers.
Proofpoint researchers first spotted tRat being used in a pair of spam campaigns launched in September and October. The first campaign trod the well-worn path of using Microsoft Word documents with malicious macros to download the payload; while the social-engineering involved the Norton brand, with messages claiming to scan and secure the attached documents. A second campaign was however more complex, according to Proofpoint, and carried out by TA505.
“On October 11, we observed another email campaign distributing tRAT, this time by TA505,” they said in a posting on Thursday. “This campaign was more sophisticated, using both Microsoft Word and Microsoft Publisher files, and varying subject lines and senders. This campaign appeared to target users at commercial banking institutions…. purporting to be from ‘Invoicing,’ with various sending addresses.”
In all cases, the attachments contained macros that, when enabled, downloaded tRat.
The remote access trojan is notable in that it achieves persistence by copying the binary to an Adobe Flash Player folder; then, it creates a LNK file in the Startup directory that executes the malware on startup.
It then uses TCP port 80 for command and control (C2) communications, with all data encrypted and transmitted hex-encoded. Most interestingly however, Proofpoint said that the only supported command in the loader for now is the straightforwardly named “MODULE,” which can be used to send the malware additional pieces of code. To receive a module, tRat has a sequence of actions that it must follow.
“Once decrypted, the modules are loaded as a DLL and executed using the received export name,” the team explained.
What these modules might do is for now, a cipher: “Currently we have not observed any modules delivered by a C&C, so we are unsure of what functionality they might add,” the researchers noted. However, the fact that its functionality can be enhanced over time “mirrors a broader shift towards loaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat actors,” they added.
The fact that part of tRat’s functionality is unknown extends to other parts of the analysis. For instance, Proofpoint discovered that to generate the decryption key it uses a 1,536-byte table – however, it’s unclear if the keys change from infection to infection. Proofpoint researchers also observed the malware assigning the infected host a “Bot ID” – but it’s unclear how this is generated or what its purpose is.
All of this points to evidence that the malware is in a testing phase – which becomes notable given that TA505 is trialing it. The group is an APT actor that’s known for the volume, frequency and sophistication of its campaigns; it’s been around since 2014, carrying out both financial and nation-state work. Perhaps most infamously, it’s responsible for mass campaigns delivering the Locky ransomware in 2016 and 2017.
TA505 is the one of the most prolific actors out there, according to Proofpoint. The group was responsible for hundreds of Dridex campaigns beginning in 2014 in addition to the massive Locky campaigns that came later. In all cases, hundreds of millions of malicious messages were distributed worldwide.
“TA505 tends to move the needle on the email threat landscape,” Proofpoint noted. “It is not unusual for the group to test new malware and never return to distributing it, as they have with BackNet, Cobalt Strike, Marap, Dreamsmasher and even Bart during their ransomware campaigns. However, we observe these new strains carefully as they have also adopted new malware like Locky or less widely distributed malware like FlawedAmmyy at scale following similar tests.”