New RAT Trochilus, a sophisticated weapon used by cyber spies

Researchers spotted a new espionage campaign relying on a number of RATs including the powerful Trochilus threat.

Security experts have uncovered a new remote access Trojan (RAT) named Trochilus that is able to evade sandbox analysis. The Trochilus malware was used to targeted attacks in multi-pronged cyber espionage operations.

Experts at Arbor Networks uncovered a cyber espionage campaign dubbed the Seven Pointed Dagger managed by a group dubbed “Group 27,” which used other malware including PlugX, and the 9002 RAT (3102 variant).

“Specifically, six RAR files – containing two instances of PlugX, EvilGrab, an unknown malware, and two instances of a new APT malware called the Trochilus RAT – plus an instance of the 3012 variant of the 9002 RAT were found. These seven discovered malware offer threat actors a variety of capabilities including espionage and the means to move laterally within targets in order to achieve more strategic access.” states the report.

The experts obtained the source of the malware, including a README file that details the basic functionality of the RAT.

The RAT functionalities include a shellcode extension, remote uninstall, a file manager, download and execute, upload and execute and of course, the access to the system information. Officials with Arbor Networks said the malware has “the means to move laterally within targets in order to achieve more strategic access,” as well.

The malware appears very insidious, it has the ability to remain under the radar while moving laterally within the infected systems.

Experts at Arbor Networks first uncovered traces of the Group 27’s activity in the middle 2015, but Trochilus appeared in the wild only in October 2015, when threat actors used it to infect visitors of a website in Myanmar. The threat actors compromised the Myanmar Union Election Commission’s (UEC) website, a circumstance that lead the experts to believe that threat actors are still monitoring the political evolution of the country.

The malware is very sophisticated, it operates in memory only and doesn’t use disks for its operations, for this reason it is hard to detect.

“This malware executes in memory only and the final payload never appears on disk in normal operations, however the binaries can be decoded and are subsequently easier to analyze.” states the report.

The threat actors behind the Trochilus RAT primarily used malicious email as attack vector, they included the malware in .RAR attachment.

Other security firms and independent organizations analyzed the same cyber espionage campaign, including Palo Alto Networks and Citizen Lab that published an interesting report titled “Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites.”

No doubts, malware is a privileged instrument for modern espionage, we will assist to a continuous growth for the number of RAT used by threat actors in the will and we will expect that these threats will become even more complex and hard to detect.

Pierluigi Paganini

(Security Affairs – Trochilus RAT, cyber espionage)