The group was responsible for hundreds of Dridex campaigns

Nov 19, 2018 21:57 GMT

A new Delphi-based modular Remote Access Trojan dubbed tRat was spotted by Proofpoint's research team while being distributed during September and October 2018 spam campaigns by the TA505 threat group.

The APT group behind the newly discovered RAT malware was also found responsible for the 2014 Dridex campaign and the Locky campaign that ran from 2016 to 2017.

TA505 has also been observed peddling other malware payloads, from the Shifu and The Trick banking trojans and the Necurs botnet to the even more dangerous Jaff, Bart, Philadelphia, and GlobeImposter ransomware strains, all of them distributed through vast spam campaigns designed to compromise as many victims as possible with the least amount of effort.

While TA505 used the September spam campaign to distribute its new tRat malware via maliciously crafted Microsoft Word documents that rely on macros to drop the RAT onto target machines, the October attack was considerably more complex.

Moreover, during October, tRat was pushed onto potential victims "using both Microsoft Word and Microsoft Publisher files, and varying subject lines and senders. This campaign appeared to target users at commercial banking institutions."

tRat uses encrypted data channels to communicate with its C&C servers

tRat achieves persistence on compromised systems using multiple methods and communicates with its command-and-control (C&C) servers over TCP port 80 using encrypted, hex-encoded channels.
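Because the article only says that the C&C traffic is encrypted and hex-encoded and travels over TCP port 80, a defender's first practical question is how to spot such traffic among ordinary web requests. The following is an added example, not code from Proofpoint or from the article: a small heuristic that flags request bodies which are entirely hexadecimal and whose decoded bytes have high Shannon entropy (a common sign of encrypted content). The payloads, source addresses, length threshold and entropy threshold are all constructed for illustration and are not tRat indicators.

```python
import math
import re
from collections import Counter

# Constructed sample request bodies as a proxy or IDS might log them for port-80
# traffic. These are made up for the example and are NOT real tRat payloads.
SAMPLE_PAYLOADS = [
    ("10.0.0.5", "user=alice&action=login"),                       # ordinary form post
    ("10.0.0.7", "3f9a1c0e7b2d6f8a4c1e9b0d7a2f5c3e"
                 "8b1d4f6a0c9e2b7d5f3a1c8e6b0d9f2a"),                # hex blob, high entropy
    ("10.0.0.9", "00000000000000000000000000000000"),              # hex but trivially low entropy
    ("10.0.0.11", '{"status": "ok"}'),                            # plain JSON
]

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Assumed thresholds: bodies shorter than 32 hex chars (16 bytes) are too small to
# judge, and 3.5 bits/byte is a conservative cut-off for "looks encrypted".
MIN_HEX_LEN = 32
MIN_ENTROPY = 3.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the input (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_hex_encoded(body: str) -> bool:
    """True when the whole body is hex text of even length (so it decodes to bytes)."""
    return (len(body) >= MIN_HEX_LEN
            and len(body) % 2 == 0
            and HEX_RE.match(body) is not None)


def looks_encrypted_hex(body: str, min_entropy: float = MIN_ENTROPY) -> bool:
    """Heuristic for an encrypted-then-hex-encoded channel: hex text whose
    decoded bytes are close to uniformly distributed."""
    if not is_hex_encoded(body):
        return False
    raw = bytes.fromhex(body)
    return shannon_entropy(raw) >= min_entropy


def flag_suspicious(payloads):
    """Return the source addresses whose request bodies trip the heuristic."""
    return [src for src, body in payloads if looks_encrypted_hex(body)]


if __name__ == "__main__":
    for src in flag_suspicious(SAMPLE_PAYLOADS):
        print(f"review port-80 traffic from {src}: hex-encoded high-entropy body")
```

The zero-filled hex body shows why the entropy check matters: plenty of benign protocols send hex-encoded identifiers or padding, and matching on the character set alone would flood an analyst with false positives. Tune the length and entropy thresholds against your own baseline of port-80 traffic before alerting on this.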

At the moment, the command list TA505 uses to control the RAT is not yet known; Proofpoint was able to identify only the "MODULE" command, and no information was unearthed on what extra modules this command adds to the tRat malware.

According to Proofpoint, TA505's "adoption of RATs this year mirrors a broader shift towards loaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat actors."

Furthermore, TA505's latest attacks should be quite profitable given that their October campaign is known to have targeted commercial banking institutions and the tRat malware is expected to compromise a large number of targets considering that the APT is known to operate at a massive scale.