Pierluigi Paganini November 16, 2018

The threat actor TA505 behind many Dridex and Locky campaigns have been using a new Remote Access Trojan (RAT) dubbed tRat.

Researchers at Proofpoint warns that the threat actor TA505 have been using a new Remote Access Trojan (RAT) dubbed tRat that implements a modular structure that was written in Delphi.

The TA505 operates on a large scale, it was behind other major campaigns leveraging the Necurs botnet to deliver other malware, including the Locky ransomware, the Jaff ransomware, and the Dridex banking Trojan.

The new strain of malware was first discovered at the end of September when it was distributed through weaponized Word documents that download the RAT.

Attackers used documents that abused the Norton brand, subject lines on the messages reinforced the social engineering, stating “I have securely shared file(s) with you.”

At the time of the discovery, the experts did not attribute it to a specific threat actor, but in October researchers found evidence of use made by TA505.

“More recently, the group has been distributing a variety of remote access Trojans (RATs), among other information gathering, loading, and reconnaissance tools, including a previously undescribed malware we have dubbed tRat.” reads the analysis published by Proofpoint.

“tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of this year (one of them by TA505). “

Researchers noticed it was involved in a spam campaign on October 11, attackers used both Microsoft Word and Microsoft Publisher files for spread the malicious code.

Hackers used the tRat malware to target users at commercial banking institutions.

The RAT gain persistence by copying the binary to a directory in the AppData folder, then it creates an LNK file in the Startup directory to make the binary get executed everytime the system restarts.

The tRat malware connects to the C2 through the TCP port 80, the connection is encrypted and data is transmitted in hex-encoded.

Once infected the system, the RAT sends to C2 the system information including computer name, system username, and tRat bot ID.

tRat could receive a module by performing the following sequence of actions:

• Send “[GET_MODULE]”
• If “[WAIT_FOR_AUTH_INF]” is received, send AUTH_INF data
• If “[WAIT_FOR_MODULE_NAME]” is received, send module name
• The response could be one of the following:
  • “[ERR_MODULE_NOT_FOUND]”
  • “[ACCESS_DENIED]”
  • Module length
• If module length is received, send a “[READY]”
• Receive module
• The module itself is encrypted similarly to the C&C communications, but appears to use different keys that are sent with the module
• Once decrypted, the modules are loaded as a DLL and executed using the received export name

At the time of writing, the researchers have not yet observed any modules delivered by a C2.

“TA505, because of the volume, frequency, and sophistication of their campaigns, tends to move the needle on the email threat landscape.”

“However, we observe these new strains carefully as they have also adopted new malware like Locky or less widely distributed malware like FlawedAmmyy at scale following similar tests. Moreover, their adoption of RATs this year mirrors a broader shift towards loaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat actors,” Proofpoint concludes.

Additional details such as IoCs are included in the report published by Proofpoint.

Pierluigi Paganini

(Security Affairs – TA505, tRat)

[adrotate banner=”5″]

[adrotate banner=”13″]