ThreatSTOP Blog

I Smell a (Trochilus) RAT

Written by threatstopbme | January 30, 2016

BACKGROUND

A RAT, or Remote Access Trojan, is malware that gives an attacker remote control of a victim’s machine, from which data can be stolen or corrupted. The Trochilus RAT was discovered last October by Arbor Networks when threat actors used it to infect visitors to a website in Myanmar. The threat actors compromised the Myanmar Union Election Commission’s (UEC) website around the time of the nation’s first election since 2011.

Read more here: https://wp.me/p3AjUX-u8F

MEANING OF THE NAME

Analysts traced the malware to source code published at https://github[.]com/5loyd/trochilus, known as the Trochilus RAT. In Greek mythology, Trochilus is credited with inventing the chariot; the word also means “a kind of small bird” and can refer to several types of hummingbird. A third meaning comes from architecture, where a trochilus is a concave moulding. Which meaning the developer intended is unknown.

CAPABILITIES

The Trochilus RAT is engineered to evade sandboxing and traditional signature-based malware detection. It runs in memory only, with no component written to the hard disk, so it leaves little forensic trace on the host and is difficult to detect. Sandboxing runs an unverified program in an isolated environment so that any malicious code it contains cannot harm the host; Trochilus is built to defeat that check as well, including best-in-class sandboxing products. What in-memory execution does not hide is network traffic: the RAT still has to reach its command-and-control server to receive orders and return stolen data.

With an ability to move laterally between targets, it can jeopardize an entire network.

Additional capabilities

  • Download/upload and execute
  • Remote uninstall
  • File manager

PART OF SOMETHING BIG

The Trochilus RAT is one of a cluster of seven malware families dubbed the “Seven Pointed Dagger,” operated by a sophisticated group that researchers call Group 27. Researchers describe a multi-stage attack campaign targeting Asian governments and possibly, in the future, non-government organizations as well.

ThreatSTOP ADVANTAGE

When dealing with such evasive malware, standard techniques for blocking incoming malicious traffic, such as signature-based blocking and sandboxing, can be powerless. Once a device has been compromised, the malware can be remotely controlled and can send private information home to the attackers. ThreatSTOP isolates the malware by blocking its communication channels with its command and control, so that stolen data cannot leave the network and new instructions cannot arrive.
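To make the egress-side blocking concrete, the following is an added example (not ThreatSTOP’s code or the Trochilus source) of a minimal policy check that runs outbound connection and DNS log lines against a command-and-control indicator list. The log format, the host names, and the indicators are all constructed for this example; the indicator addresses come from the RFC 5737 test networks and the domains from RFC 2606 reserved names, so none of them are real Trochilus infrastructure.

```python
"""Egress C2 blocking as a policy check over constructed log lines.

Added example, not ThreatSTOP's or the Trochilus project's code.
Indicators are placeholders (RFC 5737 test networks, RFC 2606 names).
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical indicator set standing in for a threat-intel feed.
C2_IPS = {ipaddress.ip_address("192.0.2.45")}
C2_NETS = [ipaddress.ip_network("203.0.113.0/24")]
C2_DOMAINS = {"update.example", "cdn-sync.example"}

# Constructed egress log format: one connection or DNS query per line.
# "query=-" marks a plain connection with no DNS name attached.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proto=(?P<proto>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) query=(?P<query>\S+)$"
)


@dataclass(frozen=True)
class Verdict:
    host: str
    action: str   # "block" or "allow"
    reason: str


def domain_matches(query: str) -> bool:
    """True if the queried name is a listed C2 domain or a subdomain of one.

    Normalises case and a trailing dot; the "." prefix on the suffix test
    keeps "notupdate.example" from matching "update.example".
    """
    name = query.rstrip(".").lower()
    if name == "-":
        return False
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def ip_matches(dst: str) -> bool:
    """True if the destination is a listed C2 address or inside a listed range."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return addr in C2_IPS or any(addr in net for net in C2_NETS)


def evaluate(lines):
    """Return one Verdict per parseable line; malformed lines are skipped."""
    verdicts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if ip_matches(m["dst"]):
            verdicts.append(Verdict(m["host"], "block", f"c2-ip:{m['dst']}"))
        elif domain_matches(m["query"]):
            verdicts.append(Verdict(m["host"], "block", f"c2-domain:{m['query']}"))
        else:
            verdicts.append(Verdict(m["host"], "allow", "no-match"))
    return verdicts


def blocked_hosts(verdicts):
    """Hosts that attempted at least one C2 contact: candidates for IR triage."""
    return sorted({v.host for v in verdicts if v.action == "block"})


# Constructed sample log: two infected hosts, one clean host, one junk line.
SAMPLE_LOG = [
    "2016-01-14T10:02:11Z host=ws-17 proto=tcp dst=192.0.2.45:443 query=-",
    "2016-01-14T10:02:12Z host=ws-17 proto=udp dst=10.0.0.53:53 query=a.UPDATE.example.",
    "2016-01-14T10:03:40Z host=ws-22 proto=tcp dst=203.0.113.9:8080 query=-",
    "2016-01-14T10:04:05Z host=ws-31 proto=tcp dst=198.51.100.80:443 query=-",
    "2016-01-14T10:04:06Z host=ws-31 proto=udp dst=10.0.0.53:53 query=www.example.com",
    "garbage line that the parser should ignore",
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_LOG)
    for v in results:
        print(f"{v.action:5} {v.host:6} {v.reason}")
    print("hosts to triage:", blocked_hosts(SAMPLE_LOG and results))
```

Two design points carry over to a real deployment: the DNS match is a suffix match on labels, so an attacker cannot dodge the list by prepending a subdomain, and every block verdict names the host, because on a memory-only RAT the outbound C2 attempt is often the only durable evidence that the machine is infected.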

ThreatSTOP began blocking the indicators for this campaign on January 14, 2016.