New tRat malware campaign was discovered last month (pic: Ericsphotography/Getty Images)
The active APT group known as TA505 has been observed distributing a new modular malware package called tRat. According to security researchers at Proofpoint, the malware is written in Delphi and appeared in campaigns in September and October of this year.
In a blog post, the researchers described the two campaigns. In the first, in September, hackers used malicious Microsoft Word documents with macros to download a previously undocumented RAT. The documents abused the Norton brand, with the document names and an embedded image suggesting that they were protected by a security product. This September campaign was spread by an unattributed actor.
The October campaign, which the researchers attributed to TA505, was more sophisticated.
"On 11 October, we observed another email campaign distributing tRAT, this time by TA505. This campaign was more sophisticated, using both Microsoft Word and Microsoft Publisher files and varying subject lines and senders. This campaign appeared to target users at commercial banking institutions," said researchers.
Both campaigns delivered the same tRat malware. tRat achieves persistence by copying its binary into an Adobe Flash Player folder and then creating a LNK (shortcut) file in the Startup directory that launches the binary each time the user logs on.
It uses TCP port 80 for command and control (C&C) communications; data are encrypted and transmitted hex-encoded. To generate the decryption key, tRat concatenates three strings and uppercase hex-encodes the result.
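The persistence mechanism described above (a binary dropped into a user-writable Adobe Flash Player folder, launched by a shortcut in the Startup folder) is simple to hunt for. The following PowerShell script is an added example written for this page, not code from Proofpoint or from the malware; it walks every profile's Startup folder and the all-users Startup folder, resolves each .lnk target, and flags targets that sit under an "Adobe\Flash Player" path, that are executables in a user-writable AppData tree, or that fail Authenticode validation. The exact folder fragment matched and the three heuristics are assumptions, since the page does not give the full path.

```powershell
# Added hunting example (not part of the original article). Run as an administrator
# so that every user profile's Startup folder is readable.

# Per-user Startup folders (one per profile) plus the all-users Startup folder.
$startupDirs = @()
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $startupDirs += Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
$startupDirs += Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'

# WScript.Shell resolves .lnk files to their target path and arguments.
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = $lnk.TargetPath
        $reasons = @()

        # Heuristic 1 (assumed path fragment): target lives in an Adobe\Flash Player directory.
        if ($target -match '\\Adobe\\Flash Player\\') { $reasons += 'AdobeFlashPlayerPath' }

        # Heuristic 2: an executable under a user-writable AppData tree is unusual for a
        # legitimate Startup entry and matches the drop location described above.
        if ($target -match '\\AppData\\(Roaming|Local)\\' -and $target -match '\.exe$') {
            $reasons += 'UserWritableExe'
        }

        # Heuristic 3: the target exists but is not signed by a trusted publisher.
        if ($target -and (Test-Path -LiteralPath $target)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $target
            if ($sig.Status -ne 'Valid') { $reasons += "Signature:$($sig.Status)" }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $target
                Arguments = $lnk.Arguments
                Created   = $_.CreationTimeUtc
                Reasons   = ($reasons -join ',')
            }
        }
    }
}

if (-not $findings) {
    'No suspicious Startup shortcuts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Heuristic 1 alone is enough to catch the pattern described in the article, but it is brittle: a renamed drop folder defeats it. Heuristics 2 and 3 generalise the check to any Startup shortcut that launches an unsigned executable from a location the user can write to, which is the property a defender actually cares about. Treat a hit as a lead for triage (hash the target, check its creation time against the shortcut's), not as a verdict on its own.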
"It is currently unclear whether these strings change from sample to sample. In addition to generating a key, tRat uses a 1536-byte table in the decryption process," said researchers.
They added that they were not able to determine the meaning of every element of the table, or whether it changes between samples. The malware was also observed to assign the infected host a "Bot ID", but it was unclear to the researchers how this was generated or what purpose it served.
Researchers said that the only command supported by the loader is "MODULE", which carries at least a module name and an export name.
"The module itself is encrypted similarly to the C&C communications, but appears to use different keys that are sent with the module," said researchers. "Once decrypted, the modules are loaded as a DLL and executed using the received export name."
They added that they have not observed any modules delivered by a C&C, "so we are unsure of what functionality they might add".
Because the malware is modular, its operators can add functionality to it in the future. This, according to the researchers, "mirrors a broader shift towards loaders, stealers and other malware designed to reside on devices and provide long-term returns on investment to threat actors".
Researchers said that the malware appears to be in a testing phase with TA505.
"TA505, because of the volume, frequency and sophistication of their campaigns, tends to move the needle on the email threat landscape," said researchers. "It is not unusual for the group to test new malware and never return to distributing it as they have with BackNet, Cobalt Strike, Marap, Dreamsmasher and even Bart during their ransomware campaigns."
Dr Guy Bunker, SVP of products at Clearswift, told SC Media UK that the commercialisation of malware has been around for a while, and that this is another example where you can ‘buy’ a vulnerability or exploit and then decide how you want to put the rest together.
"It might be that you choose the credential harvesting option, or perhaps it's file exfiltration or encryption (ransomware). The sophistication of attacks is such that the major attacks today are developed by professionals who then sell their wares to whoever will buy," he said.