Arbor Networks has discovered a new malware campaign targeting governmental departments and NGOs working in Myanmar.
In a new report, “Uncovering the seven pointed dagger”, Arbor Networks outlined the attack campaign and new remote access trojan (RAT) that it named Trochilus. Trochilus is either a colourful hummingbird commonly found in Jamaica or the son of Callythia and mythological inventor of the chariot.
A spokesperson from ASERT, Arbor's Security Engineering and Response Team, spoke to SCMagazineUK.com on what exactly Trochilus is capable of. “Trochilus supports a file manager type function – to allow the remote threat actor to interact with the filesystem on the compromised system, and a remote shell, to allow the execution of arbitrary commands at the discretion of threat actors.”
It doesn't stop there, though, ASERT told SC. This RAT features “the built-in capability to download and execute other programs, which could be other types of malware or other spying tools, and the inverse ability to ‘upload and execute’. It also features the capability to gather system information, which can help threat actors understand their target environment – what software is used, software versions (to look for other vulnerabilities perhaps), how the network is configured, what types of authentication are in use, etc.”
According to Arbor's report, this particular RAT targeted a number of bodies within Myanmar including the president's office, the country's Union Election Commission Office and, researchers believe, the UN Development Programme (UNDP).
But who could have carried out this kind of attack? The military government in Myanmar, known for its harsh authoritarian rule, its beating of Buddhist monks and its perpetual imprisonment of the democracy activist Aung San Suu Kyi, will have made its share of enemies, so any number of threat actors could be responsible for the multi-pronged attack.
However, Arbor believes the culprit to be ‘Group 27’, an appropriately nebulous title for a group the report merely refers to as being “driven by east Asian threat actors”. The group's fingerprints have been seen in plenty of places before, and it is believed to be behind a number of attacks on the Burmese government, including the president's office.
Palo Alto Networks, when reporting on the group's use of the 3102 Malware on media organisations in Europe and government departments in the US, made no bones about calling ‘Group 27’ a Chinese actor.
Arbor was a little more cagey about who ‘Group 27’ might really refer to. ASERT told SC that “there is not enough information available to specifically answer this question”.
However, when pressed it did admit, “some research indicates that China has a strategic interest in Myanmar from an economic standpoint and the results of the election and corresponding communication may have had a large impact on the relationship between China and Myanmar moving forward.”