tRat Emerges as New Pet for APT Group TA505

silversurfer
A new modular malware written in Delphi dubbed tRat has scurried into the spotlight, after making its debut in large spam campaigns this fall.

The remote-access trojan has yet to show all of its cards to researchers, and seems to be in a testing phase, but the fact that well-known APT group TA505 is the one using it makes it bear watching, according to researchers.

Proofpoint researchers first spotted tRat being used in a pair of spam campaigns launched in September and October. The first campaign trod the well-worn path of using Microsoft Word documents with malicious macros to download the payload, while the social engineering involved the Norton brand, with messages claiming to scan and secure the attached documents. A second campaign was, however, more complex, according to Proofpoint, and carried out by TA505.

“On October 11, we observed another email campaign distributing tRAT, this time by TA505,” they said in a posting on Thursday. “This campaign was more sophisticated, using both Microsoft Word and Microsoft Publisher files, and varying subject lines and senders. This campaign appeared to target users at commercial banking institutions… purporting to be from ‘Invoicing,’ with various sending addresses.”

In all cases, the attachments contained macros that, when enabled, downloaded tRat.

The remote access trojan is notable in that it achieves persistence by copying the binary to an Adobe Flash Player folder; then, it creates a LNK file in the Startup directory that executes the malware on startup.

It then uses TCP port 80 for command and control (C2) communications, with all data encrypted and transmitted hex-encoded. Most interestingly, however, Proofpoint said that the only supported command in the loader for now is the straightforwardly named “MODULE,” which can be used to send the malware additional pieces of code. To receive a module, tRat has a sequence of actions that it must follow.
 
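The persistence and C2 traits described above translate into a few endpoint detection checks. The script below is an added example (not from the article, Proofpoint or the poster): it runs three indicator rules over constructed telemetry lines in a hypothetical `kind|process|detail` format, flagging an Office process writing an executable under an Adobe Flash Player folder, a LNK file landing in a Startup directory, and a port-80 connection whose body is pure hex rather than HTTP.

```python
import re

# Constructed sample telemetry (not from Proofpoint's report). Each line is
# "kind|process|detail", the shape a hypothetical endpoint collector might emit.
# The hex body is the ASCII string "MODULE" with a trailing NUL, chosen only to
# mimic the described hex-encoded transport; the real wire format is not public here.
SAMPLE_EVENTS = """\
file_create|WINWORD.EXE|C:\\Users\\a\\AppData\\Local\\Adobe\\Flash Player\\flash.exe
file_create|flash.exe|C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\flash.lnk
net_connect|flash.exe|dst=203.0.113.5:80 body=4d4f44554c4500
file_create|EXCEL.EXE|C:\\Users\\a\\Documents\\q3.xlsx
net_connect|chrome.exe|dst=198.51.100.7:80 body=GET / HTTP/1.1
""".splitlines()

OFFICE_PROCESSES = {"WINWORD.EXE", "MSPUB.EXE"}  # Word and Publisher, the lures in the article
STARTUP_DIR = "\\start menu\\programs\\startup\\"  # per-user Startup folder path fragment
FLASH_DIR = "\\adobe\\flash player\\"              # folder tRat copies its binary into
HEX_BODY = re.compile(r"^(?:[0-9a-f]{2})+$", re.I)  # whole body is even-length hex


def check_event(line):
    """Return the name of the matching tRat-style indicator, or None."""
    kind, process, detail = line.split("|", 2)
    low = detail.lower()
    if kind == "file_create":
        if process.upper() in OFFICE_PROCESSES and FLASH_DIR in low and low.endswith(".exe"):
            return "office_drops_exe_in_flash_player_dir"
        if STARTUP_DIR in low and low.endswith(".lnk"):
            return "lnk_written_to_startup"
    elif kind == "net_connect":
        m = re.search(r"dst=\S+:(\d+) body=(\S*)", detail)
        # Port 80 normally carries HTTP text; a purely hex body there is anomalous.
        if m and m.group(1) == "80" and HEX_BODY.match(m.group(2)) and len(m.group(2)) >= 8:
            return "hex_encoded_body_on_port_80"
    return None


def scan(lines):
    """Run every telemetry line through the indicators and collect (rule, process) hits."""
    hits = []
    for line in lines:
        name = check_event(line)
        if name:
            hits.append((name, line.split("|")[1]))
    return hits


if __name__ == "__main__":
    for rule, proc in scan(SAMPLE_EVENTS):
        print(f"{rule}: {proc}")
```

Each rule alone is noisy (legitimate installers also write to Startup), so in practice they are correlated on the same process chain within a short window.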
