The prolific APT group TA505 is conducting spam email campaigns spreading a new, modular malware variant named tRAT. tRAT malware is a remote access Trojan capable of downloading additional modules. In addition to adding infected users to a botnet, the threat actors have the option of selling access to different elements of the malware to other threat groups for use in different attacks.
Threat researchers at Proofpoint intercepted two separate email campaigns spreading tRAT malware this fall, one of which was a standard spam email campaign using social engineering techniques to get email recipients to open an attached Word document and enable macros. Enabling macros triggered the download of the tRAT payload.
One email variant spoofed AV brand Norton. The attachment included Norton by Symantec branding and text claiming the document had been secured by the AV solution. Another email variant spoofed TripAdvisor and claimed that in order to view the embedded video content, users needed to enable content.
The second campaign, identified on October 11, was attributed to the TA505 threat group. This campaign was more sophisticated, used a combination of Word Documents and Microsoft Publisher files, and targeted commercial banking institutions. Many different email templates were used, and the emails came from multiple email accounts. Themes included fake invoices and reports of call notifications. TA505 similarly used macros to download the tRAT payload.
tRAT achieves persistence by copying its binary to C:\Users\<user>\AppData\Roaming\Adobe\Flash Player\Services\Frame Host\fhost.exe and creating a LNK file that runs the binary at startup.
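The persistence artefacts above are concrete enough to hunt for. The following PowerShell function is an added example, not code from the article or from Proofpoint: it walks every local user profile, flags the fhost.exe path named above, and resolves each shortcut in the per-user and all-users Startup folders to see whether its target is that binary. The file path comes from the article; the function name, the assumption that the LNK lives in one of the two Startup folders (the article does not say where it is placed), and the output format are my own.

```powershell
# Added example (not from the article): hunt for the tRAT persistence artefacts
# described above on a Windows host. The fhost.exe path is from the article; the
# function name and the choice of Startup folders to scan are assumptions.
function Find-TRatPersistence {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()
    $relativeBinary = 'AppData\Roaming\Adobe\Flash Player\Services\Frame Host\fhost.exe'
    $shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

    # Startup folders that run shortcuts at logon: one per user profile plus the all-users one.
    $startupFolders = [System.Collections.Generic.List[string]]::new()
    $startupFolders.Add('C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp')

    # Check every local profile, not just the current user's.
    $profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        $binary = Join-Path $p.FullName $relativeBinary
        if (Test-Path -LiteralPath $binary) {
            $hash = (Get-FileHash -LiteralPath $binary -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{
                Type = 'Binary'; Path = $binary; Target = $null; Sha256 = $hash
            })
        }
        $startupFolders.Add((Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'))
    }

    # Resolve each .lnk and flag any whose target is the fhost.exe binary.
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($lnk in Get-ChildItem -Path $folder -Filter '*.lnk' -ErrorAction SilentlyContinue) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            if ($target -match 'Frame Host\\fhost\.exe$') {
                $findings.Add([pscustomobject]@{
                    Type = 'StartupLnk'; Path = $lnk.FullName; Target = $target; Sha256 = $null
                })
            }
        }
    }

    return $findings
}

# Usage: run from an elevated prompt so every profile is readable.
Find-TRatPersistence | Format-Table -AutoSize
```

The binary's SHA256 is included in the output so a hit can be compared against threat-intelligence feeds; an empty result means neither the file nor a Startup shortcut pointing at it was found, which does not rule out other persistence methods tRAT's downloadable modules might add.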
At this stage, Proofpoint is still analyzing tRAT and the full functionality of the malware is not yet known. Neither are the motives of the attackers nor the additional modules that may be downloaded. Based on the scale of the campaign, Proofpoint has suggested that TA505 is currently trialing tRAT. TA505 is best known for conducting large-scale campaigns, such as the mass Locky ransomware attacks in 2016 and 2017 and the large-scale spam campaigns distributing the Dridex banking Trojan.
The TA505 threat group has been known to conduct tests of new malware variants, some of which are adopted while others are dropped. Whether TA505 will persist with tRAT remains to be seen, although this new malware certainly does have potential to become a major threat.