TA505 Cybercrime Group Experimenting with a New RAT In The Wild
Apparently, the notorious cybercrime community named TA505 is very active again, this time they are heavily testing in the wild the effectiveness of a new variant of a remote access trojan. The tRAT Trojan has been linked as the malicious payload of phishing attacks that happened between September and October 2018. Prior to this experiment with tRAT, the TA505 group was last seen actively spreading malformed Publisher and Word files as part of their malicious email attack last Oct 11, 2018. Using a phishing technique where the user is persuaded to open an official-looking report under the Publisher or Word format. Simply opening the file triggers a script that phones home to a command and control server to download the rest of the malware.
“’This campaign appeared to target users at commercial banking institutions. In this campaign, messages bearing malicious Microsoft Publisher documents purported to be from ‘Invoicing’, with various sending addresses. Example subject lines were ‘Invoice [random digits] – [random digits]’ and had attachments with names such as ‘inv-399503-03948.pub’. Alternatively, the emails with malicious Microsoft Word attachments appeared to be from ‘Vanessa Brito’ with various actual sending addresses. Attachments were named ‘Report.doc’ in these messages, with example subject lines such as ‘Call Notification – [random digits] – [random digits],” explained Proofpoint in their official blog.
The attached Word or Publisher files have built-in macros; the Office VBA macros for decades has been known as an effective programming language for malware development. Due to the persistence of the use of Macros, Microsoft has made every new version of office less friendly for executing them. But this time around, the hackers were able to use phishing techniques to persuade the user to open the attachment using clever convincing messages in the email.
“Most of tRat’s important strings are stored encrypted and hex-encoded. A Python script is available [1] on our Github that can be used to decrypt its strings. tRat uses TCP port 80 for command and control (C&C) communications; data are encrypted and transmitted hex-encoded. To generate the decryption key, tRat concatenates three strings and the result is uppercase hex-encoded. s of this writing, we were not able to ascertain the meaning of all elements of the table or determine if it changes. However, we were able to determine that decryption involves XORing various values from the table with the encrypted data. Currently, we have not observed any modules delivered by a C&C, so we are unsure of what functionality they might add. TA505, because of the volume, frequency, and sophistication of their campaigns, tends to move the needle on the email threat landscape. It is not unusual for the group to test new malware and never return to distributing it as they have with BackNet, Cobalt Strike, Marap, Dreamsmasher, and even Bart during their ransomware campaigns,” concluded Proofpoint.
It is highly recommended that system admins must remain vigilant about the email traffic the network receives. A questionable email coming from unrecognized domains must be blocked by the installed antispam solution, as tRAT being a trojan horse cannot propagate itself to the network, but rather require an actual real legitimate user opens it from an innocent-looking email. Anti-malware should always be checked to make sure that its on-access real-time scanner is enabled, this will help block the RAT from performing any write operations to the disk.