Trochilus RAT Discovered in Multi-Pronged Government Attack

A multi-pronged attack campaign involving various government websites and non-governmental organizations in Asia has been uncovered. At its heart is the recently-discovered remote access trojan (RAT) named ‘Trochilus.’

According to Arbor Networks, the campaign is believed to be driven by East Asian threat actors, and represents the first instance of the Trochilus RAT observed by Arbor’s Security Engineering & Response Team (ASERT) on the global internet.

In 2015, Arbor Networks and other research organizations discovered that the PlugX and EvilGrab malware families were targeting government websites in Asia, using watering-hole methods involving websites operated by the government of Myanmar and associated with recent elections. After delivering initial findings to the regional Computer Emergency Response Teams (CERTs), additional malware was subsequently discovered and removed from related sites—and some of the samples turned out to be from the Trochilus RAT family.

Altogether, Arbor uncovered a seven-piece malware cluster, rather wonderfully dubbed the “Seven Pointed Dagger,” which offers threat actors a variety of capabilities, including espionage and the means to move laterally within target networks in order to achieve more strategic access. Trochilus is part of the panoply.

“Following the trail of emergent threat activity, ASERT has discovered…the Trochilus RAT (pronounced “tro kil us”) that offers the usual array of RAT functionality and featured minimal or no detection from anti-malware software at the time of discovery,” Arbor researchers noted in an ASERT Threat Intelligence Report. “Trochilus appears to be somewhat rare so far, however it has been clustered with other malware used by Group 27 to include PlugX, the 9002 RAT (3102 variant), EvilGrab and others.”

Threat actors with strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years, the firm pointed out—but this campaign is notable for the fact that it is using so many layers and types of malware to achieve its objectives (presumably, information exfiltration). Evidence also suggests that the perpetrators are casting a wide net.

“The presence of new malware after the initial notification process from Arbor indicates an ongoing campaign and suggests persistent, resourceful actors are involved,” researchers said. They added, “While activity involving Myanmar was the initial entryway into analysis of this threat campaign, additional analysis suggests that the campaign extends further.”
