New Modular tRAT In Email Campaigns

New Modular tRAT

Now that digital world is rapidly growing, it’s becoming more difficult to escape from multiple cyber threats that are dangerous and can exploit any type of data.

These threats have a taken a leap forward and are affecting day-to-day life of many cyber security experts and of course other Internet associated profiles as well.

Talking about cyber threats, recently, one more threat has been reported by researchers at Proofpoint. This threat is said to be distributed by TA505, a group of threat actors responsible for Dridex campaigns in 2014 and Locky campaigns in 2016 & 2017. These campaigns were used to deliver tons of malicious messages through various gateways.

According to researchers at Proofpoint, the same group of actors are behind tRAT. It stands for several remote access trojans (RATs). The group is actively spreading this malware along with gathering other personal and confidential information. The malware is written in Delphi.

In September this year, reporters detected an email campaign, where infected Microsoft Word documents use macros to recover previous version of RAT installed in system. These documents display a Norton brand saying that your system is protected by security software.

tRAT In Email Campaigns
Image Source: proofpoint

 

Also Read :  FlawedAmmyy Remote Access Trojan Distributed via Phishing Emails Taking Control of Computer

As soon as the document is furthermore explored, a security warning saying, ‘Macros have been disabled.’ is prompted on user’s screen, where it asks users to enable macros. As user enables content, tRAT is installed on system.

Same campaign was executed on the name of travel brand TripAdvisor. This way malicious actors use stolen branding and social engineering to fool users and to enable macros.

Then later in October this year, Proofpoint analyzed one more campaign spreading tRAT. This time it was the same active actors TA505. This update was more complicated when compared to September one.

This time it has Microsoft Word and Microsoft Publisher files, with several subjects and list of senders. The targeted audience this time was commercial and banking institutions.

As stated by Proofpoint, this campaign has subject lines such as “Invoice (sic) [random digits] – [random digits]”. And consisted of attachments namely “inv-399503-03948.pub”. Other malicious Microsoft Word attachments were from sender ‘Vanessa Brito’, with multiple sending addresses. Every case mentioned display a security warning for enabling macros, and once enabled, it installs tRAT on system.

tRAT In Email Campaigns
Image Source: proofpoint

How tRAT Works?

There are multiple steps that tRAT performs to take control of the system, which are as follows:

1. First, tRAT copies the code to location:

C:\Users\<user>\AppData\Roaming\Adobe\Flash Player\Services\Frame Host\fhost.exe

2. After which, it generates LNK file in Startup system files, which runs the code on booting up the system.

C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bfhost.lnk

3. Later, it uses TCP for C&C communications, where encrypted data is transmitted to server hosted by malicious actors. The sample of encrypted strings:

  • “Fx@%gJ_2oK”
  • “AC8FFF33D07229BF84E7A429CADC33BFEAE7AC4A87AE33ACEAAC8192A68C55A6”
  • “&LmcF#7R2m”

So, this was all folks! This was all about tRAT and its working. It is always better to take precaution than care, so it is highly recommended to keep Windows Defender and firewall enabled. You can also use some security software for the purpose. Stay safe and secure, because at last it’s our data which gets exploited.

Must Read :  Top 10 Cloud Security Threats

If you found this helpful, please let us know. You can also drop your feedback in the comment section below.