TA505 APT Group Dispersing tRat Malware in New Fraud Campaigns

November 22, 2018


The abounding APT group TA505 is carrying out fraud electronic mail campaigns dispersing a new, modular malware variation called tRAT. tRAT malware is a distant access Trojan capable of downloading extra modules. Besides adding infected users to a botnet, the danger actors have the option of vending access to various elements of the malware to other danger groups for use in different attacks.

Threat scientists at Proofpoint interrupted two separate electronic mail campaigns dispersing tRAT malware this fall, one of which was a typical fraud electronic mail campaign using social engineering methods to get electronic mail receivers to open an attached Word document and allow macros. Allowing macros caused the download of the tRAT payload.

One electronic mail variation deceived AV brand Norton. The attachment contained Norton by Symantec branding and text declaring the document had been safeguarded by the AV solution. One more electronic mail variation fooled TripAdvisor and claimed that in order to see the embedded video content, users needed to enable content.

The second campaign, recognized on October 11, was attributed to the TA505 threat group. This campaign was more stylish, used a blend of Word Documents and Microsoft Publisher files, and targeted commercial banking organizations. Many different electronic mail templates were used, and the electronic mails came from many electronic mail accounts. Subjects included bogus bills and reports of call notifications. TA505, in the same way, used macros to download the tRAT payload.

tRAT attains perseverance by copying the binary to C:\Users\<user>\AppData\Roaming\Adobe\Flash Player\Services\Frame Host\fhost.exe and generating an LNK file to run the binary on startup.

At this phase, Proofpoint is still studying tRAT and the complete functionality of the malware is not yet known. Neither are the intentions of the attackers nor the additional modules that may be downloaded. Proofpoint has proposed that tRAT is presently being trialed by the TA505 APT group based on the scale of the campaign. TA505 is best recognized for carrying out large-scale campaigns – such as mass Locky ransomware attacks in 2016 and 2017 and large-scale fraud campaigns distributing the Dridex banking Trojan.

The TA505 danger group has been known to carry out tests of new malware variations, some of which are adopted while others are discarded. Whether TA505 will continue with tRAT remains to be seen, even though this new malware definitely does have the capacity to become the main danger.