Threat Management, Malware, Phishing

Change of stRATegy? Cybercrime group TA505 tests new tRAT malware

A newly discovered remote access trojan nicknamed tRAT has apparently attracted the interest of TA505, a cybercriminal group known for launching prolific banking malware and ransomware attacks.

In a company blog post yesterday, researchers at Proofpoint reported observing  several phishing campaigns in September and October that attempted to infect victims with the malware. One of these attacks was linked to TA505, which is most frequently affiliated with Dridex and Locky malware operations.

The TA505 campaign, which Proofpoint uncovered on Oct. 11, largely targeted customers of commercial banks, attempting to infect them via emails with attached Microsoft Word and Publisher files. Some emailed claimed to be from an invoicing department, while others reported to be from an individual named Vanessa Brito. The attachments were typically disguised as invoices or reports.

The attackers would attempt to trick people into enabling malicious macros within the attached documents, thereby downloading the RAT. Proofpoint describes tRAT is a Python-based modular malware that communicates with its C2 server via TCP port 80 (typically used for HTTP). The campaign's end game remains somewhat of a mystery, as researchers have not yet been able to specifically observe any of tRAT's modular payloads or ascertain their functionality.

"TA505, because of the volume, frequency, and sophistication of their campaigns, tends to move the needle on the email threat landscape," Proofpoint explained in the blog post. "It is not unusual for the group to test new malware and never return to distributing it... However, we observe these new strains carefully, as they have also adopted new malware like Locky or less widely distributed malware like FlawedAmmyy at scale following similar tests."

The Proofpoint post also noted that the RAT campaign is in keeping with a "broader shift towards loaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat actors."

Prior to TA505's operation, a less sophisticated tRAT campaign from a different actor was observed on Sept. 27. This scan also used Word documents with malicious macros, but in this case the emails impersonated Symantec's Norton security brand, using subject lines like "I have securely shared file(s) with you." A second wave of spam emails from the same actor on Sept. 29 reportedly used a TripAdvisor lure instead.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds