A new remote access Trojan designed for cyberespionage called Trochilus can evade detection and security sandboxing.
How does this RAT accomplish this, and is Trochilus similar to other recent malware that can evade detection? Do security programs need to adapt to the threat?
Some days it seems that new RATs are a dime a dozen, and it is very easy to tune out news about new malware. The constant barrage of warnings desensitizes normal users and creates a pathological heightened state of alertness in information security professionals. Arbor Networks didn't try to do this in its colorfully named ASERT Threat Intelligence report, Uncovering the Seven Pointed Dagger. The impact on nongovernmental organizations in Myanmar from this malware, and other malware investigated by the Citizen Lab, could be significant and puts individuals in real danger.
Part of the malware ASERT investigated was the Trochilus RAT, which appears to be a newly developed remote access Trojan with standard RAT functionality. The Trochilus files were bundled with legitimate files and the installer script was built with a legitimate installer to make the malware appear legitimate. Once the installer script starts, the activities stop appearing legitimate, since the files are encoded and loaded into memory. ASERT reported Trochilus tries to evade sandbox analysis by injecting the malware into services.exe and never writing the malware to disk, but they were still able to extract the malware from memory to analyze. Once they started to analyze Trochilus, they were able to find the source code posted on GitHub to further analyze the malware. The other malware types found in the attack are a collection of custom malware and updated versions of existing malware.
The Trochilus RAT and other malware used in the Seven Pointed Dagger attack were distributed via watering holes and spear phishing attacks. Standard enterprises that already include protections for watering hole attacks, spear phishing and custom malware in their information security programs may need to ensure their tools are updated with the indicators of compromise from this attack, but they should already have the basics in place to detect and respond to this attack.
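The two behaviours the answer singles out, a remote thread created in services.exe by an untrusted process and code that never touches disk, are exactly what endpoint telemetry can be checked for. The following is an added example, not code from the ASERT report or from the Trochilus source on GitHub: a small Python scanner over constructed Sysmon-style Event ID 8 (CreateRemoteThread) records. The field names (SourceImage, TargetImage, StartModule, StartFunction) follow Sysmon's real schema; the sample values, the PROTECTED_TARGETS set and the TRUSTED_SOURCES allowlist are assumptions for illustration and would need tuning to a real environment.

```python
import json
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed Sysmon-style Event ID 8 (CreateRemoteThread) records, one JSON
# object per line. Field names match Sysmon; the values are made up here.
# In Sysmon, an empty StartModule means the new thread's start address is not
# inside any module loaded from disk, i.e. the code lives only in memory.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 8,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\services.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"EventID": 8,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe",
     "TargetImage": r"C:\Windows\System32\services.exe",
     "StartModule": "",
     "StartFunction": ""},
    {"EventID": 8,
     "SourceImage": r"C:\Program Files\Vendor\updater.exe",
     "TargetImage": r"C:\Program Files\Vendor\agent.exe",
     "StartModule": r"C:\Program Files\Vendor\agent.dll",
     "StartFunction": "Worker"},
])

# System processes that injected code commonly hides in; services.exe is the
# one the ASERT report names for Trochilus. Assumed list, extend as needed.
PROTECTED_TARGETS = {"services.exe", "lsass.exe", "winlogon.exe"}

# Images allowed to create remote threads in protected processes. This is an
# assumed, illustrative allowlist; tune it from a baseline of your own hosts.
TRUSTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


@dataclass
class Finding:
    source: str
    target: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the two detection rules to one CreateRemoteThread record."""
    if event.get("EventID") != 8:
        return None
    source = event.get("SourceImage", "")
    target = event.get("TargetImage", "")
    reasons = []

    # Rule A: remote thread into a protected system process from an image
    # that is not on the allowlist.
    if _basename(target) in PROTECTED_TARGETS and source.lower() not in TRUSTED_SOURCES:
        reasons.append(
            f"remote thread into protected process {_basename(target)} from untrusted image")

    # Rule B: thread starts in memory that no on-disk module backs, the
    # signature of code that was decoded and loaded without being written out.
    if not event.get("StartModule"):
        reasons.append("thread start address not backed by a module on disk (memory-only code)")

    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return Finding(source, target, severity, reasons)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-lines event records and collect findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = evaluate(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.source} -> {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Only the second constructed record triggers both rules, so it is reported as high; the csrss.exe thread into services.exe is allowlisted, and the vendor updater's thread is backed by a DLL on disk and targets a non-protected process. The point of scoring the two rules together is that either one alone produces noise on a busy host, while their combination is what the answer describes.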