A new remote access Trojan designed for cyberespionage called Trochilus can evade detection and security sandboxing.
How does this RAT accomplish this, and is Trochilus similar to other recent malware that can evade detection? Do security programs need to adapt to the threat?
Some days it seems that new RATs are a dime a dozen, and it is very easy to tune out news about new malware. The constant barrage of warnings desensitizes normal users and creates a pathological, heightened state of alertness in information security professionals. Arbor Networks did not add to that noise in its colorfully named ASERT Threat Intelligence report, "Uncovering the Seven Pointed Dagger." The impact of this malware, and of other malware investigated by the Citizen Lab, on nongovernmental organizations in Myanmar could be significant and puts individuals in real danger.
Part of the malware ASERT investigated was the Trochilus RAT, which appears to be a newly developed remote access Trojan with standard RAT functionality. The Trochilus files were bundled with legitimate files, and the installer script was built with a legitimate installer so that the package appears legitimate. Once the installer script starts, the activity stops looking legitimate: the files are decoded and loaded directly into memory. ASERT reported that Trochilus tries to evade sandbox analysis by injecting the malware into services.exe and never writing it to disk, but the researchers were still able to extract the malware from memory and analyze it. Once they started analyzing Trochilus, they found its source code posted on GitHub, which let them analyze the malware further. The other malware types found in the attack are a collection of custom malware and updated versions of existing malware.
The Trochilus RAT and the other malware used in the Seven Pointed Dagger attack were distributed via watering hole and spear phishing attacks. Enterprises whose information security programs already include protections for watering hole attacks, spear phishing and custom malware may need to ensure their tools are updated with the indicators of compromise from this attack, but they should already have the basics in place to detect and respond to it.
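The two points above that matter to a defender are the in-memory injection into services.exe and the advice that existing tooling only needs its indicators refreshed. The following added example (not code from the article, from ASERT or from the Trochilus project) shows what that detection looks like in practice: it parses a handful of constructed Sysmon-style JSON events (event ID 8, CreateRemoteThread, and event ID 1, ProcessCreate; the field names follow Sysmon's schema, the paths and process names are invented) and flags remote threads created in protected system processes such as services.exe by a source that is not on an allowlist, raising the severity when the source binary lives in a user-writable location. The allowlist and the protected-process set are assumptions a real deployment would replace with its own baseline.

```python
import json

# Constructed sample telemetry in Sysmon's JSON-line style; none of these paths or
# process names come from the report. Event 8 = CreateRemoteThread, event 1 = ProcessCreate.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\setup_bundle.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 8, "SourceImage": "C:\\Users\\user\\AppData\\Local\\Temp\\setup_bundle.exe", "TargetImage": "C:\\Windows\\System32\\services.exe", "StartFunction": ""}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\services.exe", "StartFunction": "LoadLibraryW"}
{"EventID": 8, "SourceImage": "C:\\Program Files\\EDR\\sensor.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "StartFunction": ""}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartFunction": ""}
"""

# Assumed policy: system processes whose address space legitimate software rarely touches,
# and sources that are known to create remote threads in them (build this from baselining).
PROTECTED_TARGETS = {"services.exe", "lsass.exe", "winlogon.exe"}
ALLOWED_SOURCES = {"csrss.exe", "sensor.exe"}
# Path fragments that indicate a user-writable drop location (assumed, case-insensitive).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_injections(events):
    """Return findings for CreateRemoteThread events whose target is a protected
    system process and whose source is not allowlisted. The parent of the source
    process is looked up from ProcessCreate events to give the analyst context."""
    parents = {ev["Image"].lower(): ev.get("ParentImage", "")
               for ev in events if ev.get("EventID") == 1}
    findings = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        source_path = ev["SourceImage"]
        source, target = basename(source_path), basename(ev["TargetImage"])
        if target not in PROTECTED_TARGETS or source in ALLOWED_SOURCES:
            continue
        # A remote thread into services.exe from a binary sitting in a temp or
        # public directory is far more suspicious than one from Program Files.
        from_user_writable = any(m in source_path.lower() for m in USER_WRITABLE_MARKERS)
        findings.append({
            "source": source,
            "target": target,
            "parent": parents.get(source_path.lower(), "unknown"),
            "start_function": ev.get("StartFunction", ""),
            "severity": "high" if from_user_writable else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in flag_injections(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['source']} -> {f['target']} (parent: {f['parent']})")
```

The rule deliberately keys on behaviour (a remote thread appearing inside services.exe) rather than on file hashes, because a payload that is decoded and loaded in memory never produces a file hash to match; the indicators of compromise from the report are still worth loading, but they complement this kind of rule rather than replace it.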