A new remote access Trojan designed for cyberespionage called Trochilus can evade detection and security sandboxing. How does this RAT accomplish this, and is Trochilus similar to other recent malware that can evade detection? Do security programs need to adapt to the threat?
Some days it seems that new RATs are a dime a dozen, and it is easy to tune out news about yet another one. The constant barrage of warnings desensitizes normal users and leaves information security professionals in a pathological state of heightened alertness. Arbor Networks' ASERT Threat Intelligence report, colorfully named Uncovering the Seven Pointed Dagger, is not more of that noise: the impact of this malware on nongovernmental organizations in Myanmar, and of other malware investigated by the Citizen Lab, could be significant and puts individuals in real danger.
Part of the malware ASERT investigated was the Trochilus RAT, which appears to be a newly developed remote access Trojan with standard RAT functionality. The Trochilus files were bundled with legitimate files, and the installer script was built with a legitimate installer so the package looks benign. Once the installer script runs, the activity stops looking legitimate: the payload files are stored encoded and are decoded straight into memory. ASERT reported that Trochilus tries to evade sandbox analysis by injecting itself into services.exe and never writing the decoded malware to disk, but the analysts were still able to extract it from memory for analysis. Once they started analyzing Trochilus, they found its source code posted on GitHub, which let them analyze the malware further. The other malware found in the attack is a mix of custom tools and updated versions of existing malware families.
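The in-memory loading described above is exactly what memory forensics catches: a decoded payload injected into services.exe shows up as an executable region that no file on disk backs. The script below is an added example written for this page, not code from the ASERT report or from the Trochilus GitHub project. It runs a simple detection rule over constructed memory-region records (the fields mirror what a tool such as Volatility's vadinfo or malfind reports, but the PIDs, addresses, sizes and the Region layout are invented for illustration and nothing here calls Volatility) and flags regions that are executable, file-less, or carry a PE header in private memory.

```python
"""Flag fileless code injected into a process, from a memory-region listing.

Added example for this page, not code from the ASERT report or the Trochilus
project. It runs a detection rule over constructed, hypothetical memory-region
records of the kind a memory-forensics tool reports for each process.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Region:
    """One committed memory region in a process (hypothetical record layout)."""
    pid: int
    process: str
    start: int
    size: int
    protection: str             # e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str]  # backing file on disk; None for private memory
    head: bytes                 # first bytes dumped from the region


def looks_like_pe(head: bytes) -> bool:
    """True if head starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def suspicious_reasons(r: Region) -> List[str]:
    """Why a region looks like injected, never-on-disk code (empty list if clean)."""
    reasons = []
    executable = "EXECUTE" in r.protection
    if executable and r.mapped_file is None:
        reasons.append("executable region not backed by any file")
    if r.protection == "PAGE_EXECUTE_READWRITE":
        reasons.append("writable and executable (RWX) protection")
    if r.mapped_file is None and looks_like_pe(r.head):
        reasons.append("PE image sitting in private memory")
    return reasons


def find_injected_regions(regions: List[Region],
                          target_process: Optional[str] = None
                          ) -> List[Tuple[Region, List[str]]]:
    """Return (region, reasons) for every suspicious region, optionally in one process."""
    hits = []
    for r in regions:
        if target_process and r.process.lower() != target_process.lower():
            continue
        reasons = suspicious_reasons(r)
        if reasons:
            hits.append((r, reasons))
    return hits


def _fake_pe_head() -> bytes:
    """Constructed minimal DOS header + PE signature, only for this example."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed sample: PIDs, addresses and sizes are invented for illustration.
SAMPLE_REGIONS = [
    # services.exe's own image: executable, but file-backed, so not flagged.
    Region(636, "services.exe", 0x7FF7A3C00000, 0x24000, "PAGE_EXECUTE_READ",
           r"C:\Windows\System32\services.exe", _fake_pe_head()),
    # Ordinary heap: private memory, but not executable.
    Region(636, "services.exe", 0x1F0000, 0x10000, "PAGE_READWRITE", None, b"\0" * 64),
    # Decoded payload injected into services.exe: RWX, no backing file, PE header.
    Region(636, "services.exe", 0x2A40000, 0x3C000, "PAGE_EXECUTE_READWRITE", None,
           _fake_pe_head()),
    # Another process's legitimately mapped DLL: executable but file-backed.
    Region(1204, "explorer.exe", 0x7FFD1A000000, 0x1F0000, "PAGE_EXECUTE_READ",
           r"C:\Windows\System32\ntdll.dll", _fake_pe_head()),
]


if __name__ == "__main__":
    for region, reasons in find_injected_regions(SAMPLE_REGIONS, "services.exe"):
        print(f"pid {region.pid} {region.process} 0x{region.start:x} "
              f"size 0x{region.size:x}: " + "; ".join(reasons))
```

The flagged region is the one an analyst would dump and unpack, which is the step ASERT describes when it says the malware was extracted from memory despite never touching disk. The rule is deliberately coarse: private executable memory is normal in processes with JIT compilers (browsers, .NET hosts), so the process context matters, and a core system process such as services.exe having any such region at all is itself the signal.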
The Trochilus RAT and the other malware used in the Seven Pointed Dagger attack were distributed via watering holes and spear phishing. Enterprises whose information security programs already cover watering hole attacks, spear phishing and custom malware should make sure their tools are loaded with the indicators of compromise published for this campaign, but they should already have the basics in place to detect and respond to it. The one capability worth confirming is memory-based detection: a payload that is decoded in memory and injected into a system process leaves little for file-based antivirus to scan, so endpoint tooling needs to inspect process memory and not only files on disk.