
How does the Trochilus RAT evade detection and sandboxing?

The new Trochilus RAT can avoid detection in cyberespionage attacks. Expert Nick Lewis explains how it works, and whether enterprises need to adapt their security programs.

A new remote access Trojan designed for cyberespionage called Trochilus can evade detection and security sandboxing. How does this RAT accomplish this, and is Trochilus similar to other recent malware that can evade detection? Do security programs need to adapt to the threat?

Some days it seems that new RATs are a dime a dozen, and it is very easy to tune out news about new malware. The constant barrage of warnings desensitizes ordinary users and creates a pathological, heightened state of alertness in information security professionals. Arbor Networks avoided adding to that noise in its colorfully named ASERT Threat Intelligence report, Uncovering the Seven Pointed Dagger. The impact on nongovernmental organizations in Myanmar from this malware, and from other malware investigated by the Citizen Lab, could be significant and could put individuals in real danger.

Among the malware ASERT investigated was the Trochilus RAT, which appears to be a newly developed remote access Trojan with standard RAT functionality. The Trochilus files were bundled with legitimate files, and the installer script was built with a legitimate installer so that the package would appear legitimate. Once the installer script runs, the activity stops looking legitimate: the files are encoded and loaded directly into memory. ASERT reported that Trochilus tries to evade sandbox analysis by injecting itself into services.exe and never writing the malware to disk, but the researchers were still able to extract it from memory for analysis. Once analysis was under way, they found the RAT's source code posted on GitHub, which allowed them to study the malware further. The other malware types found in the attack are a collection of custom malware and updated versions of existing malware.

The Trochilus RAT and the other malware used in the Seven Pointed Dagger attack were distributed via watering holes and spear phishing attacks. Enterprises whose information security programs already include protections against watering hole attacks, spear phishing and custom malware may need to ensure their tools are updated with the indicators of compromise from this attack, but they should already have the basics in place to detect and respond to it.
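Because Trochilus never writes its payload to disk and instead injects into services.exe, file-based indicators alone will not catch it; the telemetry that does survive is the cross-process activity itself. The following detection sketch is an added example and is not code from the article or from ASERT. It walks constructed Sysmon-style records (Event ID 8 is CreateRemoteThread, Event ID 10 is ProcessAccess; the field names follow Sysmon's naming, the log lines themselves are made up) and flags any untrusted image that creates a remote thread in, or opens an injection-capable handle to, services.exe. The trusted-source prefix and the set of protected targets are assumptions to be tuned per environment.

```python
"""Flag remote-thread creation and injection-capable handles into services.exe.

Added detection example over constructed Sysmon-style JSON lines (not real
telemetry). Event ID 8 = CreateRemoteThread, Event ID 10 = ProcessAccess.
"""
import json
from typing import Dict, Iterator, List, Optional

# Constructed sample log (one JSON object per line); paths and addresses are made up.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 8, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe", "TargetImage": "C:\\Windows\\System32\\services.exe", "StartAddress": "0x02A10000"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\services.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Users\\u\\Downloads\\update.exe", "TargetImage": "C:\\Windows\\System32\\services.exe", "GrantedAccess": "0x1F0FFF"}
{"EventID": 8, "SourceImage": "C:\\Users\\u\\tool.exe", "TargetImage": "C:\\Windows\\explorer.exe", "StartAddress": "0x00401000"}
"""

# Assumptions to tune per environment: which processes we treat as sensitive
# injection targets, and which source images we consider trusted.
PROTECTED_TARGETS = {"services.exe"}
TRUSTED_SOURCE_PREFIX = "c:\\windows\\system32\\"

# Win32 process access rights that are needed to write and execute code in
# another process. A GrantedAccess mask containing any of these is what a
# process-injection primitive must request.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_trusted_source(path: str) -> bool:
    """True if the source image lives under the assumed trusted directory."""
    return path.lower().startswith(TRUSTED_SOURCE_PREFIX)


def parse_events(text: str) -> Iterator[Dict]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def evaluate(event: Dict) -> Optional[Dict]:
    """Return an alert dict for a suspicious event, or None if benign."""
    eid = event.get("EventID")
    if eid not in (8, 10):
        return None  # only cross-process events matter here
    source = event.get("SourceImage", "")
    target = event.get("TargetImage", "")
    if basename(target) not in PROTECTED_TARGETS or is_trusted_source(source):
        return None
    if eid == 8:
        reason = "remote thread created in protected process"
    else:
        granted = int(event.get("GrantedAccess", "0"), 16)
        if not granted & INJECTION_RIGHTS:
            return None  # e.g. query-only handles are routine
        reason = "handle opened with injection-capable rights (0x%X)" % granted
    return {"event_id": eid, "source": source, "target": target, "reason": reason}


def scan(text: str) -> List[Dict]:
    """Run evaluate() over every record and collect the alerts."""
    return [alert for alert in (evaluate(e) for e in parse_events(text)) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT eid=%d %s -> %s: %s" % (
            alert["event_id"], alert["source"], alert["target"], alert["reason"]))
```

On the sample log this yields two alerts: the remote thread that setup.exe creates in services.exe, and the 0x1F0FFF handle that update.exe opens to it; csrss.exe's query-only handle and the thread injected into explorer.exe are left alone by the assumed allowlist and target set. In production the same logic belongs in the SIEM or EDR rule engine, with the trusted-source list and protected-target set maintained as data rather than hard-coded.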


This was last published in June 2016
