TA505 APT Group Dispersing tRat Malware in New Spam Campaigns

The abounding APT group TA505 is carrying out spam electronic mail campaigns dispersing a new, modular malware variation called tRAT. tRAT malware is a distant accessTrojan capable of downloading extra modules. Besides adding infected users to a botnet, the danger actors have the option of vending access to various elements of the malware to other danger groups for use in different attacks.

Threat scientists at Proofpoint interrupted two separate electronic mail campaigns dispersing tRAT malware this fall, one of which was a typical spam electronic mail campaign using social engineering methods to get electronic mail receivers to open an attached Word document and allow macros. Allowing macros caused the download of the tRAT payload.

One electronic mail variation deceived AV brand Norton. The attachment contained Norton by Symantec branding and text claiming the document had been safeguarded by the AV solution. One more electronic mail variation fooled TripAdvisor and claimedthat in order to see the embedded video content, users needed to enablecontent.

The second campaign, identified on October 11, was attributed to the TA505 threat group. This campaign was more stylish, used a blend of Word Documents and Microsoft Publisher files, and targeted commercial banking organizations. Many different electronic mail templates were used, and the electronic mails came from many electronic mail accounts. Subjects included bogus bills and reports of call notifications. TA505, in the same way, used macros to download the tRAT payload.

tRAT attains perseverance by copying the binary to C:\Users\<user>\AppData\Roaming\Adobe\FlashPlayer\Services\FrameHost\fhost.exe and generating an LNK file to run the binary on startup.

At this phase, Proofpoint is still studying tRAT and the complete functionality of the malware is not yet known. Neither are the intentions of the attackers nor the additional modules that may be downloaded. Proofpoint has proposed that tRAT is presently being trialed by the TA505 APT group based on the scale of the campaign. TA505 is best recognized for carrying out large-scale campaigns –such as mass Locky ransomware attacks in 2016 and 2017 and large-scale spam campaigns distributing the Dridex banking Trojan.TheTA505 danger group has been known to carry out tests of new malware variations, some of which are adopted while others are discarded. Whether TA505 will continue with tRAT remains to be seen, even though this new malware definitely does havethe capacity to become the main danger.