Security researchers have uncovered a new remote access trojan (RAT) called Trochilus with reportedly low detection rates by anti-virus software.
Trochilus was uncovered after researchers at Arbor Networks followed a trail left by malware that was seemingly targeting the-powers-that-be in Myanmar.
In a blog post, Arbor’s Security Engineering & Response Team (ASERT) explains that the malware was placed on Myanmar government and Myanmar-related websites seemingly as part of a “watering hole” attack designed to infect the typical visitors to such sites.
Amongst the sites found to be harbouring malicious code was the website of the Myanmar Union Election Commission.
“Following the trail of emergent threat activity, ASERT has discovered a new Remote Access Trojan (RAT) in use called the Trochilus RAT (pronounced ‘tro kil us’) that offers the usual array of RAT functionality and featured minimal or no detection from anti-malware software at the time of discovery.”
Initial analysis suggests that the TrochilusRAT is extremely rare.
In fact, in its technical report, ASERT admits that while other intelligence analysts might have come across Trochilus before, it was unable to find “any public reference to this malware being used in targeted campaigns.”
The RAT was found in a cluster of seven malware that includes PlugX, EvilGrab, an unknown malware, and a 3102 variant of the 9002 RAT in the Firefox plugin. ASERT has dubbed this cluster the “Seven Pointed Dagger” for its collective ability to conduct espionage and move laterally throughout networks.
Arbor Networks attributes the Seven Pointed Dagger to a hacking gang known as Group 27. At this time, it is unclear who is behind this threat actor, but as John Leyden of The Register reports, either China or North Korea could feasibly be responsible.
Myanmar was the original target of the Seven Pointed Dagger attack. However, ASERT notes that its threat capabilities could be used to target other entities, including non-government organizations.
For a detailed analysis of ASERT’s findings, the tactics deployed and details of indications of commpromise, please read the full report from Arbor Networks.