New types of RATs, or remote access Trojans, are appearing more frequently than ever. Such Trojans are typically employed in targeted attacks against companies, organizations and governments. One of the latest RATs, discovered by Arbor Networks' Security Engineering & Response Team (ASERT), has been used in malicious campaigns in South-East Asia. A similar RAT was previously detected in an attack against the government of Myanmar. The hacking team behind those attacks has been identified by Cisco's Talos Group as Group 27.
How was the attack carried out?
Watering hole attacks were performed on the government's official websites. As a result, users visiting the pages for information on the upcoming elections were infected with PlugX, a well-known RAT used in multiple attacks throughout 2015.
Disclosure of the attacks against Myanmar's government hasn't stopped Group 27. According to the latest reports by Arbor's ASERT, a new remote access Trojan associated with the group's activities has been deployed. At the time of analysis the new RAT remained undetected by most antivirus vendors, which suggests that this piece of cyber-espionage malware is reasonably sophisticated, or at least new enough that no signatures existed for it yet. It has been dubbed Trochilus.
What is specific about Trochilus?
The toolkit behind Group 27's latest RAT activity includes a total of six malware strains, combined in different variations according to the data the attackers are after.
ASERT experts named the whole collection of malware the Seven Pointed Dagger. It includes:
- Two Trochilus RAT versions;
- The 3012 variant of the 9002 RAT;
- An EvilGrab RAT version;
- One unknown piece of malware yet to be identified.
Security analysts believe that Group 27 didn't care much that its initial cyber-espionage campaign had been detected. Moreover, the group continued infecting victims via the very same entry point, the Myanmar Election Commission website.
Trochilus RAT source code uploaded on GitHub
Although the RAT is designed to execute in the memory of the machine (which lets it evade file-based AV scanning, though not necessarily behavioral or memory-based detection), ASERT researchers obtained the RAT's source code and connected it to the GitHub profile of a user named 5loyd.
On the GitHub page, the RAT has been advertised as a fast and free Windows remote administration tool. Other details include:
- Written in C++;
- Supports various communication protocols;
- Has a file manager module, a remote shell, a non-UAC mode;
- Able to uninstall itself;
- Able to upload information from remote machines;
- Able to download and execute files.
Researchers believe that 5loyd is not part of Group 27. More likely, the group simply took the publicly posted code and used it for its own purposes.
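The in-memory execution mentioned above is the reason file-based AV scanning misses this class of RAT: nothing on disk matches, so detection has to look at process memory instead. The following is an added example, not code from the original article or from ASERT, and it is not based on any Trochilus-specific indicator. It shows the generic heuristic a memory-forensics tool applies: walk a process's memory regions, and in any executable region that is not backed by a file on disk, look for a PE image header (an "MZ" stub whose e_lfanew points at a valid "PE\0\0" signature and a plausible COFF header). The memory regions, module paths and PE headers below are all constructed inline for the example; the region format is a hypothetical simplification of what a real API such as VirtualQueryEx would return.

```python
import struct

# IMAGE_FILE_HEADER.Machine values we accept (x86, x64, ARMv7, ARM64)
KNOWN_MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def build_fake_pe(e_lfanew=0x80, machine=0x8664, sections=3, dll=False):
    """Constructed sample: a minimal DOS header + PE signature + COFF header.
    This is hand-assembled test data for the example, not a real malware sample."""
    dos = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew))  # e_lfanew at 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))                                # pad up to NT headers
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)                       # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0xF0, chars)
    return bytes(dos) + b"PE\x00\x00" + coff


def _check_pe_at(region, pos):
    """Validate that an 'MZ' at pos is the start of a plausible PE image."""
    if pos + 64 > len(region):
        return None
    e_lfanew = struct.unpack_from("<I", region, pos + 0x3C)[0]
    # e_lfanew must land past the DOS header, stay small, and leave room for sig + COFF
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pos + e_lfanew + 24 > len(region):
        return None
    nt = pos + e_lfanew
    if region[nt:nt + 4] != b"PE\x00\x00":
        return None
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", region, nt + 4)
    if machine not in KNOWN_MACHINES or nsections == 0 or nsections > 96:
        return None
    return {"machine": KNOWN_MACHINES[machine], "sections": nsections,
            "dll": bool(chars & IMAGE_FILE_DLL), "optional_header_size": opt_size}


def find_pe_images(region, base=0):
    """Return every plausible PE header found in a memory buffer, with its address."""
    hits = []
    pos = region.find(b"MZ")
    while pos != -1:
        hdr = _check_pe_at(region, pos)
        if hdr:
            hdr["address"] = base + pos
            hits.append(hdr)
        pos = region.find(b"MZ", pos + 1)
    return hits


def triage_regions(regions):
    """Flag PE images living in executable memory with no file behind them.
    Each region is a dict: base, protect ('rwx' style), mapped_path (None if private), data."""
    findings = []
    for r in regions:
        if "x" not in r["protect"]:          # only executable memory can host a running module
            continue
        for pe in find_pe_images(r["data"], r["base"]):
            pe["backing"] = r["mapped_path"] or "<none>"
            pe["suspicious"] = r["mapped_path"] is None   # image present in memory, absent on disk
            findings.append(pe)
    return findings


def sample_regions():
    """Constructed process memory map: one legitimate file-backed image, one
    private RWX region holding a PE with no backing file, one non-executable region."""
    return [
        {"base": 0x7FF700000000, "protect": "r-x",
         "mapped_path": r"C:\Windows\System32\kernel32.dll",
         "data": build_fake_pe(0x80, 0x8664, 6)},
        {"base": 0x1A2B0000, "protect": "rwx", "mapped_path": None,
         "data": b"\x00" * 0x200 + build_fake_pe(0xF8, 0x014C, 4, dll=True) + b"\x00" * 0x100},
        {"base": 0x20000000, "protect": "rw-", "mapped_path": None, "data": b"MZ" * 40},
    ]


if __name__ == "__main__":
    for f in triage_regions(sample_regions()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['address']:#018x} {f['machine']:<5} dll={f['dll']!s:<5} backing={f['backing']} {flag}")
```

Only the private RWX region is reported as suspicious; the same header in a file-backed image is normal. The heuristic is deliberately narrow: a loader that wipes or relocates the MZ/PE headers after mapping the image, as some in-memory RAT loaders do, defeats it, so in practice it is combined with checks for executable private memory that contains code at all, and with the behavioral telemetry the paragraph above alludes to.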