Researchers spotted the TA505 threat group spreading a previously undocumented remote access Trojan (RAT) called tRaT.

In the fall of 2018, Proofpoint observed two email campaigns used to deliver tRat, a new modular RAT written in Delphi. Researchers spotted the first on Sept. 27. For that operation, unknown attackers abused the Norton antivirus brand to trick users into enabling content for malicious Microsoft Word documents.

The researchers detected the second campaign on Oct. 11. In that attack, a well-known threat actor group known as TA505 sent out emails with either malicious Microsoft Publisher documents or Microsoft Word attachments with different subject lines and senders. These emails specifically targeted customers of commercial banking institutions.

TA505 and the Growth of Remote Access Trojans

This isn’t the first time TA505, a financially motivated actor known for shifting with the times, has employed RATs to target users. In March and April, Proofpoint observed that the group began launching campaigns designed to infect users with the FlawedAmmyy RAT using the Quant Loader malware. These attacks involving FlawedAmmyy continued through June.

Interestingly, TA505 isn’t the only group that’s shown increased interest in FlawedAmmyy. Check Point researchers discovered several campaigns distributing the threat through the summer and early fall. This activity helped make FlawedAmmyy the first remote access Trojan to ever earn a spot on the security firm’s “Most Wanted Malware” list in October 2018.

How to Defend Against tRat

Security professionals can help their organizations defend against remote access Trojans like tRat by using tools such as VBA editor and oledump.py to analyze the macro code in suspect Microsoft Office documents. They should also investigate the static properties of potentially malicious documents by looking up the file hashes in a public malware sandbox.

Sources: Proofpoint, Proofpoint(1), Check Point