November 20, 2018 By David Bisson

Researchers spotted the TA505 threat group spreading a previously undocumented remote access Trojan (RAT) called tRat.

In the fall of 2018, Proofpoint observed two email campaigns used to deliver tRat, a new modular RAT written in Delphi. Researchers spotted the first on Sept. 27. For that operation, unknown attackers abused the Norton antivirus brand to trick users into enabling content for malicious Microsoft Word documents.

The researchers detected the second campaign on Oct. 11. In that attack, a well-known threat actor group known as TA505 sent out emails with either malicious Microsoft Publisher documents or Microsoft Word attachments with different subject lines and senders. These emails specifically targeted customers of commercial banking institutions.

TA505 and the Growth of Remote Access Trojans

This isn’t the first time TA505, a financially motivated actor known for shifting with the times, has employed RATs to target users. In March and April, Proofpoint observed that the group began launching campaigns designed to infect users with the FlawedAmmyy RAT using the Quant Loader malware. These attacks involving FlawedAmmyy continued through June.

Interestingly, TA505 isn’t the only group that’s shown increased interest in FlawedAmmyy. Check Point researchers discovered several campaigns distributing the threat through the summer and early fall. This activity helped make FlawedAmmyy the first remote access Trojan to ever earn a spot on the security firm’s “Most Wanted Malware” list in October 2018.

How to Defend Against tRat

Security professionals can help their organizations defend against remote access Trojans like tRat by using tools such as the VBA editor and oledump.py to analyze the macro code in suspect Microsoft Office documents. They should also investigate the static properties of potentially malicious documents by looking up the file hashes in a public malware sandbox.
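As an added example (not from the article or from Proofpoint's research), the following Python script performs the first triage step described above: it hashes a suspect Office document for sandbox lookup and checks whether an OOXML package carries a VBA project, flagging legacy OLE2 files (.doc/.pub) for stream-level analysis with a tool like oledump.py. The sample documents are constructed in memory, and the helper names are this example's own.

```python
import hashlib
import io
import zipfile

# Compound File Binary (OLE2) magic used by legacy .doc/.pub/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Paths of the VBA macro container inside OOXML packages (Word, Excel, PowerPoint).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

def triage_office_document(data: bytes) -> dict:
    """Classify an Office file by container and flag an embedded VBA project.
    Legacy OLE2 files (.doc/.pub) are flagged for stream-level analysis,
    which needs an OLE parser such as oledump.py."""
    result = {
        "sha256": hashlib.sha256(data).hexdigest(),  # for sandbox/TI lookup
        "container": "unknown",
        "has_vba_project": False,
        "needs_ole_stream_analysis": False,
    }
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        result["needs_ole_stream_analysis"] = True
        return result
    if data.startswith(b"PK\x03\x04"):  # OOXML is a ZIP package
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as pkg:
                names = set(pkg.namelist())
        except zipfile.BadZipFile:
            return result
        result["container"] = "ooxml"
        result["has_vba_project"] = any(p in names for p in VBA_PARTS)
    return result

def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("macro-enabled docx", build_sample_docx(True)),
                        ("clean docx", build_sample_docx(False)),
                        ("legacy OLE2 doc", OLE_MAGIC + b"\x00" * 64)):
        print(label, triage_office_document(blob))
```

A hit on has_vba_project or needs_ole_stream_analysis is the cue to pull the macro source (for example with oledump.py) and submit the SHA-256 to a sandbox, not proof of malice by itself.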

Sources: Proofpoint, Proofpoint(1), Check Point
