New tRat trojan spreads through malicious Word documents

Malware

Proofpoint researchers report that the TA505 group (the well-known operators of the Dridex banking trojan and the Locky ransomware, and responsible for many large malicious campaigns) has begun using a new modular malware called tRat, written in Delphi.

The malware was first spotted in September 2018, but at that time its distribution source could not be identified. All that was known was that tRat is delivered through malicious Word documents, which act as the downloader for it.

The researchers write that TA505 adopted tRat last month and first used it in a campaign on October 11, 2018, sending emails carrying malicious Microsoft Word and Microsoft Publisher attachments. That campaign targeted employees of commercial financial institutions.

On an infected machine, tRat installs itself by copying its binary into the AppData directory and then creating an LNK shortcut in the Startup folder, so that the binary is launched every time the user logs on.

To communicate with its command-and-control server, the malware uses TCP port 80 (the port normally used for HTTP, so the connection passes port-based egress filtering that allows web traffic); the transmitted data is encrypted and then hex-encoded. The initial request the malware sends to the remote server contains information about the infected system (computer name, username, and so on) together with a tRat bot ID. At present the loader apparently supports only one command, MODULE, which, as the name suggests, carries the name of the module to be loaded.
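The two host-side artifacts described above (a Startup LNK pointing into AppData, and an AppData-resident process holding a connection to remote port 80) are what an incident responder would hunt for first. The PowerShell triage script below is an added example, not code from Proofpoint or from the malware's authors: it assumes the shortcut is in a user's or the all-users Startup folder and resolves to a binary under an AppData path, and that the C2 session is an established TCP connection to remote port 80. The folder layout and the `Test-AppDataPath` helper are the editor's own choices, not indicators published on the page.

```powershell
# Triage for tRat-style persistence and beaconing (added example; assumptions noted above).
# Requires Windows 8 / Server 2012 or later for Get-NetTCPConnection.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Also walk every profile under C:\Users so a logged-off user's persistence is not missed.
$startupFolders += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

$shell = New-Object -ComObject WScript.Shell

function Test-AppDataPath {
    param([string]$Path)
    # Assumption: a startup link whose target sits under any AppData segment (Roaming, Local, LocalLow)
    # is worth a look; legitimate installers rarely persist this way.
    return $Path -match '\\AppData\\'
}

$suspiciousLinks = foreach ($folder in ($startupFolders | Sort-Object -Unique)) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($lnk in Get-ChildItem -Path $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $shortcut = $shell.CreateShortcut($lnk.FullName)   # resolves the LNK target without launching it
        if (Test-AppDataPath $shortcut.TargetPath) {
            [pscustomobject]@{
                Link       = $lnk.FullName
                Target     = $shortcut.TargetPath
                Arguments  = $shortcut.Arguments
                TargetHash = if (Test-Path $shortcut.TargetPath) {
                                 (Get-FileHash $shortcut.TargetPath -Algorithm SHA256).Hash
                             } else { 'target missing' }
                Created    = $lnk.CreationTime
            }
        }
    }
}

'== Startup shortcuts pointing into AppData =='
$suspiciousLinks | Format-Table -AutoSize

# Beacon check: processes whose image lives under AppData with an established connection to remote port 80.
$beaconing = Get-NetTCPConnection -State Established -RemotePort 80 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $image = $proc.Path   # null for protected/system processes; those are skipped below
        if ($image -and (Test-AppDataPath $image)) {
            [pscustomobject]@{
                PID    = $_.OwningProcess
                Image  = $image
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                Local  = "$($_.LocalAddress):$($_.LocalPort)"
            }
        }
    }

'== AppData-resident processes talking to remote port 80 =='
$beaconing | Format-Table -AutoSize
```

Run it from an elevated prompt so that other users' Startup folders and the owning-process lookup are readable. A hit in the first table gives you the dropped binary (hash it before touching it); a hit in the second gives you the C2 address to pivot on in proxy and firewall logs, bearing in mind that the traffic is raw TCP on port 80 rather than HTTP, so a proxy that only understands HTTP may have dropped or never seen it.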

Proofpoint notes that TA505 has always used sophisticated tactics and has had a hand in many large-scale campaigns, and that it has previously tested tools such as BackNet, Cobalt Strike, Marap, Dreamsmasher and Bart. After those tests ended, however, the group did not adopt any of them in its regular operations. The researchers therefore admit that the tRat trial may likewise come to nothing; on the other hand, any tool in TA505's hands could become the next Locky.
