TA505 APT group found delivering new tRAT malware in multiple new campaigns

  • TA505 is a highly active threat group that has previously distributed Dridex, Locky, and other malware variants.
  • tRAT is a modular malware, written in Delphi, that is currently being used in a reconnaissance campaign targeting financial institutions.

A new modular malware called tRAT has been discovered recently. The reconnaissance malware is being leveraged by the APT group TA505. tRAT is currently being used to target financial institutions and is being distributed via phishing campaigns.

So far, security researchers at Proofpoint have uncovered two campaigns - one that began in September and another that was launched in October. Researchers believe that TA505 may merely be testing tRAT to determine its effectiveness. The hacker group has previously been observed testing other reconnaissance malware, such as Marap and FlawedAmmyy, before abandoning them.

TA505’s history

TA505 has been active for quite a few years. In 2014, the threat group pushed out hundreds of Dridex campaigns. Between 2016 and 2017, TA505 launched massive Locky campaigns that were responsible for distributing millions of malicious emails.

“TA505, because of the volume, frequency, and sophistication of their campaigns, tends to move the needle on the email threat landscape,” Proofpoint researchers said. “It is not unusual for the group to test new malware and never return to distributing it as they have with BackNet, Cobalt Strike, Marap, Dreamsmasher, and even Bart during their ransomware campaigns.”

“Moreover, their adoption of RATs this year mirrors a broader shift towards loaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat actors.”

Cyware Publisher