New remote access trojan Trochilus uncovered in Seven Pointed Dagger attack

David Bisson

Security researchers have uncovered a new remote access trojan (RAT) called Trochilus with reportedly low detection rates by anti-virus software.

Trochilus was uncovered after researchers at Arbor Networks followed a trail left by malware that was seemingly targeting the powers that be in Myanmar.

In a blog post, Arbor’s Security Engineering & Response Team (ASERT) explains that the malware was placed on Myanmar government and Myanmar-related websites seemingly as part of a “watering hole” attack designed to infect the typical visitors to such sites.

Amongst the sites found to be harbouring malicious code was the website of the Myanmar Union Election Commission.


“Following the trail of emergent threat activity, ASERT has discovered a new Remote Access Trojan (RAT) in use called the Trochilus RAT (pronounced ‘tro kil us’) that offers the usual array of RAT functionality and featured minimal or no detection from anti-malware software at the time of discovery.”

Initial analysis suggests that the Trochilus RAT is extremely rare.

In fact, in its technical report, ASERT admits that while other intelligence analysts might have come across Trochilus before, it was unable to find “any public reference to this malware being used in targeted campaigns.”


The RAT was found in a cluster of seven pieces of malware that includes PlugX, EvilGrab, an unknown piece of malware, and a 3102 variant of the 9002 RAT in the Firefox plugin. ASERT has dubbed this cluster the “Seven Pointed Dagger” for its collective ability to conduct espionage and move laterally throughout networks.

Arbor Networks attributes the Seven Pointed Dagger to a hacking gang known as Group 27. At this time, it is unclear who is behind this threat actor, but as John Leyden of The Register reports, either China or North Korea could feasibly be responsible.


Myanmar was the original target of the Seven Pointed Dagger attack. However, ASERT notes that its threat capabilities could be used to target other entities, including non-government organizations.

For a detailed analysis of ASERT’s findings, the tactics deployed and the indicators of compromise, please read the full report from Arbor Networks.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
