
tRat

Posted: November 23, 2018

TRat is a Remote Access Trojan, or RAT, that grants threat actors remote access to the infected PC. TRat contacts a C&C server over a static port and accepts additional instructions, including loading modules for other attacks. Keep your anti-malware programs updated to remove tRat securely, and be cautious when interacting with potential infection vectors, such as e-mail attachments.

The Next Big Banking Problem

The threat-actor group that has deployed large-scale campaigns for threats like AMMYY Admin, the Globe Imposter Ransomware, and Dridex is moving on to another means of assaulting the banking sector, although it is not the only group using this Trojan. TRat offers the features expected of any backdoor Trojan or RAT, along with modular capabilities for a flexible, long-term payload. Although more than one set of criminals is using tRat, both campaigns, for now, share common ground: abusing macro-laden Word documents to deliver it.

TRat is a Delphi-based threat, and only one of its fall campaigns targets banks. Malware experts can, however, trace the infection strategy of both series of attacks to spam e-mails, with slightly different disguises depending on the target, such as fake Norton security documentation, TripAdvisor videos or workplace memos. All variants use macros embedded in Publisher or Word documents, which the victim must enable manually, to trigger the drive-by download that installs tRat.

TRat uses port 80 to contact its Command & Control server and await further instructions. From that point, a remote attacker may access the PC to collect data, drop more threats with different feature sets, or modify the system in other ways, such as disabling security features or deleting backups. Malware analysts' confirmation that tRat supports modules makes it harder to outline all the implications of an infection, since this compartmentalized design allows each module to carry out a different attack.

When a RAT Infestation Shouldn't Get Out of Hand

With tRat in active deployment from more than one source, malware researchers can't rule out infection strategies other than those noted earlier in this article, such as exploit kits or brute-force attacks. The recurring use of an e-mail attachment for infection is, however, consistent enough that all employees with network access on their work machines should prepare for it. Updated Microsoft Office programs will not run the embedded macros automatically, and most security products should identify the attachment as a threat.
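Because the delivery vehicle described above is a macro-bearing Office document, a mail gateway or help desk can triage attachments by content rather than by file extension. The following script is an added example written for this article, not code from the article or from any vendor: it opens an attachment as an Office Open XML container and reports whether it carries a VBA project part (`vbaProject.bin`). The sample attachments it triages are constructed in a temporary directory with placeholder bytes. Legacy `.doc` and Publisher `.pub` files are OLE2 compound files rather than zip containers, so this check reports them as `not-ooxml`; an OLE-aware parser such as `olevba` from the oletools project is needed for those.

```python
import os
import tempfile
import zipfile

# Part name that marks an embedded VBA project inside an Office Open XML file
# (Word .docm/.dotm, Excel .xlsm and PowerPoint .pptm all use the same marker).
VBA_MARKER = "vbaproject.bin"


def classify_attachment(path):
    """Coarse triage of one attachment by container content, not extension.

    Returns one of:
      'macro'     - Office Open XML file carrying an embedded VBA project
      'clean'     - Office Open XML file with no VBA project part
      'not-ooxml' - not a zip container; legacy .doc/.pub (OLE2) land here and
                    need an OLE parser such as oletools' olevba instead
    """
    if not zipfile.is_zipfile(path):
        return "not-ooxml"
    with zipfile.ZipFile(path) as zf:
        names = [n.lower() for n in zf.namelist()]
    # The VBA project is normally stored at word/vbaProject.bin; matching the
    # file name anywhere in the archive also covers Excel/PowerPoint layouts.
    if any(n.endswith(VBA_MARKER) for n in names):
        return "macro"
    return "clean"


def build_sample_document(path, with_macro):
    """Constructed helper: write a minimal OOXML-style zip for the demo."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes; a real VBA project is an OLE2 stream.
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)


def demo():
    """Build three constructed attachments and triage each; returns {name: verdict}."""
    workdir = tempfile.mkdtemp()
    memo = os.path.join(workdir, "workplace_memo.docm")
    build_sample_document(memo, with_macro=True)
    report = os.path.join(workdir, "quarterly_report.docx")
    build_sample_document(report, with_macro=False)
    legacy = os.path.join(workdir, "old_style.doc")
    with open(legacy, "wb") as fh:
        # Constructed stub: only the OLE2 magic bytes, so it is not a zip.
        fh.write(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return {os.path.basename(p): classify_attachment(p)
            for p in (memo, report, legacy)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it directly to see the three verdicts; in practice `classify_attachment` would be called on each attachment a gateway extracts, and a `macro` verdict is the signal to quarantine or hold the message for review rather than rely on the recipient declining to enable content.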

Besides the network activity that tRat generates over the port noted above, users may identify a persistent tRat infection by the 'bfhost.lnk' shortcut that it adds to the Windows Startup folder. As with other backdoor-capable threats, malware experts advise keeping the PC isolated from other systems and disabling its network connections until it is disinfected. Most reputable anti-malware products should remove tRat safely.
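The Startup-folder artifact named above is something a defender can check for directly. The script below is an added example, not the article's or any vendor's tooling: it resolves the two standard Windows Startup folders (the per-user one under `%APPDATA%` and the all-users one under `%ProgramData%`) and lists any file whose name matches `bfhost.lnk`, case-insensitively. The `demo()` function builds a constructed pair of fake profile trees in a temporary directory and plants a placeholder shortcut in one of them, so the example runs on any platform; on a real Windows host you would call `find_startup_artifacts(startup_dirs())` and treat a hit as a trigger for isolation and a full anti-malware scan.

```python
import os
import tempfile
from pathlib import Path

# Persistence artifact the article attributes to tRat.
ARTIFACT_NAME = "bfhost.lnk"

# The two Windows Startup folders, as (environment variable, relative path).
STARTUP_LOCATIONS = (
    ("APPDATA", "Microsoft/Windows/Start Menu/Programs/Startup"),      # current user
    ("ProgramData", "Microsoft/Windows/Start Menu/Programs/StartUp"),  # all users
)


def startup_dirs(env=None):
    """Resolve the Startup folders from an environment mapping (os.environ by default)."""
    env = os.environ if env is None else env
    dirs = []
    for var, rel in STARTUP_LOCATIONS:
        base = env.get(var)
        if base:
            dirs.append(Path(base) / rel)
    return dirs


def find_startup_artifacts(dirs, names=(ARTIFACT_NAME,)):
    """Return the full path of every entry in `dirs` whose name is in `names`.

    Matching is case-insensitive because NTFS file names are.
    Missing folders are skipped silently: a profile without a Startup
    folder is normal, not an indicator.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for entry in d.iterdir():
            if entry.name.lower() in wanted:
                hits.append(str(entry))
    return hits


def demo():
    """Constructed scenario: fake APPDATA/ProgramData trees, one of which
    carries the shortcut under a different letter case. Returns the hits."""
    root = Path(tempfile.mkdtemp())
    fake_env = {"APPDATA": str(root / "user"), "ProgramData": str(root / "all")}
    user_startup, all_startup = startup_dirs(fake_env)
    user_startup.mkdir(parents=True)
    all_startup.mkdir(parents=True)
    # Benign file in the all-users folder: must not be reported.
    (all_startup / "desktop.ini").write_text("[.ShellClassInfo]\n")
    # Placeholder shortcut in the per-user folder; bytes are the Shell Link
    # header magic only, not a real shortcut.
    (user_startup / "BFHOST.lnk").write_bytes(b"L\x00\x00\x00")
    return find_startup_artifacts(startup_dirs(fake_env))


if __name__ == "__main__":
    for hit in demo():
        print("startup artifact found:", hit)
```

A single file-name match is an indicator, not proof: confirm it by inspecting the shortcut's target and the process it launches before concluding the host is infected, and remember that a renamed shortcut would evade a name-only check, which is why the network-side observation from the article remains a useful second signal.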

TRat isn't poorly designed or low-budget, but even a high-level threat like a professional Remote Access Trojan requires an entry point into your computer. Employee training and a healthy level of suspicion about unusual downloads can protect both the PC you're working from and the entirety of an economically indispensable industry.
