
Trochilus RAT Threat Conducts Cyber-Espionage Attacks on Southeast Asia Systems Evading Detection

Posted: January 14, 2016

The Remote Access Trojan (RAT) known as Trochilus is being used against governments and civil society organizations located in Southeast Asia as part of a cyber-espionage campaign. What has drawn the interest and concern of security researchers is the ability of the Trochilus RAT to evade detection by antivirus applications.

Trochilus RAT performs several malicious actions once loaded on a vulnerable computer. Among them, Trochilus RAT is able to execute in memory, which makes it difficult to detect; as a result, Trochilus RAT can evade detection by most common antivirus applications. However, through its intrusions and the various clues the threat leaves behind, Trochilus RAT may be detected by antivirus programs after it has resided on a computer for a period of time.

Trochilus RAT has been found to target Myanmar government websites in order to infect unsuspecting visitors. The infection chain used to spread Trochilus RAT also utilizes the PlugX malware to access information on upcoming elections in the region. The campaign's portfolio of threats, dubbed Group 27, has been part of an ongoing effort by the perpetrators spreading Trochilus RAT.

The source code for Trochilus RAT reveals that it is linked to a GitHub profile for a user named "5loyd." Within Group 27's malware portfolio, a number of other related malware threats have carried out similar activities and may also be associated with 5loyd. The campaign's multiple RAT versions, with Trochilus RAT itself appearing in several variations, have used two different PlugX versions and several variants of other known RAT infections.

Even after Trochilus RAT was exposed by researchers and became public knowledge, the hackers behind it ignored the disclosure and continued to target the same entities throughout Myanmar via the Union Election Commission (UEC) website. Trochilus RAT was most active during the election season, October and November of 2015, and was then ousted.

As the Group 27 perpetrators made efforts to hack the source code of Trochilus RAT, many speculate that the group wanted to use the RAT's capabilities for its own malicious activities. Among the capabilities researchers have observed in the C++-coded threat are a file manager module, a remote shell, support for various communication protocols, and the ability to download, execute and upload files. The danger of such a tool in the wrong hands is nearly unfathomable, which is why such threats, especially ones that evade detection, should not be taken for granted.
