OPENHUNTING.IO
Openhunting Threat Library

    Trochilus RAT
    (Type: Reconnaissance, Backdoor, Info stealer, Downloader)

    Although the RAT was designed to execute in memory (and thus evade detection by AV software), ASERT researchers obtained the RAT's source code and connected it to the GitHub profile of a user named 5loyd. On the GitHub page, the RAT is advertised as a fast and free Windows remote administration tool. Other details include:
      • Written in C++;
      • Supports various communication protocols;
      • Has a file manager module, a remote shell and a non-UAC mode;
      • Able to uninstall itself;
      • Able to upload information from remote machines;
      • Able to download and execute files.
    Researchers believe that 5loyd is not part of Group 27. More likely, the user's profile was hijacked by the group and used for its own purposes.

    [News Analysis] Trends:

    Total Trend: 13

    Trend Per Year (year: mentions)
    2015: 1
    2017: 3
    2019: 1
    2020: 4
    2021: 1
    2022: 3


    Trend Per Month (month: mentions)
    Aug 2015: 1
    Apr 2017: 2
    Nov 2017: 1
    Feb 2019: 1
    2020 (month not given): 1
    Feb 2020: 1
    Jun 2020: 2
    Jan 2021: 1
    Apr 2022: 1
    Sep 2022: 2



    [News Analysis] News Mention Another Threat Name:

    5 - 9002 RAT12 - Ghost RAT21 - Trochilus RAT7 - MimiKatz18 - PlugX13 - Quasar RAT4 - ShadowPad9 - reptile9 - oRAT9 - AsyncRAT10 - Cobalt Strike9 - DCRat9 - Earth Berberoka4 - Poison Ivy3 - APT312 - BBSRAT4 - HyperBro2 - HURRICANE PANDA4 - RedLeaves4 - ChChes4 - EvilGrab4 - APT9


    [TTP Analysis] Technique Performance:

    Tactic: techniques observed / techniques in tactic
    Reconnaissance: 0/43
    Resource Development: 0/45
    Initial Access: 0/19
    Execution: 1/36
    Persistence: 1/113
    Privilege Escalation: 1/96
    Defense Evasion: 0/184
    Credential Access: 0/63
    Discovery: 0/44
    Lateral Movement: 0/22
    Collection: 0/37
    Command and Control: 0/39
    Exfiltration: 0/18
    Impact: 0/26


    [TTP Analysis] Mitre Attack Matrix:

    Tactics: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

    Mapped techniques:
    T1053.002 Scheduled Task/Job: At (listed under Execution, Persistence and Privilege Escalation)


    [Infrastructure Analysis] Based on Related IOC:

    IP:Port Timestamp
    Domain Timestamp
    URL Timestamp


    [Target Analysis] Region/Sector:



    References:


    News Article (Credit @Malpedia)

    Webworm: Espionage Attackers Testing and Using Older Modified RATs

    2022-09-15 by Threat Hunter Team from Symantec

    New Wave of Espionage Activity Targets Asian Governments

    2022-09-13 by Threat Hunter Team from Symantec

    Operation Gambling Puppet

    2022-04-27 by Daniel Lunghi from Trendmicro

    Cracking a Soft Cell is Harder Than You Think

    2021-01-15 by Markus Neis from Swisscom

    BRONZE VINEWOOD Targets Supply Chains

    2020-06-24 by Counter Threat Unit Research Team from

    How to perform long term monitoring of careless threat actors

    2020-06-03 by Daniel Lunghi from Trend Micro

    Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations

    2020-02-18 by Daniel Lunghi from Trend Micro

    BRONZE VINEWOOD

    2020 by SecureWorks from Secureworks

    APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign

    2019-02-06 by Insikt Group from Recorded Future

    Trochilus

    2017-11-03 by 5loyd from Github (5loyd)

    RedLeaves - Malware Based on Open Source RAT

    2017-04-03 by Shusei Tomonaga from JPCERT/CC

    Operation Cloud Hopper: Technical Annex

    2017-04 by PricewaterhouseCoopers from PricewaterhouseCoopers

    Uncovering the Seven Pointed Dagger

    2015-08 by ASERT Team from Arbor Networks

    Basic Information (Credit @etda.or.th)

    Tool: Trochilus RAT

    Names: Trochilus RAT

    Category: Malware

    Type: Reconnaissance, Backdoor, Info stealer, Downloader

    Information: https://sensorstechforum.com/trochilus-plugx-rats-in-targeted-attacks-on-governments/

    Information: https://github.com/5loyd/trochilus/

    Information: https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/

    Information: https://github.com/m0n0ph1/malware-1/tree/master/Trochilus

    Information: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

    Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat

    Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:Trochilus

    Last-card-change: 2020-05-14

    Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

    TTP Info (Credit @Mitre)

    Tactics: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

    Mapped techniques:
    T1053.002 Scheduled Task/Job: At (listed under Execution, Persistence and Privilege Escalation)
    at can be used to schedule a task on a system to be executed at a specific date or time.

    Copyright © 2023. Openhunting.io - Threat Library