A newly discovered remote access trojan nicknamed tRAT has apparently attracted the interest of TA505, a cybercriminal group known for launching prolific banking malware and ransomware attacks.

In a company blog post yesterday, researchers at Proofpoint reported observing  several phishing campaigns in September and October that attempted to infect victims with the malware. One of these attacks was linked to TA505, which is most frequently affiliated with Dridex and Locky malware operations.

The TA505 campaign, which Proofpoint uncovered on Oct. 11, largely targeted customers of commercial banks, attempting to infect them via emails with attached Microsoft Word and Publisher files. Some emailed claimed to be from an invoicing department, while others reported to be from an individual named Vanessa Brito. The attachments were typically disguised as invoices or reports.

The attackers would attempt to trick people into enabling malicious macros within the attached documents, thereby downloading the RAT. Proofpoint describes tRAT is a Python-based modular malware that communicates with its C2 server via TCP port 80 (typically used for HTTP). The campaign’s end game remains somewhat of a mystery, as researchers have not yet been able to specifically observe any of tRAT’s modular payloads or ascertain their functionality.

“TA505, because of the volume, frequency, and sophistication of their campaigns, tends to move the needle on the email threat landscape,” Proofpoint explained in the blog post. “It is not unusual for the group to test new malware and never return to distributing it… However, we observe these new strains carefully, as they have also adopted new malware like Locky or less widely distributed malware like FlawedAmmyy at scale following similar tests.”

The Proofpoint post also noted that the RAT campaign is in keeping with a “broader shift towards loaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat actors.”

Prior to TA505’s operation, a less sophisticated tRAT campaign from a different actor was observed on Sept. 27. This scan also used Word documents with malicious macros, but in this case the emails impersonated Symantec’s Norton security brand, using subject lines like “I have securely shared file(s) with you.” A second wave of spam emails from the same actor on Sept. 29 reportedly used a TripAdvisor lure instead.