Arbor Networks has identified a new Remote Access Trojan (RAT), dubbed Trochilus, that has proven to be basically invisible to anti-malware software and possibly used for espionage purposes.
Although still quite new in the wild, Arbor believes the malware comes from a cybergang identified as Group 27 by Cisco's Talos Group, Arbor wrote in its ASERT (Arbor Security Engineering & Response Team) blog. Trochilus has the same basic capabilities as other RAT malware: the ability to place a backdoor into a system, enabling a threat actor to enter the system with administrative control. It is delivered through a spearphishing attack.
“Trochilus appears to be somewhat rare so far; however, it has been clustered with other malware used by Group 27 to include PlugX, the 9002 RAT (3102 variant), EvilGrab and others,” ASERT wrote, adding that it can also move laterally inside a victim system in order to spread and increase its impact.
That last capability makes it particularly useful as a strategic asset for espionage purposes, the report stated.
Arbor was able to latch onto Trochilus by examining seven sets of malware discovered on websites ranging from the Myanmar Union Election Commission to one belonging to a Taiwanese medical organization.