Trochilus RAT: Invading your Sandbox

Don’t you hate it when you invest a small fortune in the latest sandboxing technology to protect your network from sophisticated threats, only to find that those same threats are able to evade your shiny new sandbox? We feel you.

The recently discovered Trochilus RAT (Remote Access Trojan) is specifically engineered to evade detection by sandboxing and other more traditional signature-based malware detection techniques. Sandboxing is an advanced antimalware prevention technology that runs unknown or malicious files in a tightly controlled environment either locally or in the cloud, to observe any malicious behavior of the unknown code before allowing it to proceed to its intended target.

Many security vendors have invested heavily in sandbox technology as a cornerstone of their approach to preventing advanced threats in their customers’ networks. The ability of a threat like the Trochilus RAT to defeat even advanced technologies like sandboxing means that their customers can’t rely on prevention to keep threats out.

Impact on You

  • RATs are often the go-to tools for bad actors looking to compromise specific targets and steal data. They can perform a number of functions, including harvesting card payment data, code execution, collecting login credentials, and altering registry settings.
  • Trochilus, for example, has a file manager function and can remotely uninstall, download and execute, upload and execute and perform shellcode extension.
  • In addition to its detection-evading capabilities, the Trochilus RAT was designed to move laterally across a network to conduct espionage as part of a multi-part threat referred to as the “Seven Pointed Dagger” by the research team at Arbor Networks.
  • Although initially limited in scope to targeting governments and NGOs (Non-Governmental Organizations) in Asia, Trochilus may extend its reach into other regions and targets.
  • Once it’s installed in your network, a RAT like Trochilus can be a true ‘back door’ to your network, allowing the attacker to access confidential or regulated data. It can also give an attacker a beachhead from which to attack other systems on the network.
  • The only way to detect RATs that are designed to evade detection by preventive technologies (such as sandboxing) is through detection capabilities that can identify the behavior of the malware once it’s compromised a system.

How AlienVault Helps

The AlienVault approach focuses on detection, not prevention, because there is little an organization of any size or IT budget can do to prevent a dedicated, patient attacker from being able to penetrate its network.

The AlienVault Labs threat research team regularly updates the AlienVault Unified Security Management (USM) platform to detect the behavior of emerging threats like Trochilus on customers’ networks, and how to respond. The Labs team has already released IDS signature and correlation rule updates to the AlienVault Unified Security Management (USM) platform to detect Trochilus activity:

System Compromise, Malware RAT, Trochilus RAT

To Learn More

Current activity in AlienVault Open Threat Exchange (OTX), including related threats:https://otx.alienvault.com/pulse/56939fda67db8c057d6fbf5a/

Arbor Networks ASERT Report on the Seven Pointed Dagger: https://asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf

Kaspersky Labs Threatpost: https://threatpost.com/new-rat-trochilus-skilled-at-espionage-evading-detection/115857/

Leave a Reply