Threat actor TA505 is responsible for the latest email spam campaign that is spreading the tRAT malware. The claim has been made by security company Proofpoint. The malware is being spread via several email campaigns. Some of these use emails that appear to come from well-known companies such as Norton or TripAdvisor. Others pretend to be invoices, receipts, messages or even reports from companies.
All of the email attachments are either a Microsoft Word or Microsoft Publisher file. When the user clicks on the file it opens a window and asks the user to allow macros. Once enabled, the macros download the tRAT malware to the infected computer.
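The delivery chain described above (Office attachment, macro prompt, macro downloads the payload) is one a mail gateway can screen for before the user ever sees the prompt. The following Python is an added example and not code from Proofpoint or from this article; it flags OOXML attachments that carry a VBA project (the `vbaProject.bin` part or its content type) regardless of the file extension, and marks legacy OLE formats such as .doc and .pub for manual review because parsing those needs a library like olefile, which is out of scope here. The sample packages it builds are constructed in memory and are not real malware.

```python
import io
import os
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0"          # legacy compound-file header (.doc, .pub)
MACRO_PART_NAMES = {"vbaproject.bin", "vbadata.xml"}
RISKY_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".pptm", ".doc", ".pub"}


def build_sample(with_macros: bool) -> bytes:
    """Constructed test fixture: a minimal OOXML package with or without a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        override = (
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
            if with_macros else ""
        )
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            + override + "</Types>",
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Stand-in for the OLE stream a real macro-enabled document embeds.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def attachment_has_macros(data: bytes) -> bool:
    """True if an OOXML (zip-based) attachment contains a VBA project.

    Checks both the part name and the declared content type, so renaming
    a .docm to .docx does not hide the macro project.
    """
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
            if any(n.rsplit("/", 1)[-1] in MACRO_PART_NAMES for n in names):
                return True
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            return "vnd.ms-office.vbaproject" in content_types.lower()
    except (zipfile.BadZipFile, KeyError):
        return False


def triage(filename: str, data: bytes) -> str:
    """Classify one attachment for gateway policy.

    'macros' : VBA project found, quarantine
    'review' : legacy OLE container or macro-capable extension this
               stdlib-only check cannot inspect, hold for analysis
    'clean'  : no macro indicators found
    """
    ext = os.path.splitext(filename.lower())[1]
    if attachment_has_macros(data):
        return "macros"
    if ext in RISKY_EXTENSIONS or data.startswith(OLE_MAGIC):
        return "review"
    return "clean"


if __name__ == "__main__":
    # Constructed inputs mimicking the lures described in the article.
    for name, blob in [
        ("Invoice_2018.docx", build_sample(with_macros=True)),   # renamed .docm
        ("Receipt.docx", build_sample(with_macros=False)),
        ("Report.pub", OLE_MAGIC + b"\x00" * 32),                 # Publisher, OLE
    ]:
        print(f"{name}: {triage(name, blob)}")
```

A gateway would typically quarantine `macros`, sandbox `review`, and pass `clean`; the content-based check matters because the extension alone is under the sender's control.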
What does tRAT do?
The Proofpoint analysis highlights several of the tRAT features. Two of these are:
- Bot ID: Each machine is enrolled into a specific bot. At the moment, Proofpoint has not said how many different bot IDs it has spotted. It is possible that each email campaign is creating its own botnet. Alternatively, botnets could be country, machine or operating system specific.
- Modular Malware: TA505 can send new modules down to the infected machines. This allows TA505 to sell access to different blocks of machines to launch different attacks.
The analysis also shows that Proofpoint has yet to fully understand tRAT. It admits that it doesn't yet know how certain features work. It has also yet to determine what the full set of commands is or what other modules TA505 is planning.
Who is TA505?
TA505 is a threat actor that was first identified back in 2014. Since then it has participated in a number of cyber-attacks. These range from the distribution of banking malware to ransomware. It uses large spam email campaigns to distribute its malware. These are spread through the use of botnets such as Necurs.
Proofpoint has a detailed page that lists all the campaigns that TA505 has been involved in and the malware it has spread.
What does this mean?
This is the second malware campaign that Proofpoint has attributed to TA505 in three months. In September it said that TA505 was using a new modular downloader malware called Marap. This was aimed at countries such as Russia and Ukraine. These new downloaders also carry out surveillance on the targets. This allows TA505 to decide what malware would be most effective.
Proofpoint suggests that this latest set of email campaigns spreading tRAT is just a test. TA505 will be monitoring the effective infection rate of the malware. If it is high enough, it may then drop a more complex payload. Given that Proofpoint admits it has more work to do in order to understand tRAT, this gives TA505 a small window in which to act before any effective detection solution is in place.
It is also worth noting that this announcement comes just a few days before Black Friday and Cyber Monday. Users are being bombarded with sales emails from retailers. It is reasonable to assume that a percentage of those are fake and contain malware. Users need to be aware of the risks and not open attachments in emails that they are not expecting.