Proofpoint: Hackers testing new reconnaissance malware on financial institutions

Proofpoint suggests that tRat is part of a trend of malware becoming more modular in order to provide attackers with more value in the long haul.

Hackers appear to be testing a new strain of malicious software in phishing emails sent to commercial banks and other targets, researchers from the security vendor Proofpoint said in a report published Thursday.

The malware, dubbed tRat, employs modular capabilities, meaning it infiltrates a target for reconnaissance purposes and maintains the ability to download malicious payloads in the future. Proofpoint says tRat is being used by a group known as TA505, and another unidentified threat actor that used tRat as recently as October. Researchers say they haven’t observed the remote access trojan (RAT) being used to download any other malware to victims’ systems, so purpose of this campaign remains unclear.

“[W]e can only speculate on what the eventual capabilities of the RAT may be,” Chris Dawson, threat intelligence lead at Proofpoint, told CyberScoop in an email.

Proofpoint describes TA505 as a financially motivated threat group that has been involved in distributing well-known hacking tools like the Locky ransomware and the Dridex banking trojan.


Like other phishing campaigns, tRat makes malicious files appear legitimate, emblazoning them with company logos belonging to TripAdvisor or Symantec, for example. In the instances that Proofpoint linked to TA505, the attempts were more targeted. The campaign was aimed at commercial banking institutions with subject lines referencing fictitious invoices, reports or call notifications.

It’s possible TA505 is just testing the tRat tool. Proofpoint says it has observed the group using malware like Marap and other reconnaissance hacking tools for a brief period before abandoning them. However, in some cases, the group adopts other malware, like Locky or FlawedAmmyy, long-term after similar testing periods, Proofpoint says.

“While the size of this campaign suggests that it may be a test, TA505 remains a well-established financially motivated actor,” Dawson said.

Proofpoint suggested tRat is the latest in a trend of malware becoming more modular in order to provide attackers with more long-term value, and TA505 might be influential in that regard.

“TA505, because of the volume, frequency, and sophistication of their campaigns, tends to move the needle on the email threat landscape,” Proofpoint says. “Moreover, their adoption of RATs this year mirrors a broader shift towards loaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat actors.”

Latest Podcasts