Trochilus RAT

By GoldSparrow in Remote Administration Tools

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 1
First Seen: January 13, 2016
Last Seen: March 28, 2020
OS(es) Affected: Windows

The Trochilus RAT is a threatening Remote Access Trojan (RAT) that may evade many anti-virus programs. The Trochilus RAT is currently being used as part of an extended threat campaign in South East Asia. The campaign has been active since August of 2015, and the Trochilus RAT was first detected in it in the summer of 2015. The Trochilus RAT is currently being used against civil society organizations and government computers in the South East Asia region, particularly in attacks directed towards the government of Myanmar.

The Trochilus RAT Is Being Used in a Campaign Against the Myanmar Government

Multiple unwanted components are being used as part of an extended campaign against the Myanmar government that has been going on since at least August of 2015. The group responsible for these attacks is identified as 'Group 27.' This group has been using official Myanmar government Web pages to infect computer users who visit these websites with PlugX, a threatening infection classified as a RAT. These attacks take advantage of the increased number of visitors these websites are receiving because elections will be held in this nation soon. Computer users looking for information about the elections on these websites may be infected with the PlugX RAT, as well as with the Trochilus RAT and other threats that have been linked to these attacks. Although this threat campaign was made public, it has continued uninterrupted since its beginning in the summer of 2015.

The Trochilus RAT and Its Involvement in These Attacks

After taking a deeper look at the group responsible for these attacks, PC security researchers have received reports of a new RAT, identified as the Trochilus RAT. The Trochilus RAT infection is notable because it had previously gone undetected by anti-virus programs. The Trochilus RAT is one of the threats used by Group 27, which include at least six other types of threats. These threats are delivered together, in different combinations, depending on the intended target and the data to be collected.

The Trochilus RAT and the 'Seven Pointed Dagger'

The collection of threats used by Group 27 has been nicknamed the 'Seven Pointed Dagger' by PC security researchers. This collection of threats includes two versions of PlugX, two versions of the Trochilus RAT, the 3012 variant of the 9002 RAT, one version of the EvilGrab RAT, and one additional threat that has not yet been identified. Essentially, the purpose of this collection of threats is to obtain information from the affected computer and to control it remotely. The Trochilus RAT was first discovered between October and November and has been in use since then. The main infection vector that has been linked to these threats is the website of the Myanmar Union Election Commission (UEC). Computer users are advised to avoid this Web page until the Trochilus RAT and other threats have been eradicated.

Con Artists Can Acquire the Trochilus RAT Easily

The code of the Trochilus RAT is publicly available. The Trochilus RAT has reverse shell features. The Trochilus RAT is executed in memory rather than creating a file on the victim's computer, which is essentially what makes it difficult for most anti-virus programs to detect. Remote Administration Tools such as the Trochilus RAT do have some legitimate uses, but when installed by con artists they may also be used for more nefarious purposes. A look into the Trochilus RAT's code reveals a Remote Administration Tool that is efficient and easy to use, designed specifically to infect computers running the Windows operating system.
