A multi-stage attack campaign targeting Asian governments and (perhaps) non-governmental organisations has been uncovered.

The threat campaign involves a newly-discovered Remote Access Trojan (RAT) dubbed Trochilus by security researchers at Arbor Networks.

Trochilus (pronounced “tro kil us”) is part of a seven-piece malware cluster that offer hackers a variety of capabilities, including hacking deeper into compromised networks as well as snooping on confidential data.

The trail that led to the discovery of Trochilus began last year after Arbor Networks and other security research organisations discovered the PlugX and EvilGrab malware strains targeting government websites in Asia and most particularly Myanmar, as a blog post by Arbor (extract below).

Additional malware – including Trochilus – was subsequently discovered and removed from related sites in a continuation of the same campaign.

In late 2015, ASERT began investigations into a Strategic Web Compromise (aka “Watering Hole”) involving websites operated by the government of Myanmar and associated with recent elections. All indicators suggest that the compromises were performed by an actor group known to collaborators at Cisco’s Talos Group as “Group 27”. These initial findings – focused around the PlugX malware – suggested that Special Economic Zones (SEZs) in Myanmar were of interest. Following the trail of emergent threat activity, ASERT has discovered a new Remote Access Trojan (RAT) in use called the Trochilus RAT (pronounced “tro kil us”) that offers the usual array of RAT functionality and featured minimal or no detection from anti-malware software at the time of discovery. Trochilus appears to be somewhat rare so far, however it has been clustered with other malware used by Group 27 to include PlugX, the 9002 RAT (3102 variant), EvilGrab and others. A cluster of seven malware samples was discovered and has been named the “Seven Pointed Dagger” as a convenient reference. These seven packaged malware offer threat actors a variety of capabilities including the means to engage in espionage and the ability to move laterally within target networks in order to achieve more strategic access.

Arbor reckons Trochilus is being “driven by East Asian threat actors”, likely a reference to the Chinese government and military. North Korea also has (somewhat underrated) cyber-espionage capabilities but the range of targets in play is a better match for Chinese interests.

Myanmar was the patient zero of the malware analysis but follow-up work suggests a far greater range of targets, including NGOs, is also in the firing line. ®