Uncovering the Seven Pointed Dagger
The full report “Uncovering the Seven Pointed Dagger: Discovery of the Trochilus RAT and Other Targeted Threats” can be downloaded here.
Threat actors with a strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years. Typically, these campaigns use spear phishing as the delivery vector and often include malicious attachments designed to bypass typical detection controls. In other cases, the spear phish directs users to websites that would otherwise be trusted but have been compromised by threat actors seeking greater access in order to fulfill their actions and objectives.
In late 2015, ASERT began investigations into a Strategic Web Compromise (aka “Watering Hole”) involving websites operated by the government of Myanmar and associated with recent elections. All indicators suggest that the compromises were performed by an actor group known to collaborators at Cisco’s Talos Group as “Group 27”. These initial findings – focused around the PlugX malware – were released by ASERT in a report called “Defending the White Elephant.” Analysis of PlugX malware configuration suggested that Special Economic Zones (SEZs) in Myanmar were of interest.
Following the trail of emergent threat activity, ASERT has discovered a new Remote Access Trojan (RAT) in use, called the Trochilus RAT (pronounced “tro kil us”), that offers the usual array of RAT functionality and had minimal or no detection from anti-malware software at the time of discovery. Trochilus appears to be somewhat rare so far; however, it has been clustered with other malware used by Group 27, including PlugX, the 9002 RAT (3102 variant), EvilGrab and others. A cluster of seven malware samples was discovered and has been named the “Seven Pointed Dagger” as a convenient reference. These seven malware packages offer threat actors a variety of capabilities, including the means to engage in espionage and the ability to move laterally within target networks in order to achieve more strategic access.
While activity involving Myanmar was the initial entryway into analysis of this threat campaign, additional analysis suggests that the campaign extends further. Therefore, other organizations should be aware of the Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IOCs) discussed in this report in order to detect and defend their critical assets against targeted compromise campaigns more accurately. In addition to Incident Response teams, threat researchers and threat intelligence analysts may also benefit from the insight, analysis and resources disclosed herein.
The following infographic depicts the process by which the information in this report was uncovered. It can serve as a useful reference and to maintain context while following the written trail in the rest of the full-length report.
Indicators of Compromise are provided in a distinct file for easier incorporation into threat detection and mitigation platforms. This can be found here.
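As an added illustration (not part of the ASERT report or its IOC file), the script below shows the kind of sweep a detection team would run once the report's indicators are loaded: domain IOCs are matched against DNS telemetry, including subdomains of a listed domain, and SHA-256 IOCs against file events, and the affected hosts are collected for triage. The IOC values, the log format and the host names are constructed placeholders; substitute the report's IOC file and your own telemetry.

```python
import re
from dataclasses import dataclass

# Constructed IOC list for illustration only. These are NOT indicators from the
# ASERT report; a real deployment would load the report's IOC file instead.
IOC_DOMAINS = {"update-check.example.net", "cdn-static.example.org"}
IOC_SHA256 = {"0" * 64, "f" * 64}  # placeholder hashes, constructed

# Constructed telemetry lines in a simple "<type> <value> <context>" format.
SAMPLE_EVENTS = [
    "dns www.example.com host=ws01",
    "dns update-check.example.net host=ws07",
    "file " + "f" * 64 + " path=C:\\Users\\u\\AppData\\Roaming\\svc.exe host=ws07",
    "dns mail.example.com host=ws02",
    "dns beacon.update-check.example.net. host=ws11",
]


@dataclass(frozen=True)
class Match:
    kind: str      # "domain" or "sha256"
    value: str     # the IOC that matched
    context: str   # remaining fields from the event line


def domain_matches(name, iocs):
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Case and a trailing dot are normalized, and the labels are walked so that a
    lookup of beacon.update-check.example.net hits the IOC update-check.example.net.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan(events, domains=IOC_DOMAINS, hashes=IOC_SHA256):
    """Match each event against the domain and hash IOC sets."""
    matches = []
    for line in events:
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue  # malformed line: skip it rather than abort the sweep
        kind, value = parts[0], parts[1]
        context = parts[2] if len(parts) == 3 else ""
        if kind == "dns":
            hit = domain_matches(value, domains)
            if hit:
                matches.append(Match("domain", hit, context))
        elif kind == "file" and value.lower() in hashes:
            matches.append(Match("sha256", value.lower(), context))
    return matches


def hosts_to_triage(matches):
    """Collect the distinct host= values from matched events."""
    hosts = set()
    for m in matches:
        found = re.search(r"host=(\S+)", m.context)
        if found:
            hosts.add(found.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for m in hits:
        print(m)
    print("hosts to triage:", hosts_to_triage(hits))
```

The subdomain walk in `domain_matches` matters in practice: command-and-control infrastructure is often reached through per-victim or rotating hostnames under a listed domain, and an exact-string comparison would miss them.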