{
	"id": "674f17f2-14f3-4a56-addf-090970159142",
	"created_at": "2026-04-06T00:06:32.11165Z",
	"updated_at": "2026-04-10T03:36:36.868173Z",
	"deleted_at": null,
	"sha1_hash": "3f43263d2b798587cc3f1e6658c85cfc7e750910",
	"title": "tRat: New modular RAT appears in multiple email campaigns | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 690751,
	"plain_text": "tRat: New modular RAT appears in multiple email campaigns |\r\nProofpoint US\r\nBy Proofpoint Staff, November 15, 2018\r\nPublished: 2018-11-15 · Archived: 2026-04-05 22:51:27 UTC\r\nOverview\r\nTA505 is one of the most prolific actors Proofpoint tracks. The group was responsible for hundreds of Dridex campaigns\r\nbeginning in 2014 and massive Locky campaigns in 2016 and 2017, many of which involved hundreds of millions of\r\nmalicious messages distributed worldwide. More recently, the group has been distributing a variety of remote access Trojans\r\n(RATs), among other information gathering, loading, and reconnaissance tools, including a previously undescribed malware\r\nfamily we have dubbed tRat. tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of\r\nthis year (one of them by TA505). In this blog we discuss the components of these campaigns and provide a brief analysis of\r\nthe malware.\r\nCampaigns\r\nOn September 27, 2018, Proofpoint detected an email campaign in which malicious Microsoft Word documents used macros\r\nto download a previously undocumented RAT. The documents abused the Norton brand, with the document names and\r\nembedded image suggesting that they were protected by a security product. Subject lines on the messages reinforced the\r\nsocial engineering, stating \"I have securely shared file(s) with you.\" Enabling the embedded macros installed tRat. 
This\r\nparticular campaign was spread by an unattributed actor, as was an apparently related campaign on September 29 that used a\r\nTripAdvisor lure (Figure 2).\r\nhttps://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns\r\nPage 1 of 5\n\nFigure 1: Lure document from campaign on September 27, 2018, using stolen branding and social engineering to trick\r\nrecipients into enabling malicious macros\r\nFigure 2: TripAdvisor lure used in a September 29, 2018, campaign, again using stolen branding and social engineering to\r\ntrick users into enabling macros\r\nOn October 11, we observed another email campaign distributing tRat, this time by TA505. This campaign was more\r\nsophisticated, using both Microsoft Word and Microsoft Publisher files, and varying subject lines and senders. This\r\ncampaign appeared to target users at commercial banking institutions.\r\nIn this campaign, messages bearing malicious Microsoft Publisher documents purported to be from “Invoicing”, with\r\nvarious sending addresses. Example subject lines were \"Inovice (sic) [random digits] - [random digits]\", and attachments had\r\nnames such as \"inv-399503-03948.pub\". Alternatively, the emails with malicious Microsoft Word attachments appeared\r\nto be from “Vanessa Brito” with various actual sending addresses. Attachments were named “Report.doc” in these\r\nmessages, with example subject lines such as \"Call Notification - [random digits] - [random digits]\".\r\nFigure 3 shows a sample email:\r\nFigure 3: Sample email from campaign on October 11, 2018\r\nIn all cases, the attachments contained macros that, when enabled, downloaded tRat.\r\nFigure 4: Sample lure document from October 11, 2018\r\nAnalysis\r\nWhile we continue to analyze this malware, we have established the functioning of a number of features. 
In the analyzed\r\nsample, tRat achieves persistence by copying the binary to:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Adobe\\Flash Player\\Services\\Frame Host\\fhost.exe\r\nNext, tRat creates a LNK file in the Startup directory so that the binary is launched at user logon:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\bfhost.lnk\r\nMost of tRat’s important strings are stored encrypted and hex-encoded. A Python script [1] that can be used to decrypt its\r\nstrings is available on our Github.\r\ntRat uses TCP port 80 for command and control (C\u0026C) communications; data are encrypted and transmitted hex-encoded.\r\nTo generate the decryption key, tRat concatenates three strings and uppercase hex-encodes the result. The strings from the\r\nanalyzed sample are shown below:\r\n1. \"Fx@%gJ_2oK\"\r\n2. \"AC8FFF33D07229BF84E7A429CADC33BFEAE7AC4A87AE33ACEAAC8192A68C55A6\"\r\n3. \"\u0026LmcF#7R2m\"\r\nIt is currently unclear whether these strings change from sample to sample. In addition to generating a key, tRat uses a\r\n1536-byte table in the decryption process. As of this writing, we were not able to ascertain the meaning of all elements of the\r\ntable or determine if it changes. However, we were able to determine that decryption involves XORing various values from the\r\ntable with the encrypted data. The table indexes are based on the key value, derived as described above. The table [2] from\r\nthe analyzed sample and a Python script [3] that can be used to decrypt the communications are available on our Github.\r\ntRat’s initial phone-home network request is called \"AUTH_INF\". A decrypted example looks like:\r\nMfB5aV1dybxQNLfg:D29A79D6CD2F47389A66BB5F2891D64C8A87F05AE3E1C6C5CBA4A79AA5ECA29F8E8C8FFCA6A2892\r\nThis string contains two substrings separated by a \":\". 
The first substring is a hardcoded identifier stored as an encrypted\r\nstring. The second substring contains encrypted system data; decrypted, it looks like:\r\nFASHYEOHAL/nXAiDQWdGwORzt:3A176D130C266A4D\r\nThese data contain the computer name of the infected host, the system username and the tRat bot ID, although we have not\r\nyet determined how the bot ID is generated.\r\nIn response to the AUTH_INF phone-home, the C\u0026C will respond with \"[P]\" or a command list. If tRat receives \"[P],\" it\r\nsends \"[G]\" in reply. While this appears to operate like a command poll, the precise format of the command list, commands,\r\nand module data is unknown. Currently, we believe that the only supported command in the loader is \"MODULE,\" which\r\ncontains at least a module name and export name. To receive a module, tRat performs the following sequence of actions:\r\n1. Send \"[GET_MODULE]\"\r\n2. If \"[WAIT_FOR_AUTH_INF]\" is received, send AUTH_INF data\r\n3. If \"[WAIT_FOR_MODULE_NAME]\" is received, send module name\r\n4. The response could be one of the following: \"[ERR_MODULE_NOT_FOUND]\", \"[ACCESS_DENIED]\", or the module length\r\n5. If the module length is received, send \"[READY]\"\r\n6. Receive the module\r\n7. The module itself is encrypted similarly to the C\u0026C communications, but appears to use different keys that are sent\r\nwith the module\r\n8. Once decrypted, the module is loaded as a DLL and executed using the received export name\r\nCurrently we have not observed any modules delivered by a C\u0026C, so we are unsure of what functionality they might add.\r\nConclusion\r\nTA505, because of the volume, frequency, and sophistication of their campaigns, tends to move the needle on the email\r\nthreat landscape. 
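The C2 exchange described in the Analysis section above (the AUTH_INF beacon, the [P]/[G] poll and the GET_MODULE sequence), as an added Python example that is not part of the Proofpoint write-up and not tRat code. It models both sides of the conversation using only the decrypted control tokens the report lists; the encryption and hex-encoding layer that wraps them on the wire is left out because the cipher is not fully documented. The in-memory channel, the scripted C2 with its module catalogue and per-bot authorisation, the AUTH_INF value and the length check on the received module are assumptions made for the example:

```python
# Added example (not Proofpoint or tRat code): the tRat C2 exchange from the
# write-up as a bot state machine talking to a scripted C2 over an in-memory
# channel. Only the decrypted control tokens the report lists are modelled; the
# encryption/hex-encoding wire layer is omitted. The channel, the C2 catalogue
# and bot list, the AUTH_INF value and the length check are assumptions.
from collections import deque

# Control tokens exactly as reported, in decrypted form.
POLL, POLL_ACK, GET_MODULE, READY = '[P]', '[G]', '[GET_MODULE]', '[READY]'
WAIT_FOR_AUTH_INF = '[WAIT_FOR_AUTH_INF]'
WAIT_FOR_MODULE_NAME = '[WAIT_FOR_MODULE_NAME]'
ERR_MODULE_NOT_FOUND = '[ERR_MODULE_NOT_FOUND]'
ACCESS_DENIED = '[ACCESS_DENIED]'


class Channel:
    # Two queues stand in for the TCP/80 session; every message is logged with
    # its direction so the whole exchange can be inspected afterwards.
    def __init__(self):
        self.to_c2, self.to_bot, self.transcript = deque(), deque(), []

    def bot_send(self, msg):
        self.transcript.append(('bot->c2', msg))
        self.to_c2.append(msg)

    def c2_send(self, msg):
        self.transcript.append(('c2->bot', msg))
        self.to_bot.append(msg)


class ScriptedC2:
    # Consumes one bot message per step() and replies in the reported order:
    # AUTH_INF -> [P]; GET_MODULE -> ask for AUTH_INF, ask for the module name,
    # then send an error token or the module length, then the module itself.
    def __init__(self, chan, catalogue, authorised, known_bots):
        self.chan, self.catalogue = chan, catalogue
        self.authorised, self.known_bots = authorised, known_bots
        self.state, self.pending = 'idle', None

    def step(self):
        msg = self.chan.to_c2.popleft()
        if self.state == 'idle' and msg == GET_MODULE:
            self.state = 'auth'
            self.chan.c2_send(WAIT_FOR_AUTH_INF)
        elif self.state == 'idle' and msg in self.known_bots:
            self.chan.c2_send(POLL)  # beacon accepted, nothing queued for the bot
        elif self.state == 'auth':
            ok = msg in self.known_bots  # rejecting unknown bots is an assumption
            self.state = 'name' if ok else 'idle'
            self.chan.c2_send(WAIT_FOR_MODULE_NAME if ok else ACCESS_DENIED)
        elif self.state == 'name':
            if msg not in self.catalogue:
                self.state = 'idle'
                self.chan.c2_send(ERR_MODULE_NOT_FOUND)
            elif msg not in self.authorised:
                self.state = 'idle'
                self.chan.c2_send(ACCESS_DENIED)
            else:
                self.state, self.pending = 'ready', self.catalogue[msg]
                self.chan.c2_send(str(len(self.pending)))
        elif self.state == 'ready' and msg == READY:
            self.state = 'idle'
            self.chan.c2_send(self.pending)
        # Anything else (e.g. the [G] acknowledgement) gets no reply.


def phone_home(chan, c2, auth_inf):
    # Initial AUTH_INF beacon: [P] is answered with [G]; any other reply is
    # treated as a command list, whose format the report leaves unknown.
    chan.bot_send(auth_inf)
    c2.step()
    reply = chan.to_bot.popleft() if chan.to_bot else None
    if reply != POLL:
        return 'command_list'
    chan.bot_send(POLL_ACK)
    c2.step()
    return 'polled'


def fetch_module(chan, c2, auth_inf, module_name):
    # Bot side of the module download. Returns (status, module or None).
    chan.bot_send(GET_MODULE)
    c2.step()
    expected_len = None
    while chan.to_bot:
        msg = chan.to_bot.popleft()
        if msg in (WAIT_FOR_AUTH_INF, WAIT_FOR_MODULE_NAME):
            chan.bot_send(auth_inf if msg == WAIT_FOR_AUTH_INF else module_name)
            c2.step()
        elif msg in (ERR_MODULE_NOT_FOUND, ACCESS_DENIED):
            return msg, None
        elif expected_len is None and msg.isdigit():
            expected_len = int(msg)
            chan.bot_send(READY)
            c2.step()
        elif expected_len is not None:  # length check is this example's own
            return ('OK', msg) if len(msg) == expected_len else ('BAD_LENGTH', None)
        else:
            return 'UNEXPECTED', None
    return 'NO_REPLY', None


def run_demo():
    # Constructed values: a fake AUTH_INF (identifier:encrypted host data) and a
    # two-module catalogue of which only one module is released to this bot.
    auth_inf = 'MfB5aV1dybxQNLfg:CONSTRUCTED0001'
    catalogue = {'screen': 'ENCRYPTED-MODULE-BYTES', 'keylog': 'MORE-BYTES'}
    chan = Channel()
    c2 = ScriptedC2(chan, catalogue, authorised={'screen'}, known_bots={auth_inf})
    results = {'beacon': phone_home(chan, c2, auth_inf)}
    for name in ('screen', 'keylog', 'missing'):
        results[name] = fetch_module(chan, c2, auth_inf, name)
    results['stranger'] = fetch_module(chan, c2, 'bogus:0000', 'screen')
    return results, chan.transcript
```

Driving the scripted C2 one step per bot message keeps the two sides interleaved exactly as they would be on a socket, and the transcript from run_demo() reads as the request/response pairs listed in the Analysis section; the three failure paths (unknown module, module not released to this bot, unrecognised AUTH_INF) each end with the error token the report names.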
It is not unusual for the group to test new malware and never return to distributing it, as they have with\r\nBackNet, Cobalt Strike, Marap, Dreamsmasher, and even Bart during their ransomware campaigns. However, we observe\r\nthese new strains carefully as they have also adopted new malware like Locky or less widely distributed malware like\r\nFlawedAmmyy at scale following similar tests. Moreover, their adoption of RATs this year mirrors a broader shift towards\r\nloaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat\r\nactors.\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\ncd0f52f5d56aa933e4c2129416233b52a391b5c6f372c079ed2c6eaca1b96b85 | SHA256 | tRat sample hash, September 27 campaign\r\ncdb8a02189a8739dbe5283f8bc4679bf28933adbe56bff6d050bad348932352b | SHA256 | tRat sample hash, October 11 campaign\r\n51.15.70[.]74 | IP | C\u0026C\r\nReferences\r\n[1] https://github.com/EmergingThreats/threatresearch/blob/master/tRat/decrypt_str.py\r\n[2] https://github.com/EmergingThreats/threatresearch/blob/master/tRat/table\r\n[3] https://github.com/EmergingThreats/threatresearch/blob/master/tRat/decrypt_comms.py\r\nSource: https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns"
	],
	"report_names": [
		"trat-new-modular-rat-appears-multiple-email-campaigns"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433992,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f43263d2b798587cc3f1e6658c85cfc7e750910.pdf",
		"text": "https://archive.orkl.eu/3f43263d2b798587cc3f1e6658c85cfc7e750910.txt",
		"img": "https://archive.orkl.eu/3f43263d2b798587cc3f1e6658c85cfc7e750910.jpg"
	}
}