Trochilus

Trochilus is a remote access trojan (RAT) first identified in October 2015 when attackers used it to infect visitors of a Myanmar website. It was then used in a 2016 cyber-espionage campaign, dubbed "the Seven Pointed Dagger," managed by another group, "Group 27," who also uses the PlugX trojan. Trochilus is primarily spread via emails with a malicious .RAR attachment containing the malware. The trojan's functionality includes a shellcode extension, remote uninstall, a file manager, and the ability to download and execute, upload and execute, and access the system information. Once present on a system, Trochilus can move laterally in the network for better access. This trojan operates in memory only and does not write to the disk, helping it evade detection. 

Reporting

  • January 2016: Trochilus RAT targets government of Myanmar. (SC Magazine)
  • March 2017: Trochilus and New MoonWind RATs used in attack against Thai organizations. (Palo Alto Networks)

Technical Details

Arbor Networks provides technical details and IoCs for Trochilus and the Seven Pointed Dagger campaign, available here.