Group 27  (Back to overview)

Arbor’s ASERT team is now reporting that, after looking deeper at that particular campaign, and by exposing a new trail in the group’s activities, they managed to identify a new RAT that was undetectable at that time by most antivirus vendors. Named Trochilus, this new RAT was part of Group 27’s malware portfolio that included six other malware strains, all served together or in different combinations, based on the data that needed to be stolen from each victim. This collection of malware, dubbed the Seven Pointed Dagger by ASERT experts, included two different PlugX versions, two different Trochilus RAT versions, one version of the 3012 variant of the 9002 RAT, one EvilGrab RAT version, and one unknown piece of malware, which the team has not entirely decloaked just yet.

---

Associated Families

---

References

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell EMISSARY PANDA

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } BRONZE FIRESTONE 9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:fcb04ab, author = {SecureWorks}, title = {{BRONZE EXPRESS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-express}, language = {English}, urldate = {2020-05-23} } BRONZE EXPRESS 9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } BRONZE KEYSTONE 9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda

2018-08-21 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C. Chen, Kawabata Kohei, Kenney Lu @online{hoej:20180821:supply:d426e6b, author = {Jaromír Hořejší and Joseph C. Chen and Kawabata Kohei and Kenney Lu}, title = {{Supply Chain Attack Operation Red Signature Targets South Korean Organizations}}, date = {2018-08-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/}, language = {English}, urldate = {2020-01-06} } Supply Chain Attack Operation Red Signature Targets South Korean Organizations 9002 RAT

2018-03 ⋅ CrySyS Lab ⋅ Boldizsar Bencsath @techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } Territorial Dispute – NSA’s perspective on APT landscape 9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos

2017-08-25 ⋅ Proofpoint ⋅ Darien Huss, Matthew Mesa @online{huss:20170825:operation:87e2e2b, author = {Darien Huss and Matthew Mesa}, title = {{Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures}}, date = {2017-08-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures}, language = {English}, urldate = {2019-12-20} } Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures 9002 RAT

2017-03-30 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Josh Grunzweig @online{millerosborn:20170330:trochilus:6c1c703, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations}}, date = {2017-03-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/}, language = {English}, urldate = {2019-12-10} } Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations Group 27

2016-01-12 ⋅ Softpedia News ⋅ Catalin Cimpanu @online{cimpanu:20160112:trochilus:2b0bc1c, author = {Catalin Cimpanu}, title = {{Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia}}, date = {2016-01-12}, organization = {Softpedia News}, url = {https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml}, language = {English}, urldate = {2020-01-13} } Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia Group 27

2015-09-23 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Jen Miller-Osborn @online{falcone:20150923:chinese:4faf76a, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}}, date = {2015-09-23}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/}, language = {English}, urldate = {2019-12-20} } Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media 9002 RAT

2015-08 ⋅ Arbor Networks ⋅ ASERT Team @online{team:201508:uncovering:121e5cf, author = {ASERT Team}, title = {{Uncovering the Seven Pointed Dagger}}, date = {2015-08}, organization = {Arbor Networks}, url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn}, language = {English}, urldate = {2020-05-18} } Uncovering the Seven Pointed Dagger 9002 RAT EvilGrab PlugX Trochilus RAT Group 27

2013-11-10 ⋅ FireEye ⋅ Sai Omkar Vashisht, Mike Scott, Thoufique Haq, Ned Moran @online{vashisht:20131110:operation:d653a09, author = {Sai Omkar Vashisht and Mike Scott and Thoufique Haq and Ned Moran}, title = {{Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method}}, date = {2013-11-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html}, language = {English}, urldate = {2019-12-20} } Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method 9002 RAT

2013-09-17 ⋅ Symantec ⋅ Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, Jonell Baltazar @techreport{doherty:20130917:hidden:72a1bd7, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf}, language = {English}, urldate = {2020-04-21} } Hidden Lynx – Professional Hackers for Hire 9002 RAT HiKit Aurora Panda

2013-05-20 ⋅ FireEye ⋅ Ned Moran @online{moran:20130520:ready:6a59df8, author = {Ned Moran}, title = {{Ready for Summer: The Sunshop Campaign}}, date = {2013-05-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html}, language = {English}, urldate = {2019-12-20} } Ready for Summer: The Sunshop Campaign 9002 RAT

2013-02-07 ⋅ FireEye ⋅ J. Gomez, Thoufique Haq @online{gomez:20130207:ladyboyle:5927b00, author = {J. Gomez and Thoufique Haq}, title = {{LadyBoyle Comes to Town with a New Exploit}}, date = {2013-02-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html}, language = {English}, urldate = {2019-12-20} } LadyBoyle Comes to Town with a New Exploit 9002 RAT

2012-09-07 ⋅ Symantec ⋅ Gavin O'Gorman, Geoff McDonald @techreport{ogorman:20120907:elderwood:4247c36, author = {Gavin O'Gorman and Geoff McDonald}, title = {{The Elderwood Project}}, date = {2012-09-07}, institution = {Symantec}, url = {https://www.infopoint-security.de/medien/the-elderwood-project.pdf}, language = {English}, urldate = {2020-07-11} } The Elderwood Project 9002 RAT Beijing Group

---

Credits: MISP Project