
Group 27


Arbor's ASERT team is now reporting that, after looking deeper at that particular campaign and following a new trail in the group's activities, they identified a new RAT that went undetected by most antivirus vendors at the time. Named Trochilus, this RAT was part of Group 27's malware portfolio, which included six other malware strains, served together or in different combinations depending on the data to be stolen from each victim. This collection of malware, dubbed the Seven Pointed Dagger by ASERT, included two different PlugX versions, two different Trochilus RAT versions, one version of the 3102 variant of the 9002 RAT, one EvilGrab RAT version, and one unknown piece of malware that the team had not yet fully analyzed.


Associated Families
win.9002

References
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} }
Tags: 9002 RAT, CHINACHOPPER, Enfal, Ghost RAT, HttpBrowser, HyperBro, owaauth, PlugX, Poison Ivy, ZXShell, LuckyMouse

@online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} }
Tags: 9002 RAT, Derusbi, Empire Downloader, PlugX, Poison Ivy, Shell Crew

@online{secureworks:2020:bronze:fcb04ab, author = {SecureWorks}, title = {{BRONZE EXPRESS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-express}, language = {English}, urldate = {2020-05-23} }
Tags: 9002 RAT, CHINACHOPPER, IsSpace, NewCT, PlugX, smac, APT 26

@online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} }
Tags: 9002 RAT, BLACKCOFFEE, DeputyDog, Derusbi, HiKit, PlugX, Poison Ivy, ZXShell, Aurora Panda

@online{hoej:20180821:supply:d426e6b, author = {Jaromír Hořejší and Joseph C. Chen and Kawabata Kohei and Kenney Lu}, title = {{Supply Chain Attack Operation Red Signature Targets South Korean Organizations}}, date = {2018-08-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/}, language = {English}, urldate = {2020-01-06} }
Tags: 9002 RAT

@techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} }
Tags: 9002 RAT, Agent.BTZ, DuQu, EYService, Flame, FlowerShop, Stuxnet, Uroburos

@online{huss:20170825:operation:87e2e2b, author = {Darien Huss and Matthew Mesa}, title = {{Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures}}, date = {2017-08-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures}, language = {English}, urldate = {2019-12-20} }
Tags: 9002 RAT

@online{millerosborn:20170330:trochilus:6c1c703, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations}}, date = {2017-03-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/}, language = {English}, urldate = {2019-12-10} }
Tags: Group 27

@online{cimpanu:20160112:trochilus:2b0bc1c, author = {Catalin Cimpanu}, title = {{Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia}}, date = {2016-01-12}, organization = {Softpedia News}, url = {https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml}, language = {English}, urldate = {2020-01-13} }
Tags: Group 27

@online{falcone:20150923:chinese:4faf76a, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}}, date = {2015-09-23}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/}, language = {English}, urldate = {2019-12-20} }
Tags: 9002 RAT

@online{team:201508:uncovering:121e5cf, author = {ASERT Team}, title = {{Uncovering the Seven Pointed Dagger}}, date = {2015-08}, organization = {Arbor Networks}, url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn}, language = {English}, urldate = {2020-05-18} }
Tags: 9002 RAT, EvilGrab, PlugX, Trochilus RAT, Group 27

@online{vashisht:20131110:operation:d653a09, author = {Sai Omkar Vashisht and Mike Scott and Thoufique Haq and Ned Moran}, title = {{Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method}}, date = {2013-11-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html}, language = {English}, urldate = {2019-12-20} }
Tags: 9002 RAT

@techreport{doherty:20130917:hidden:72a1bd7, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf}, language = {English}, urldate = {2020-04-21} }
Tags: 9002 RAT, HiKit, Aurora Panda

@online{moran:20130520:ready:6a59df8, author = {Ned Moran}, title = {{Ready for Summer: The Sunshop Campaign}}, date = {2013-05-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html}, language = {English}, urldate = {2019-12-20} }
Tags: 9002 RAT

@online{gomez:20130207:ladyboyle:5927b00, author = {J. Gomez and Thoufique Haq}, title = {{LadyBoyle Comes to Town with a New Exploit}}, date = {2013-02-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html}, language = {English}, urldate = {2019-12-20} }
Tags: 9002 RAT

@techreport{ogorman:20120907:elderwood:4247c36, author = {Gavin O'Gorman and Geoff McDonald}, title = {{The Elderwood Project}}, date = {2012-09-07}, institution = {Symantec}, url = {https://www.infopoint-security.de/medien/the-elderwood-project.pdf}, language = {English}, urldate = {2020-07-11} }
Tags: 9002 RAT, Beijing Group

Credits: MISP Project