DISCARDED: Tales From the Threat Research Trenches

TrustConnect RAT: Inside a Vibe-Coded Malware Ecosystem

Proofpoint Season 1 Episode 97


Hello to all our Cyber Pals! Host Selena Larson and co-host, Tim Kromphardt, chat with Tommy Madjar, Senior Threat Researcher from Proofpoint, to unpack one of the strangest malware investigations of the year: TrustConnect RAT.

What started as a seemingly legitimate remote management tool quickly unraveled into a bizarre, fast-evolving ecosystem of “vibe-coded” malware. TrustConnect masqueraded as a polished RMM platform—complete with fake testimonials, inflated customer counts, and even an extended validation (EV) code-signing certificate to appear trustworthy. But beneath the surface? Sloppy AI-generated web panels, exposed administrative pages, and a backend that literally labeled infected machines as “victims.”

Tommy walks through how the team discovered the malware, why attackers are increasingly building their own fake RMM platforms instead of abusing legitimate ones, and how the use of EV certificates helped the malware evade detection across security tools. 

The conversation also dives into:

  • The explosion of legitimate RMM abuse in cybercrime
  • How AI-assisted “vibe coding” is lowering the barrier to entry for malware development
  • The surprising operational security failures that exposed both the malware author and their customers
  • Connections to past crimeware activity and possible ties to known actors
  • The rapid evolution of the “Connect” malware family, including newly spotted variants
  • How Proofpoint disrupted the operation by working with partners to revoke certificates and take down infrastructure


Along the way, the team explores a broader theme: what happens when threat actors move fast with AI—but don’t fully understand security fundamentals? 



Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat





SPEAKER_00

You're listening to Discarded: Tales from the Threat Research Trenches, a podcast by Proofpoint with security practitioners. Each episode you'll hear from security researchers, malware analysts, threat hunters, and more as we dive into what's going on in the world of cyber attacks and how defenders safeguard us from threats. Let's get into the show.

SPEAKER_02

Hello to all our cyber pals, and welcome to the Proofpoint Discarded Podcast. I'm your host, Selena Larson, here with my co-host, Tim Kromphardt, today. Very excited to have Tim. And I'm even more excited, sorry Tim, you have been usurped by Tommy Madjar. Longtime listeners of our podcast hopefully know Tommy because we mention him all the time. He is one of our all-star cybercrime researchers here at Proofpoint. He is the king of finding weird stuff. And today we are going to talk to him about something called TrustConnect RAT. And a little note on recording. So we put out a blog on this research a couple of weeks ago, a week ago. And um, I was like, Tommy, you gotta come on and talk about your new blog. Well, Tommy said, Hey Selena, stuff has already changed since we put the blog out. And this will be published about a week after we're recording. So things might change from then too. So just to say, this is as of February 27th. This is what we know about TrustConnect RAT and the ecosystem of the Connect RAT family. And I'm so, so, so excited.

SPEAKER_04

All right. Tommy, uh, why don't you tell us about yourself and uh how you ended up in my computer today?

SPEAKER_03

That's a good question. So uh yeah, I'm a senior threat researcher at uh Proofpoint, been with uh Proofpoint for four years now in the ecrime team, working with a lot of very cool people. So great place to work for, working with all this fantastic stuff and all this data that we are able to look at and analyze and dig into.

SPEAKER_02

And one of the things that you have recently dug into was TrustConnect RAT. And I was really excited about this. So I think I had seen the campaign and I was like, wait a second, what is this? And I was kind of poking around a little bit on it, and then it just sort of snowballed into this giant like constellation of weirdness. It has everything, it has vibe coding, it has EV certs, it has a character of the cybercrime ecosystem. It has multiple different users. So Tommy, why don't you actually tell us about TrustConnect and how you stumbled across this interesting piece of malware?

SPEAKER_03

Yeah, so like over the let's say last year, the uh ecrime space has completely exploded with the use of uh RMMs, that is uh abused legitimate applications that are normally used for uh remote management, uh customers, computers, and and business systems and so on. And since these applications normally are of legitimate use, it's not always the easiest to uh to find them in in all the other legitimate use software. So, like for example, if you would uh see something in in your data that says, okay, this uh customer who is uh receiving an email with a link to uh uh remote uh uh desktop software. It's basically impossible to say if okay, is this a legitimate or not just based on on them receiving this software? So because of that, we need to put in a lot of time to actually look at at these softwares, and we know that there is a lot of different kinds of software that is in this area uh that that we need to categorize to know what it is and to track the actors and know what's up and and what's going on. So basically it's it's a lot of of work just to just like with with normal malware to identify and see what we see in our data, how it's used by which actors, and so on. So it's basically a hunt for for new stuff that we see. And in this case, I was looking at the at the normal places where we would normally see these kinds of software, and it's almost every week we find a new abused RMM uh agent. So it's pretty normal to find uh find these kinds of things and and to send it over to detection engineering to uh decide worries and categorize and see okay, how can we detect it if it's a malicious use or not? So in this case, I I flagged it and said, Hey, I found something new here. Sent over it, sent it over to to our friends at detection engineering and to uh the other campaigners able to build a story around it. But at that time, it it was just a new RMM, it wasn't much more than you. Tim and Selena said, like, hey, uh this doesn't really look like the normal stuff, it's just a the domain is just a couple of weeks old. Then I was like, this is something else. So that's that's where we started, basically. And and it was pretty easy to uh to see when you once got in there that this wasn't the run-of-the-mill uh RMM.

SPEAKER_02

So let's talk about how it looked on the website. So it you know, it had the trust connect domain, and then when you visited the trust connect domain, it said a new RMM and it had all of these, you know, fake testimonials, it had fake, a whole fake website, a fake uh number of customers that use it, and it looked like a legitimate RMM. And yeah, and it popped up right at the top when you searched, you know, Trust Connect RMM. It went to that website, and so it looked like a piece of software that would be legitimately distributed as an RMM. So I'm curious, you know, you mentioned and we've talked about it on the podcast before, just the explosion of legitimate RMM abuse in our data. And we can even talk about this later in the podcast in terms of the payloads that are delivered alongside Trust Connect are often other RMMs. But I'm curious, why would a threat actor create a malware that poses as an RMM?

SPEAKER_03

Yeah, that is a good question, actually. Uh and I have asked myself that uh too, like, okay, but because we you know we see these actors all the time that actually subscribes to the cloud RMMs and they get get a legitimate file, a signed file by uh a real company, uh, and there is basically no way to distinguish it from uh from the non-abused sessions. So why would they do this? Well, one one reason is that uh a lot of companies have probably uh started to see this explosion of these known RMMs. So they follow these uh different uh repositories, for example, uh LOLRMM um which list lists all these abused uh RMM software. So you you need to know what to look for to block these kinds of applications. Uh and if there is like okay, yeah, I I want to allow someone to download this software or this software, the organizations can control that, and and it's like the installer itself usually says that this uh uh software is uh is used for remote management, and actually more um software like this are actually putting that like a pop-up that you like. If you install it, it says that this computer is going to be remote controlled. So what they need to do is is they need to avoid that fingerprint, which they can do in this case with a completely new software, uh, which will take some time to uh to be categorized as an RMM or even malicious. And then they use these uh uh softwares, including TrustConnect, to install second stage RMMs, maybe one, maybe several, uh, which make it even harder than to actually uh make sure that that your uh computer system is clean. So it's it's like yeah, they they are building up. So in this case, when they can control their own RMM, if people think it's legitimate and they don't need to put out uh this uh uh installer that says that hey, it's it's a remote control. If they can may get that to work, then it's much much easier for them to uh to get it to install. And with the certificates that they use to sign the software, they also don't get all these additional pop-ups when when uh uh targets download uh and uh open the files because it's signed trusted software, so you don't get any warning of any kind.

SPEAKER_02

So, yeah, so so we'll definitely get to the signed software piece because that was very interesting. But real quick, there was actually a submission to the LOLRMM GitHub of TrustConnect RMM as a new RMM, right? So it was actually convincing people that it was a real RMM.

SPEAKER_03

Yeah, yeah, absolutely. And I mean, if you wouldn't have looked at the uh registration date of the domain, even that because they're actually new, new legitimate RMMs popping up every day. Because, you know, hey, why wouldn't uh real threat actors vibe code RMMs too? Because it's uh lucrative business to you know have these kinds of uh of uh software, you know, it's just something that businesses pay for. But the thing is that when I started to look at it and I tried, okay, it says free trial. Let's try free trial. I mean it's it's it's there, it's uh in front of my eyes. I used a disposable email account and made an account and was welcomed to a screen uh that said that my account was disabled and I needed to pay with Bitcoin to get access to to this RMM. And that was like, uh no, I don't think that uh legitimate software of this kind only would take payment in in crypto. So yeah, that's where the real investigation started.

SPEAKER_04

So advanced fee fraud of hey, if you want to use this free trial, you need to pay us$300.

SPEAKER_03

Yeah, exactly. So but it's it's likely some again. Uh in this case, uh the the landing page was used as a uh front for the actually registered company, or actually one of three or four registered South African companies to uh get their cert authority to release a um certificate, code signing certificate uh for them. So in this case it had to look good because they are according to to the rules they have to the the uh cert authority have to buy obey to is that they need to for EV. It's uh extended validation. So they are supposed to look at it that yeah, this is really elegant software, a really intimate company.

SPEAKER_04

You want to talk about the campaigns that led to the uh to Trust Connect? And is it one actor that's doing this? It kind of sounds like there might be more involved.

SPEAKER_03

Yeah. So there was a lot of uh different actors. When we started digging into this, it uh we came across across at least, you know, maybe five completely different clusters in just the first week. So it was uh everything from you know business proposals to invites to Tesla shows, it was uh the uh theme of the season, uh taxes, uh IRS. Uh it was basically everything uh you you could imagine. And on top of that, the uh actually traditional RMM uh basic uh thing that started this all and it that it's party invites. For some reason, it's super popular in these clusters to you know invite to various types of parties of different kinds. And obviously, people want to go to parties too, they will install anything to get their party invite.

SPEAKER_02

I think it's so crazy that the party invitations are such a common lure, like yeah everywhere by all of these RMM actors, and as well as Trust Connect. And I'm just like, I never get party invitations.

SPEAKER_01

If I got a party invitation, I would be highly skeptical of the party invitation.

SPEAKER_04

Well, you'd also be happy about getting either a real party invite or malware invites.

SPEAKER_01

Yeah, yeah, I know.

SPEAKER_04

Either way, you'd be happy, right?

SPEAKER_01

Like, wait a second, this isn't real.

SPEAKER_03

And then, of course, we have the Social uh Security Administration, uh, which always is popular, and that is a uh classic case where where these clusters are using different invites that leads to uh an SSA.exe file anyway, despite the lure being something completely else, or like the lure being about taxes and the file download is party.exe. It's it's one of these classic cases where they just mix and match everything just to get someone to click. And then of course, we also have the ATO jumpers, uh account takeover clusters that uh uh uses uh this uh uh software to get a foothold inside a company and then use the account that they get access to to you know just uh basically like a worm, uh compromise the next company and send the same invites to everyone else, you know, just like you see in in the different different uh normal phishing campaigns.

SPEAKER_04

So, Tommy, we have malware that's masquerading as legitimate RMM software, and then we've got software being advertised as stuff for different lures for social security administration. Is this are they doing any sort of obfuscation with this malware, or they do they want it to look like a legit RMM when it's being installed, or what what are they doing?

SPEAKER_03

Yes, yeah, so it's it's a couple of uh different ways they are are doing this. So it's in this case, in in the first case with TrustConnect, uh we discovered that they actually from this uh uh panel uh that uh they got access to when the when the uh criminals uh subscribed to it was able to download software that was uh using metadata from real products like Microsoft Teams, uh Zoom, and uh and other uh companies and uh software and systems and and you know invites and so on. So the file contained the metadata of the legitimate application and was signed. So it's it's not really obvious in that way. And it's also the same way that when you download and executed it, uh it was really not trying to hide anything. It it's like at least for the first versions, it was extremely uh simple to uh to look at uh what it actually was doing. It was very clear that it was doing what a lot of RMMs would do, but also uh RATs. Uh so uh so it's like yeah and even in the newer versions, they uh even have the possibility in the panel uh to uh that you enter your own metadata, maybe because of of uh of our blog, you know. We mentioned that okay, they can use these different types of names and themes. So in in the next version, uh they simply let uh the criminals select their own names. So they can just type in and select what they want their executable to be to be named and what metadata they want they have, and then it's built on request uh from the panel, and they get a signed file with the the uh metadata of the executable they want.

SPEAKER_02

So previously the criminal would log in and be able to say, you know, I'm looking for you know Microsoft Teams, party invite, social security administration, Zoom meeting, and they would have this sort of pre-built executable name, and they were able to sort of select from these different options provided by the malware. And now they can just be like, well, I want to name it. I don't know. What would be a good name for executable grocerylist.exe.

SPEAKER_03

Yeah, yeah, but I mean they they can still name it uh in uh uh like uh MST MSTMs.dxe if they want. And I think that's actually one of the reasons because you know, one of the reasons that we uh we got help uh from the search graveyard uh to contact the uh emitter of the original uh EV certificates was that we were able to prove and say that hey, these files are signed like Microsoft applications, Zoom applications or Adobe applications, but it's obviously not that kind of file. So in this case, if they are removing the traces of it being malicious, uh so the next version will look even more like uh business software even after logging in, even though they still in the last versions do require payment in in the uh cryptocurrencies and I've raised the price to five hundred dollars instead of uh three hundred dollars. You know, yeah, they they are they are trying to go away from the stuff that we found. So, for example, in the original panel, uh in the end, when we were able to, you know, because vibe-coded security isn't always the best, uh we were able to extract very much information from the panel, and it's like it's you know, it's not even it's not you know, we not even hacking. It's like, okay, here, here you can have everything I have in my database, you can have everything, just just look here. So it's it's you know, it's uh nice of them. Especially, especially the first version, it was like you could just look, you could see that if you went to a page, it's quickly reloaded and went back to the login page. So you could just basically disable JavaScript and go to the page that you want to do, and you could see it, because it's it was all already there. The only protection was that it was checking is on client side is user uh administrator or not, and just redirect away from the page. 
So it even said, like in the pure source code, if you would go to the login page and look at it, it would say that if you are a super administrator, redirect to this page, and then you could do the same there. You could just go to the super administrator page, disable JavaScript, and you would see it. And and the most fantastic thing here is that this is uh RMM with victims. Have you ever heard of an RMM or any kind of of business software that calls the client victims? I don't know, it's it's like uh it's kind of absurd to go through all that and then just you know, g give away that that's okay, this is this is super malicious.

SPEAKER_02

Yeah, well, so I thought that part was really funny because of course, as we all know, everything is vibe coding. Like people are using it for you know, building websites, building tools. And it's in many cases, it's you know, people don't really know what they're doing. And in this case, he had these glaring security issues where he vibe coded this website, or he they person the person behind this. I shouldn't, we don't know who it is, so I shouldn't gender them. But I the person behind this made this website and did it so badly that Tommy was able to just disable JavaScript on the website and go to the pages that the threat actor would see, like have mock uh victims that it was literally called victims, being able to see the little um notifications at the top too, right? Like the little, like what like what you would see as the user and the name. Uh exactly. You know, contact Zachy for, you know, Zachy09, I think, for uh support. And I want to get to uh him them in a minute, but I did kind of want to think about like the vibe coding piece. And you know, before we actually got on this call, you also mentioned that the malware might be written fully with AI. And I'm kind of curious, you know, do you have any thoughts as to? The ridiculousness of the vibe coded website and panel that the malware was using. And like now that you have observed additional artifacts that suggest AI support or like almost entirely AI developed, like, what does this tell you about the threat actor?

SPEAKER_03

Yeah. So I mean, it's again, it's it's the same as the rest of the site or or whatever. You can just come up with an idea and tell your AI agent or whatever website creator you have or whatnot, and just say, hey, hey, I have this idea. Do the application. Uh so for example, like like last year, we had a blog out and and spoke a lot about Lovable, uh, which uh was this web app creator website that would create and uh host an entire website and would give you full functionality with yeah, I mean it's it's a good thing. Fantastic thing is it's used right uh this kind of software, but on the other hand, they had the same kind of issues there too, where people wouldn't know if because they weren't used to coding where to put your data. So at least in the start, there was you know API keys for uh for ChatGPT and everything floating all over the place because simply uh because people weren't asking the software to make it secure. They weren't asking the AI agent to make the software secure because you know asking that question uh costs money. So it's not like and it's the same, like okay, if if the uh the company that that runs the website, the service that offers coding, or it's the same for for you know uh these uh models you can download and run on your computer. It's like you you want to save tokens. You don't want to do more than you actually need because it's it costs money. So because of that, a lot of this stuff are modular and and it doesn't do more than than uh what you want. It it doesn't question you on security if you haven't uh told it specifically to do so, and in this case it's uh extremely clear that they didn't. Uh so so I mean it's it it depends on on which service and which uh uh what thing you use to actually if it's secure or not.

SPEAKER_02

Mm-hmm. Mm-hmm. So do you think then that the threat actor was just lazy or they just didn't want to spend the tokens, or maybe they didn't realize?

SPEAKER_03

Yeah, I would guess, wouldn't realize. It's like yeah, I mean it's it's looking at it, it it went so extremely fast from you know the uh the first uh uh website creation date to uh the first version to the next version to DocConnect that we included in the blog to to last week. Uh we had HardConnect, we had SoftConnect, we had Axis Software Agent, we had whatnot. Um and it's it's pretty clear that it takes he or or she, uh they uh take their code base or their prompts, and then they just move to the next site or the next model or the next form to ask the same question, or you know, say, okay, re rebuild this software as something else. And and the same thing goes there. If you take it and the next model, even if it will just take, okay, I should rebuild this thing as DocConnect instead, which is a document delivery software with a built-in RMM, because who wouldn't want that? But you just leave it just as insecure, but you didn't ask me to increase the security.

SPEAKER_02

Exactly. Yeah, so yeah, I guess he's just the person is just you know replicating things over and over again, but not taking any concern about security at all whatsoever. Which is funny because I think that people are doing that in their own workflows, even non, you know, even non-threat actors, people are, you know, implementing things without really thinking about the security of the agentic tools that they're using, whether it's Claudbot and deleting a bunch of emails or or you know, uh the sort of poisoning of some of these agentic solutions, or you know, building the claudbot thing and exposing API keys there too. So I, you know, I think that this is something that we're seeing across the landscape, whether you're, you know, red team or blue team or the bad guys, you have these issues where you're like, oh, I'm and I think part of it comes to experience too, right? Because web development is a different thing than malware development. And it's a different skill set. And if you're not a web developer, you don't even know how you should, you know, restrict different web pages or have security built into your website. If you're a malware developer, that's kind of what you focus on. And so maybe, you know, you you know malware and you can, you know, be pretty good at developing that, but then your the actual like web design in AppSec might not be as good.

SPEAKER_03

I don't think like I I'm pretty certain from the basic Googling I've made of the handle that is mentioned on this website, that this person actually were doing this kind of you know, party invites and so on previously. And probably thought that, hey, these companies can actually make a lot of money from these subscriptions to these software. Why shouldn't I just create my own? And I mean, it's like, yeah, um, why not? Why I I don't know while I'm doing the why did you have to mention client system as victims? I don't know, but yeah.

SPEAKER_04

So they might not have had much thought behind some of their security practices, but one of the things it did do was try to bypass detections, was register an extended validation certificate, also known as EV cert. You want to talk about that process? Why they might have done that?

SPEAKER_03

Yeah, so so again, we spoke a little bit of this earlier, but in this case, they did uh register a South African company, and they did have the website, and then they uh contact uh the seller of these uh certificates uh and then they say that hey, I want uh extended validation certificate. And then the the company that provides these services are supposed to check a lot on this company that wants to buy this certificate, uh and then they can use it to sign the software. And again, this code sign practice makes it uh less obvious that something bad is running. You you don't get your warnings, yeah. So so that's why they do it and how they do it. It's uh in this case, it's a bit questionable if the EV certificate would have should have been released from the first place because it's you know if you if you look at the address of the company uh on Google Maps, you will see that this is not the best neighborhood in the uh in the town. You know, uh it's probably not the place for for for a uh company called uh trust, uh correct. So so I mean it's it was pretty obvious to me that okay, this is this is completely made up, and you know, South African companies have have the registration number as number based on the year. And since we're at the start of uh of the year, we could see that okay, this company was actually just re registered a couple of weeks ago too. Uh so it's it's you know was it right or not, I I don't know. Uh but uh yeah, we got help to to revoke this certificate. In this case, it uh made that they weren't able to sign more software, but they didn't proactively revoke the certificate, which made that old files were still usable and they were continuing to use Indobes uh for uh for some time. But I had some great news. Uh the uh revocation uh was backdated last night. Uh on the other hand, they have stopped using that entirely now, so I don't know exactly how uh how usable that information is. Uh and also from uh from last week or or two weeks ago they started to using first level certificates on Microsoft instead. Uh and these uh certificates are valid for three days, but it doesn't matter because it's uh since the software is built in the panel and it will probably not be they will probably not use them campaigns for more than three days. So it doesn't matter. In the same way here, it doesn't matter if it expires, it will still continue to run on the computers if it's installed. So you know it's uh uh yeah.

SPEAKER_02

So I think it's important to sort of highlight the use of the EV certificates because basically it's a way to say to a computer, hey, I'm legitimate, I am authentic, I have an extra layer of security, and I'm telling the computer that, you know, you can trust me. And I think that, you know, it's it's interesting. And then if you look in the sort of open source databases for Trust Connect, it was all not detected. It was all like scanning as clean. And um, like Tommy, I think you mentioned internally that for a few days at least, the emerging threat signatures for this malware was really the only thing that was detecting it as malicious because you know, we'd seen the domains, we'd seen all that information, we created signatures for it, said yes, this is actually malware. Whereas some of the open source databases were it was still clean scans. Um, and is that partially because of these certificates having this additional layer of security telling these systems like, I'm good, it's okay.

SPEAKER_03

Absolutely. It's uh it's definitely like this. So, for example, for for compared with the Microsoft certificates that you cut now that wasn't of the EV type, uh, they did get much higher scoring uh on these uh sites over uh the original one, which again, uh you know, even after our blog was released, uh these files were were uh seen as clean by a lot of of uh different uh antivirus engines and uh memory scans. Uh just because again uh the EV certificate and that it wasn't revoked back in time, which meant that okay, this side this software was legitimate when it was signed, so therefore it's still legitimate, except even though uh the certificate has been revoked. So it's like in this case, it's it would be like okay, the private certificate was leaked. That would mean that okay, we know that the date where it was leaked, we know that everything before the leak, the software is safe, but the day after it's not safe any longer. In this case, it would be it uh it will say that okay, the uh old signed software was still completely legitimate via EV center bits that have a very high fast value.

SPEAKER_04

So uh are these domains still around here, Tommy? Were you guys able to take these all down or or what what happened with that?

SPEAKER_03

Yes, so for the first version of uh Software Connect, we were able to work together with partners to get it offline uh and get uh uh disruptive action. Uh it's great. It's just like uh working together with uh uh search graveyard to be able to revoke the certificate in an effective way. It's always great to work together with uh industry partners to actually disrupt actors and uh uh and to uh uh yeah, for example, just you know, the the cost of the EV certificate to setting up three different companies, you know, all this work to make this plan work, and we're able to to to together with these partners to disrupt and impose costs. I think that's uh really important and uh and a good use of of time to uh to make sure to disrupt. And also it's like for the criminals that buy this software, you know, knowing that the software that they have purchased really aren't that secure. It was easy to see, see from the data that we saw that it was a long tie from the uh payment, uh the crypto payment to an email address, company ID to a company name, uh which made it very easy, you know, to see and track how many customers there were in the database, and there were a lot. Uh so you know it's it's obvious. And then also from the uh payment to the crypto wallets, he certainly got a lot of, or they got uh suddenly a lot of customers in their uh service.

SPEAKER_02

Oh well, and I think this is so funny because, going back to the horrible vibe coding, not only did it expose the threat actors' website and their lack of security, but then it had all these follow-on repercussions for the customers of the actual malware, because they're using a panel that's insecure. And so then they have to face those consequences as well. So it's kind of funny, the sort of chain reaction of bad vibe coding leading to exposing probably more than the criminals would want to be exposed. But on that note, Tommy, I think this is really interesting because, as you mentioned, we saw the name of the person who was supposed to be contacted for support. There's a Telegram channel. The name was Zaki 09, and the full actual spelling of that is in our blog. You can check it out. We'll put a link to it in the show notes if you're curious. But Tommy, who do you think is behind TrustConnect, and were there relationships to other malware?

SPEAKER_03

Yeah, so what's fun is that, despite AI, you can actually still Google stuff. You can Google this handle, the Telegram handle, and you would end up with a few different hits: a couple of old tweets and some Russian crimeware forums that mention that a bunch of different Telegram handles were named in the takedown of RedLine in Operation Magnus. So we did of course look that up, and it's indeed used as an example of a VIP customer in the video that the law enforcement operation put up. So it was really easy to track this down and see that, okay, this is obviously someone that isn't completely new in the game with malware.

SPEAKER_04

So they saw RedLine and were like, huh, I could vibe code something similar. Absolutely.

SPEAKER_02

Tommy, you mentioned that they have a new version, and of course they have all of these other Connect family malware, which, just for context, we are tracking under the TrustConnect umbrella because they all have some similar functionality. But what's new in the new versions?

SPEAKER_03

Yeah, no, the new thing in the latest versions that we see now is that again, since the panel leaks so much, we can actually see in the public information that they are building the executable on demand and signing it with a certificate. Since we didn't have exact access to the actual back end, that wasn't clear in the TrustConnect version. In the new versions, it's very clear that it's actually built on request. And again, they are trying different versions of the remote access and the functionality, but it's still the same kind of vibe-coded websites; you recognize them by the colors, by the forms. When you've looked at enough of them, you can feel that, okay, it's just a prompt in some LLM. And they continue in the same way. So basically all of this is new again, but it's pretty funny that they leak different kinds of information depending on which type of website it is. So, for example, in the DocConnect one, it was easy to see that it says they allow the customer of the platform to upload a PDF and include a Celer. EGRM. So it's interesting to see that it's completely different stuff; you get a complete picture that, okay, this is obviously what was in the old version too.

SPEAKER_02

So they're badly vibe-coded, but in different ways.

SPEAKER_03

So exactly.

SPEAKER_02

So each mistake on each website shows a little bit more of the complete picture, and you can kind of put that all together to complete the puzzle. That's so funny.

SPEAKER_03

Absolutely.

SPEAKER_02

Oh dear, oh my. All right, well, Tommy, that's all we had for you today. Tim, was there anything else you wanted to ask Tommy while he's here?

SPEAKER_04

No, just really glad for all the hard work you're doing. This is great stuff, Tom.

SPEAKER_02

Yeah, it's super fun. And also it's worth highlighting that we are constantly putting new detections in our pipeline, in the sandbox, in Emerging Threats, for the TrustConnect family, our ecosystem, the constellation of badly vibe-coded remote access trojans. So whenever we find something new, we of course create detections for it. I do want to give a shout-out as well to Isaac Shaughnessy, and Jeremy, also on the sandbox team. They've done a lot of work for this. Isaac, of course, has joined us on the podcast before, talking about other fun infostealer malware that he has found. So, shout-out to those guys, who are also on top of all of this and, quite frankly, have to deal with Tommy finding the most random things every day.

SPEAKER_03

Yeah, no, we wouldn't be anything without the superiors who both make us able to detonate these things in sandboxes and see what they do easily, and write these amazing detection rules for the different detection engines. So it's super awesome to have them on the team.

SPEAKER_02

Yes, we love it. We are one big happy family, one big collaborative engine. And Tommy, thanks so much. I'm so happy you were finally able to come on. We reference your work all the time. And I have to say, I think I probably collaborate with you most on blogs. What do you think? Is that probably accurate?

SPEAKER_03

Yeah, I would think so. It's "Hey Selena, what do you think about this?" or you say, "Hey Tommy, want to release something about this?" It's like, yeah, sure, let's do it.

SPEAKER_02

Let's do it. Exactly. You find so much fun stuff that we can then put out into the world. And yeah, so it's great. Tim too. Tim, we've worked on some blogs too, actually. So I know you have some coming up as well.

SPEAKER_04

Yes, indeed.

SPEAKER_02

Yeah, awesome. Well, thank you so much for joining us, Tommy. Tim, thank you as always for being a wonderful co-host, and thank you to our listeners for tuning in. Of course, if you are interested in diving much, much, much deeper, I think it was like 23 pages worth of content that we put out in the blog. We will, of course, include a link to this in the show notes. And to all of our listeners, as always, until next time, happy hunting.

SPEAKER_00

You've been listening to Discarded: Tales from the Threat Research Trenches, a podcast by Proofpoint. Never miss an episode by subscribing to the show in your favorite podcast player. Happy hunting.