Click on screenshot to zoom
Danger level 6
Type: Malware


Remote access tools (RATs) are programs that enable remote access on an administrator level. tRat is one of the many Trojans that have RAT functionality. Once this kind of malware gains access to the targeted operating systems, it is able to transmit information to remote servers, as well as execute malicious commands. Needless to say, it is important to secure your operating system against remote access malware, as well as other kinds of infections, because they could cause detrimental security problems. In this report, we discuss how to remove tRat if it slithers in, and we also review this malicious threat to provide you with the knowledge that, hopefully, will help you prevent RATs from successfully attacking your Windows operating system in the future. Continue reading this report, and post all questions in the comments section. Our team of malware experts will address them as soon as possible.

According to our malware experts, tRat was created by a group that goes by the name TA505. This group is well-known in the malware world because it has been linked to Dridex and Locky attacks that were affecting users all around the world since 2014 and 2016, respectively. tRat has been around since late 2018, and it is now known that this infection relies heavily on spam/phishing emails for distribution. At least three unique scams have been uncovered, and all of them exploited the reputable names of well-known brands. Most prominently, the distributors exposed Windows users to the launcher of the Trojan using fake Microsoft Word and Microsoft Publisher files. If the target opened the misleading email message and then clicked the attached file, they were introduced to this message: “Document created in earlier version of Microsoft Office Word. To view this content, please click Enable Editing from the yellow bar and then click Enable Content.” If the target did as instructed, malicious macro was enabled, and the Trojan was downloaded silently. To trick people into executing the infection, the Trojan’s developers also created fake email messages that represented files, allegedly, secured by Norton and files, allegedly, sent by TripAdvisor.

Once executed, tRat does not stay dormant. Instead, it goes into action immediately, and the first task for this infection is to transmit information to a remote C&C server. According to our malware experts, the information that the infection records and sends silently may include the names of the computer and user, as well as a generated user ID. Once the information is analyzed, the attackers can use the same C&C server to send commands and download additional malware files. Unfortunately, this is where things get tricky. We cannot say what kinds of files could be downloaded by tRat, and the attackers are pretty much unpredictable. Needless to say, the Trojan could become extremely powerful if it gained functionality to drop and execute malware, record passwords, gather banking information, or perform other malicious actions. This is why it is crucial to delete the Trojan before it is executed or, better yet, prevent it from slithering in at all. Of course, if the Trojan has been executed, you need to focus on deleting it as soon as possible.

Since malware and malicious files potentially could be downloaded by tRat, it is important to inspect the operating system, even if you know for a fact that the Trojan exists. You need to know if there are any other threats that require attention and removal too. If you find additional threats, you need to figure out how to delete them along with the Trojan. That is easy to do using anti-malware software that is set to find and erase malicious threats automatically. The second reason to install this software is the complete protection it can enable to secure your system against RATs or other kinds of malware in the future. Without a doubt, we recommend implementing legitimate anti-malware software even if you choose to delete tRat manually, which you might be able to do using the instructions below. Please note that this guide was created when analyzing the RAT and not other threats. If the scanner unveils other infections, you will need to research and remove them separately. If you need help with that, post a comment below.

tRat Removal

  1. Simultaneously tap Win+E to access Explorer.
  2. Enter %APPDATA%\Adobe\Flash Player\Services\Frame Host\ into the field at the top.
  3. Right-click and Delete the file named fhost.exe.
  4. Enter the following paths into the field at the top to find and Delete the file named bfhost.lnk:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  5. Empty Recycle Bin.
  6. Perform a full system scan using a reliable malware scanner to inspect for malware leftovers.
Download Spyware Removal Tool to Remove* tRat
  • Quick & tested solution for tRat removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.