Webworm hackers modified old RAT malware to evade attribution

New cyber espionage attacks from Webworm hacker group use modified RATs

Old RATs used in new campaignsModified malware pieces experimented with in campaigns targeting governments, IT entities

The known threat actor group tracked as Webworm has been linked to bespoke Windows-based remote access trojans. These new attacks using the advanced and modified RATs[1] now seem to be in the pre-deploying or testing phase. The Chinese Webworm hacking group experiments with customizing their old RAT malware pieces in these recent attacks.[2] These modifications should help evade attribution and reduce operations costs.

The cyberespionage cluster has been active since at least 2017, when it was linked to various attacks on IT firms, aerospace, and electric power providers. The particular targets of these attackers seem to remain in Russia, Georgia, and Mongolia.

Webworm’s use of customized versions of older, and in some cases open-source, malware, as well as code overlaps with the group known as Space Pirates, suggest that they may be the same threat group.

Reports[3] on these attacks show that threat actors are testing their pieces of malware. Remote access trojans get released targeting IT service providers in Asia too. It is likely that this is the part of testing to determine the effectiveness of these RATs: Trochilus RAT, Gh0st RAT, 9002 RAT.

RATs associated with Chinese threat actors

Security researchers note that three backdoor malware pieces are mainly linked with Chinese attackers known as APT10 or Stone Panda; APT17 or Aurora Panda, APT27 or Emissary Panda, and Judgement Panda – APT31. However, other hacking groups also used these pieces of malicious programs.

Webworm hacker group shows various tactical methods used that overlap with other adversarial collectives reported and analyzed this year. Positive Technologies earlier this May tracked the group as Space Pirates.[4] This group targeted entities in the Russian aerospace industry with new malware.

This group also has links with other Chinese espionage activity groups like WIcked Panda and Mustang Panda. These hackers also rely on the usage of post-exploitation modular RATs and other pieces of malware like ShadowPad.

Attack chains use the dropper that launches modifies RATs

These campaigns start with the dropper malware that harbors the loader to inject modified versions of the Trochilus, Gh0st, and 9002 RATs. Modifications involve articular changes to evade anti-malware tool detections. This usage of old malware that has been widely used by other hacker groups also helps Webworm to blend their operations with activities of other hacker gangs and make security analysis harder.

The particular Trochilus was first detected in the wild back in 2015 and recently was available on GitHub freely. A modification to the RAT means that it can load configurations from files by checking the hardcoded directories.

Another trojan used by these cybercriminals, 9002 Remote Access Trojan, is the tool used by various state-sponsored actors and was active for at least ten years. This threat has the capability of injecting into memory and running stealthily. The recent modification added more robust encryption to its communication protocol to help yet again evade detection.

The third trojan used in these recently observed attacks is Gh0st RAT which has been running since 2008 at least.[5] Other APTs have used the malware in their global espionage campaigns. It has several layers of obfuscation, UAC bypassing, in-memory launch, and shellcode unpacking. These capabilities remained with the versions released by Webworm.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions