Chinese hacking group “Webworm” is experimenting with customizing old malware into new attacks, which may evade attribution and reduce operating costs.
Webworm is a cyber espionage cluster that has been active since at least 2017 and has previously been linked to attacks on IT, aerospace and electricity utility companies in Russia, Georgia and Mongolia.
According to a report from Symantec, which is part of Broadcom Software, the threat actors are currently testing various modified Remote Access Trojans (RATs) against IT service providers in Asia, likely to determine their effectiveness.
Old malware on a new mission
The RATs used by Webworm today are long forgotten, and their source code has been circulating for many years. Even so, security tools still do not easily detect them, because their evasion, obfuscation and anti-analysis tricks remain relevant.
Additionally, using old RATs whose source is widely available and which are deployed by many unrelated hackers helps Webworm conceal its operations and blend in with other people’s activity, which makes the job of security analysts much more difficult.
The first old malware used in the new Webworm operations is Trochilus RAT, which first appeared in the wild in 2015 and is now freely available via GitHub.
One modification to Trochilus is that it can now load its configuration from a file located in a set of hardcoded directories.
The second strain tested is 9002 RAT, a malware popular among state-sponsored actors during the previous decade, who prized it for its ability to inject itself into memory and run stealthily.
Webworm has added stronger encryption to the 9002 RAT communication protocol to help evade detection by modern traffic analysis tools.
The third family used in observed attacks is Gh0st RAT, first spotted in 2008, which several APTs have used repeatedly in past global cyber espionage operations.
Gh0st RAT has multiple layers of obfuscation, UAC bypass, shellcode unpacking, and in-memory launching, many of which are retained in the Webworm version.
A Positive Technologies report from May 2022 named the modified malware “Deed RAT”, attributing it to a Chinese group they called “Space Pirates”, which Symantec says is likely the same group as Webworm.
One of the new features of Deed RAT, which is basically a modified version of Gh0st RAT, is a versatile C2 communication system supporting multiple protocols including TCP, TLS, HTTP, HTTPS, UDP, and DNS.
Even if Space Pirates and Webworm are separate groups, Chinese threat actors have been known to share malware in order to obscure their tracks and reduce development costs.