The Chinese ‘Webworm’ hacking group is experimenting with customizing old malware in new attacks, likely to evade attribution and reduce operational costs.
Webworm is a cyberespionage cluster active since at least 2017 and previously linked to attacks on IT firms, aerospace, and electric power providers in Russia, Georgia, and Mongolia.
According to a report by Symantec, part of Broadcom Software, the threat actors are currently testing various modified Remote Access Trojans (RATs) against IT service providers in Asia, likely to determine their effectiveness.
Old malware on a new mission
The RATs used by Webworm today are long forgotten, and their source code has been circulating for many years. However, security tools still don’t detect them easily, because their evasion, obfuscation, and anti-analysis tricks remain relevant.
Also, using older RATs that are in wide circulation and deployed by many unrelated actors helps Webworm disguise its operations and blend in with the activity of others, making the work of security analysts much harder.
The first old malware used in new Webworm operations is Trochilus RAT, which first appeared in the wild in 2015 and is now available freely through GitHub.
A modification added to Trochilus is that it can now load its configuration from a file by checking a set of hardcoded directories.
The second tested strain is 9002 RAT, a popular malware among state-sponsored actors in the previous decade, who appreciated it for its capability to inject into memory and run stealthily.
Webworm added more robust encryption to 9002 RAT’s communication protocol to help it evade modern traffic analysis tools.
The third family used in the observed attacks is Gh0st RAT, first spotted in 2008, which multiple APTs have repeatedly used in past global cyberespionage operations.
Gh0st RAT features several layers of obfuscation, UAC bypass, shellcode unpacking, and in-memory launch, many of which are retained in Webworm’s version.
A Positive Technologies report from May 2022 named the modified malware ‘Deed RAT,’ attributing it to a Chinese group they called ‘Space Pirates,’ which Symantec says is most likely the same group as Webworm.
One of the new features of Deed RAT, which is essentially a modified version of Gh0st RAT, is a versatile C2 communication system supporting multiple protocols, including TCP, TLS, HTTP, HTTPS, UDP, and DNS.
Even if Space Pirates and Webworm are distinct groups, Chinese actors are known to share malware to obscure their tracks and cut development costs.