Webworm Attackers Deploy Modified RATs in Espionage Attacks

Written by

The threat actor known as Webworm has been linked to several Windows–based remote access Trojans, suggests a new advisory by Symantec, a subsidiary of Broadcom Software.

The group reportedly developed customized versions of three older remote access Trojans (RATs): Trochilus, Gh0st RAT and 9002 RAT. 

The first of these tools, first spotted in 2005, is a RAT implemented in C++, and its source code is available for download on GitHub. Gh0st, on the other hand, was released in 2008 and has since been used by advanced persistent threat (APT) groups. In the advisory, Symantec did not specify how both these malware tools were modified by Webworm.

As for the 9002 RAT, the tool provides attackers with extensive data exfiltration capabilities. Symantec said it spotted variants of 9002 RAT that inject into memory and do not write to the disk. 

“At least one of the indicators of compromise (IOCs) observed by Symantec was used in an attack against an IT service provider operating in multiple Asian countries, while others appear to be in pre–deployment or testing stages,” reads the advisory.

According to the security experts, Webworm has links to a hacking group called Space Pirates, whose activities were documented earlier this year by Positive Technologies.

“Active since at least 2017, Webworm has been known to target government agencies and enterprises involved in IT services, aerospace, and electric power industries located in Russia, Georgia, Mongolia, and a number of other Asian countries,” wrote Symantec.

“Previous research on the group’s activity found that it uses custom loaders hidden behind decoy documents and modified backdoors that have been around for quite some time. This corresponds with recent Webworm activity observed by Symantec.”

At the same time, the common use of these types of tools and the exchange of tools between groups in Asia can potentially obscure the traces of distinct threat groups, Symantec explained.

“[This] is likely one of the reasons why this approach is adopted, another being cost, as developing sophisticated malware can be expensive in terms of both money and time.”

What’s hot on Infosecurity Magazine?