A threat actor known as Webworm has been connected to customized Windows-based remote access trojans, some of which are allegedly in the testing or pre-deployment stages. “The group has developed customized versions of three older remote access trojans (RATs), including Trochilus RAT, Gh0st RAT, and 9002 RAT,” the Symantec Threat Hunter team said in a report.
According to the cybersecurity company, one or more of the indicators of compromise (IOCs) were deployed in an attack against an IT service provider with operations across many Asian nations. Although other hacking organizations have used them, it’s important to note that these three backdoors are predominantly connected to Chinese threat actors, including Stone Panda (APT10), Aurora Panda (APT17), Emissary Panda (APT27), and Judgement Panda (APT31), among others.
Symantec disclosed that the Webworm threat actor shares tactical similarities with Space Pirates, a new adversarial group that Positive Technologies first identified in May and that was found to target Russian aerospace companies with novel malware. Because of its shared use of post-exploitation modular RATs such as PlugX and ShadowPad, Space Pirates overlaps with earlier Chinese intelligence-gathering activity attributed to Wicked Panda (APT41), Mustang Panda, Dagger Panda (RedFoxtrot), Colorful Panda (TA428), and Night Dragon. Its malware arsenal also includes Zupdax, Deed RAT, BH A006 (a modified variant of Gh0st RAT), and MyKLoadClient.
Since it began operating in 2017, Webworm has a history of targeting government organizations and businesses in the IT services, aerospace, and electric power sectors based in Russia, Georgia, Mongolia, and many other Asian countries. Its attack chains commonly use loaders to launch customized versions of the Trochilus, Gh0st, and 9002 remote access trojans. The cybersecurity company said that most of the alterations are made to evade detection. It also notes that decoy documents are used to gain initial access through social engineering.
“Webworm’s use of customized versions of older, and in some cases open-source, malware, as well as code overlaps with the group known as Space Pirates, suggest that they may be the same threat group,” the researchers said. “However, the common use of these types of tools and the exchange of tools between groups in this region can obscure the traces of distinct threat groups, which is likely one of the reasons why this approach is adopted, another being cost, as developing sophisticated malware can be expensive in terms of both money and time.”