In an effort to avoid detection, save money, and lead researchers on a fruitless hunt, a well-known Chinese threat actor is reusing existing malware. According to a Symantec investigation, the Webworm group changed at least three old malware types (by “old,” we mean from 2008 to 2017) and tried them out against Asian IT service providers to see how they functioned.
They stated that due to the malware’s age, it is occasionally possible for it to escape detection by antivirus software. These are some of the malware that hackers use. The first one is referred to as Trochilus RAT and is freely accessible on GitHub. It has been in use since at least 2015.
It was initially noticed harassing website visitors in Myanmar. It was modified by Webworm so that it may check in a list of hardcoded directories and load its configuration from a file. Additionally, for greater access, it was claimed to be able to traverse laterally across target network endpoints.
The second one is 9002 RAT, a sneaky remote access trojan that has recently improved communication protocol encryption, making it increasingly harder to detect. The third trojan is referred to as Gh0st RAT, and it has been around for 14 years. It now has “several layers of obfuscation, UAC bypassing, shellcode unpacking, and in-memory launch.”
Although it’s hard to pinpoint which threat actor is responsible for the resurgence of Webworms, Symantec seems to think it’s the same crew as Space Pirates, a Chinese threat actor identified by Positive Technologies in May of this year. Then, Gh0st RAT was examined by Positive Technologies, who gave it the moniker Deed RAT.
In any event, Webworm is a well-known cybercriminal organization that has been active at least since 2017. The gang has already been connected to a number of attacks against IT companies, and aerospace companies, as well as Russian, Georgian, and Mongolian energy providers.