The threat actor known as Webworm has been linked to a number of Windows-based remote access Trojans, suggests a new advisory by Symantec, a subsidiary of Broadcom Software.
The group reportedly developed customized versions of three older remote access Trojans (RATs): Trochilus, Gh0st RAT and 9002 RAT.
The first of these tools, first observed in 2005, is a RAT implemented in C++, and its source code is available for download on GitHub. Gh0st, on the other hand, was released in 2008 and has since been used by advanced persistent threat (APT) groups. In the advisory, Symantec did not specify how either of these malware tools was modified by Webworm.
As for the 9002 RAT, the tool provides attackers with extensive data exfiltration capabilities. Symantec said it observed variants of 9002 RAT that inject into memory and do not write to the disk.
"At least one of the indicators of compromise (IOCs) observed by Symantec was used in an attack against an IT service provider operating in multiple Asian countries, while others appear to be in pre-deployment or testing stages," reads the advisory.
According to the security experts, Webworm has links to a hacking group known as Space Pirates, whose activities were documented earlier this year by Positive Technologies.
"Active since at least 2017, Webworm has been known to target government agencies and enterprises involved in IT services, aerospace, and electric power industries located in Russia, Georgia, Mongolia, and a number of other Asian countries," wrote Symantec.
"Earlier research on the group's activity found that it uses custom loaders hidden behind decoy documents and modified backdoors which have been around for quite some time. This corresponds with recent Webworm activity observed by Symantec."
At the same time, the frequent use of these types of tools and the exchange of tools between groups in Asia can potentially obscure the traces of distinct threat groups, Symantec explained.
"[This] is likely one of the reasons why this approach is adopted, another being cost, as developing sophisticated malware can be expensive in terms of both time and money."