Webworm retools old RATs for new cyberespionage threat

Symantec's Threat Hunter Team uncovered a new cyberespionage campaign run by a threat group named Webworm, which uses customized versions of old remote access Trojans.

Cyberespionage hackers are recycling remote access Trojans, some more than a decade old, for a new set of attacks.

Researchers with Symantec's Threat Hunter Team reported Thursday that a threat group known as Webworm has been making modifications to three known RATs and using them to successfully evade detection on victim networks.

"At least one of the indicators of compromise (IOCs) observed by Symantec was used in an attack against an IT service provider operating in multiple Asian countries, while others appear to be in pre-deployment or testing stages," Symantec's blog post said.

The retooled malware includes Trochilus RAT, which was first detected in 2015, and Gh0st RAT, which was first introduced in 2008 by GhostNet, an infamous state-sponsored threat group that some experts connected to China. A third malware, known as 9002 RAT, was first observed in 2009 and was used in attacks against South Korean enterprises in 2018.

In each case, the malware itself has been modified to varying degrees. In some cases, the malware was given new ways to access networks or dial back to its controllers; in others, the code was tweaked just enough to change the malware's signature.

"We saw both," Symantec Threat Hunter principal intelligence analyst Dick O'Brien told TechTarget Editorial. "In some cases, modifications seemed to be a bid to evade detection, but in others it was to enhance the functionality of the RAT."

According to the Threat Hunter Team, this affinity for older hacking tools is not a new development for Webworm. The threat group, which has been in operation since 2017, often takes older malware tools and customizes them in-house, mixing custom and off-the-shelf malware for its cyberespionage activity.

Less clear is exactly what Webworm is targeting with its hacking activity. Symantec researchers believe the group shares some code with a hacking group named Space Pirates that was first identified by security vendor Positive Technologies earlier this year. Positive Technologies reported the group was conducting cyberespionage attacks against government agencies as well as energy and aerospace companies in Russia, Georgia and Mongolia.

Positive Technologies researchers said Space Pirates is likely based in Asia, with some of its samples containing Chinese-language notes. No specific country or government could be tied to the group, however.

Webworm, meanwhile, shares not only some code with Space Pirates but also locational preferences for targets. The Threat Hunter Team said that some of its samples were collected from companies in Asia, while others were in testing stages.

"We don't have enough information to make an attribution at the moment," O'Brien said of the two groups. "[Positive Technologies] found links to financially motivated attacks, meaning it's quite possible they are contractors for hire."

Symantec published IOCs for the Webworm attacks and updated security products to detect the three revamped RATs. The company said that while Webworm and Space Pirates could potentially be the same operation, such malware is commonly used and exchanged by different threat actors in the region, which makes it difficult to attribute attacks to a specific group.
