Hackers are using aging malware to attack government agencies and IT companies in several Asian countries

Hackers connected to the Chinese military are revamping aging malware for espionage attacks against an IT service provider operating in several Asian countries, as well as government agencies and companies in the IT services, aerospace and electric power industries located in Russia, Georgia and Mongolia, according to Symantec researchers.

The company’s cybersecurity experts said they recently observed three custom versions of older remote access Trojans (RATs) – Trochilus, Gh0st RAT and 9002 RAT – used in an attack against an Asian IT service provider.

The group behind the most recent attack is called Webworm, according to Symantec, which found that the group had previously been identified as “Space Pirates” in a May 2022 report by Russian cybersecurity firm Positive Technologies.

The group has been active since at least 2017 and typically uses “custom loaders” hidden behind decoy documents and modified backdoors.

Dick O’Brien, senior intelligence analyst for the Symantec Threat Hunter team, told The Record that it’s interesting to see groups using such a range of payloads in attacks in recent months.

“Before, you might have seen them using one or two main tools, but now it can be a whole range of malware, often with similar functionality,” O’Brien said. “This suggests that attackers are trying to keep their options open and have a fallback at hand lest a tool be detected. This, combined with the fact that we find evidence of constant tweaking and testing, suggests that attackers have a harder time getting their malware onto targeted networks undetected.”

The Trochilus RAT was first used in 2015 by several groups as a means to evade detection and was previously linked to the operations of malicious actors also using malware such as PlugX – a tool used by a wide range of hacking groups connected to the Chinese government.

9002 RAT has been around since 2009 and was historically used by state-sponsored actors, providing attackers with extensive data exfiltration capabilities.

“The malware was used in multiple campaigns by various actors, including in a hacking operation targeting several large companies located in South Korea. The RAT was used to spread additional malware, including the PlugX RAT, on compromised machines,” the researchers said.

“It has also been implicated in attacks using zero-day exploits.”

The Gh0st RAT is similarly old, having first appeared around 2008. It has been used by a range of Advanced Persistent Threat (APT) groups in attacks on diplomatic, political, economic and military targets around the world.

In the latest campaign, code changes have been made to each, with a focus on avoiding detection.

Part of what makes attribution difficult in this case is that multiple groups across Asia intentionally exchange tools in order to cover the tracks of separate threat groups, the researchers said.

Webworm’s use of custom versions of old, and in some cases open-source, malware and code is also likely cost-related, as developing sophisticated malware is expensive in both money and time.

Jonathan has worked around the world as a journalist since 2014. Before returning to New York, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
