A threat actor tracked under the moniker Webworm is taking advantage of bespoke variants of already existing Windows-based remote access trojans to fly under the radar, some of which are said to be in pre-deployment or testing phases.
“The group has developed customized versions of three older remote access trojans (RATs), including Trochilus RAT, Gh0st RAT, and 9002 RAT,” the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News.
The cybersecurity firm said at least one of the indicators of compromise (IOCs) was used in an attack against an IT service provider operating in multiple Asian countries.
It’s worth pointing out that all the three backdoors are primarily associated with Chinese threat actors such as Stone Panda (APT10), Aurora Panda (APT17), Emissary Panda (APT27), and Judgement Panda (APT31), among others, although they have been put to use by other hacking groups.
Symantec said the Webworm threat actor exhibits tactical overlaps with another new adversarial collective documented by Positive Technologies earlier this May as Space Pirates, which was found striking entities in the Russian aerospace industry with novel malware.
images from Hacker News