Hackers use aging malware to attack government agencies, IT firms in multiple Asian countries

Hackers connected to the Chinese military are trying to revamp aging malware in espionage attacks on an IT service provider operating in multiple Asian countries as well as government agencies and enterprises involved in IT services, aerospace, and electric power industries located in Russia, Georgia, Mongolia, according to researchers from Symantec.

Cybersecurity experts from the company said they recently observed three customized versions of older remote access Trojans (RATs) — Trochilus, Gh0st RAT, and 9002 RAT — used in an attack on an Asian IT service provider. 

The group behind the most recent attack is called Webworm, according to Symantec, which found that the group was previously referred to as “Space Pirates” in a May 2022 report from Russian cybersecurity firm Positive Technologies.

The group has been active since at least 2017 and typically uses “custom loaders” hidden behind decoy documents and modified backdoors.

Dick O’Brien, principal intelligence analyst for the Symantec Threat Hunter team, explained to The Record that it is interesting to see groups using such a wide range of payloads during attacks in recent months. 

“Previously you may have seen them use just one or two main tools, but now it can be a whole array of malware, often with similar functionality,” O’Brien said. “It suggests that attackers are trying to keep their options open and have a fallback at hand lest one tool is detected. That, combined with the fact that we're finding evidence of constant tweaking and testing, suggests that attackers have a harder time getting their malware onto targeted networks without being detected.”

The Trochilus RAT was first used in 2015 by multiple groups as a way to evade detection and was previously linked to operations from threat actors also using malware such as PlugX — a tool used by a wide-range of Chinese government-connected hacking groups. 

9002 RAT has existed since 2009 and was historically used by state-sponsored actors, providing attackers with extensive data exfiltration capabilities.

“The malware has been used in multiple campaigns by a range of actors, including in a hacking operation targeting several large corporations located in South Korea. The RAT was used to deliver additional malware, including the PlugX RAT, onto compromised machines,” the researchers said. 

“It has also been involved in attacks making use of zero-day exploits.”

The Gh0st RAT is similarly old, with its first debut taking place around 2008. It has been used by a range of advanced persistent threat (APT) groups in attacks on diplomatic, political, economic, and military targets around the world.

In the latest campaign, code modifications were made to each, with a focus on evading detection.  

Part of what makes attribution difficult in this case is that several groups across Asia exchange tools intentionally as a way to obscure the traces of distinct threat groups, the researchers said. 

Webworm’s use of customized versions of older, and in some cases open-source, malware, as well as code is also likely related to cost, as developing sophisticated malware can be expensive in terms of both money and time.