cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Modified RATs leveraged in Webworm hackers’ cyber espionage attacks

The Webworm threat actors have been linked to Windows-based remote access Trojans, including those allegedly in pre-deployment or testing phases.

user iconReporter
Fri, 16 Sep 2022
Modified RATs leveraged in Webworm hackers’ cyber espionage attacks
expand image

According to the Symantec Threat Hunter Team, the group has developed customised versions of three older remote access trojans (RATs), including Trochilus RAT, Gh0st RAT, and 9002 RAT.

Symantec identified at least one of the indicators of compromise was used in an attack against an IT service provider operating in multiple Asian countries.

It's worth pointing out that all the three backdoors are primarily associated with Chinese threat actors such as Stone Panda (APT10), Aurora Panda (APT17), Emissary Panda (APT27), and Judgement Panda (APT31), among others, although they have been put to use by other hacking groups.


The Webworm threat actors exhibited tactical overlaps with another new adversarial collective documented by Positive Technologies earlier this May as Space Pirates, which was found striking entities in the Russian aerospace industry with novel malware.

Space Pirates intersected with previously identified Chinese espionage activity known as Wicked Panda (APT41), Mustang Panda, Dagger Panda (RedFoxtrot), Colorful Panda (TA428), and Night Dragon, owing to the shared usage of post-exploitation modular RATs such as PlugX and ShadowPad.

"Webworm's use of customised versions of older, and in some cases open source, malware, as well as code overlaps with the group known as Space Pirates, suggest that they may be the same threat group," the Symantec researchers said.

Other tools in the threat actors' malware arsenal include Zupdax, Deed RAT, a modified version of Gh0st RAT known as BH_A006, and MyKLoadClient.

Webworm has a track record of striking government agencies and enterprises involved in IT services, aerospace, and electric power industries located in Russia, Georgia, Mongolia, and several other Asian nations.

Attack chains involve the use of dropper malware that harbours a loader designed to launch modified versions of Trochilus, Gh0st, and 9002 remote access Trojans.

Symantec noted initial access is achieved via social engineering with decoy documents with most of the changes intended to evade detection.

"The common use of these types of tools and the exchange of tools between groups in this region can obscure the traces of distinct threat groups, which is likely one of the reasons why this approach is adopted, another being cost, as developing sophisticated malware can be expensive in terms of both money and time."

[Related: Cloud security tops business concerns for Aussie IT leaders]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.