Webworm Hackers Use Modified RATs in Latest Cyber Espionage Attacks

A threat actor tracked as Webworm is using modified versions of older remote access trojans (RATs) in cyber espionage attacks, according to Symantec's Threat Hunter team.

The group is developing customized Windows-based trojans, some of which appear to still be in a pre-deployment or testing phase.

In a report shared with The Hacker News, Symantec's Threat Hunter team described modified versions of three RATs: Trochilus RAT, Gh0st RAT, and 9002 RAT.

Symantec said at least one of the indicators of compromise (IOCs) it identified was used in an attack against an IT service provider operating in multiple Asian countries.

The three RATs are primarily used by Chinese threat actors, including the groups tracked as Stone Panda, Aurora Panda, and Emissary Panda, although other hacking groups have used them as well.

Webworm operates in a similar manner to Space Pirates, a group previously found targeting entities in the Russian aerospace industry, but Webworm relies on its own modified versions of the malware.

Shared use of these modular RATs has been tied to activity from several Chinese actors, tracked as Space Pirates, Wicked Panda, Mustang Panda, Dagger Panda, and Colorful Panda.

Space Pirates' wider arsenal includes Zupdax, Deed RAT, a modified Gh0st RAT known as BH_A006, and MyKLoadClient.

Webworm recently penetrated the networks of government agencies and enterprises in the IT services, aerospace, and electric power sectors in Russia, Mongolia, and Georgia.

The attackers use a dropper designed to launch modified versions of the Trochilus, Gh0st, and 9002 remote access trojans; the modifications are likely intended to evade detection by security products.

Because Webworm's malware code overlaps with tooling previously attributed to Space Pirates, the researchers conclude that the two are likely the same threat actor.

Attribution in this region is difficult because the same hacking tools are shared among many different actors.
