Hackers are reviving a long-forgotten malware to help evade detection

Webworm is reviving a 14 year-old malware

A known Chinese threat actor is recycling old malware, in an attempt to evade detection, cut down on costs, and send researchers on a wild goose chase.

A report from Symantec says the group, known as Webworm, has used at least three ancient malware variants (and by “ancient”, we mean from 2008 - 2017), modified them a little bit, and then tested them out against IT service providers in Asia to see how they work.

Given the malware’s age, it sometimes manages to fly under antivirus solutions’ radars, Symantec added.

Stealthy RATs

The first one is called Trochilus RAT, in circulation since at least 2015, and freely available on GitHub.

It was first discovered attacking people visiting a Myanmar website. Webworm tweaked it so that it can load its configuration from a file by checking a set of hardcoded directories. It was also said to have the ability to move laterally across endpoints in the target network, for better access. The second one is 9002 RAT, a stealthy remote access trojan that has now been given stronger encryption for its communication protocol, making it even more difficult to detect.

Finally, the third is called Gh0st RAT, a 14-year-old trojan that now comes with “several layers of obfuscation, UAC bypassing, shellcode unpacking, and in-memory launch”.

While it’s difficult to know exactly which threat actor is behind Webworm’s revival, Symantec seems to believe it’s the same group as Space Pirates - a Chinese threat actor discovered by Positive Technologies in May this year. Back then, Positive Technologies analyzed Gh0st RAT and named it Deed RAT.

In any case, Webworm is a known cybercriminal group that’s been in operation since at least 2017. In the past, the group has been linked with various attacks on IT firms, aerospace organizations, as well as electrical energy providers in Russia, Georgia, and Mongolia.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.