The Chinese threat group known as “Webworm” has been seen experimenting with customizing old malware for use in new attacks. This is most likely an attempt to evade attribution and reduce operational costs, since reworking existing malware payloads costs significantly less time and money than creating new ones from scratch.
The first old malware repurposed by Webworm is Trochilus RAT, a Remote Access Trojan that first appeared in 2015 and whose source code is available on GitHub. Webworm modified Trochilus RAT so that its configuration can be loaded from a file, which the malware looks for in a set of hardcoded directories. The second is 9002 RAT, a malware family popular with state-sponsored actors that was first discovered in 2009. One notable feature of 9002 RAT is its ability to inject directly into memory and remain off disk, making it harder to detect. Webworm built on this by adding more robust encryption to its command-and-control (C2) protocol, improving its ability to evade traffic-analysis controls. The final repurposed malware is Gh0st RAT, whose source code was released in 2008 but which is still used by threat groups worldwide. The original version of Gh0st RAT already included advanced features such as heavy obfuscation, UAC bypass, shellcode unpacking, and in-memory injection. Webworm’s updated version adds a versatile C2 communication system supporting multiple protocols, including TCP, TLS, UDP, HTTP, HTTPS, and DNS.
The use of older, publicly available malware tools underlines Webworm’s desire both to obscure attribution and to reduce the cost of its operations. By modifying these tools only slightly, the group saves the time and money of developing a new payload while still fielding one that has a low detection rate among security controls.
The use of older, publicly available malware tools presents a particular situation for defenders. Because these tools are well known and open source, security controls should already have signatures to detect and prevent their execution; in practice, however, not every control does, especially once the payload has been modified. This underscores the importance of behavior-based detection over signatures. Behaviors are malware-family agnostic, so a control that looks for them can detect malware exhibiting those behaviors regardless of its age or sophistication. For this reason, it is highly recommended to deploy and maintain advanced endpoint security controls, such as EDRs, that evaluate behavior when determining whether a process or file is malicious. Likewise, where prevention within these tools is not possible, it is important to maintain appropriate detective capabilities to find and alert on malicious behavior. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with any such detection needs.