The Chinese threat group known as “Webworm” has been seen experimenting with customized versions of old malware in new attacks. This is most likely an attempt to evade attribution and reduce operational costs, as reworking an existing malware payload costs significantly less time and money than building a new one from scratch.
The first old malware repurposed by Webworm is Trochilus RAT, a Remote Access Trojan that first appeared in 2015 and whose source code is available on GitHub. Webworm modified Trochilus RAT so that its configuration can be loaded from a file, which the malware looks for in a set of hardcoded directories.

The second is 9002 RAT, a malware family popular with state-sponsored actors that was first discovered in 2009. One notable feature of 9002 RAT is its ability to inject directly into memory and stay off disk, making it harder to detect. Webworm strengthened this evasive behavior by adding more robust encryption to its communication protocol, improving its evasion of traffic-analysis controls.

The final repurposed malware is Gh0st RAT, whose source code was released in 2008 but which is still used by threat groups worldwide. The original Gh0st RAT already included advanced features such as heavy obfuscation, UAC bypass, shellcode unpacking, and in-memory injection. Webworm's version adds a versatile C2 communication system supporting multiple protocols, including TCP, TLS, UDP, HTTP, HTTPS, and DNS.
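Stronger C2 encryption and multi-protocol transports, as described above, defeat content inspection, so defenders typically fall back on properties the implant cannot easily hide: the regularity of its check-ins and the randomness of its traffic. The following is an added example written for this summary, not code from the original report or from any of the tools it describes. It runs two such heuristics over constructed flow records (a periodic-beacon check on connection timing and a Shannon-entropy check on request bodies sent over ports where a readable protocol is expected); the record layout, thresholds, and sample IPs are assumptions for the sake of the demonstration.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Readable protocols usually score 4-6;
    encrypted or compressed bodies approach the maximum of 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between connections.
    Human-driven traffic is bursty; an implant on a timer has near-constant
    gaps, so a low value suggests beaconing. None when too few samples."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def flag_suspicious_flows(flows, entropy_threshold=7.0, cv_threshold=0.2,
                          plaintext_ports=(80, 53)):
    """Group flows by (src, dst, dport) and return {group: [reasons]} for
    groups that beacon on a regular timer and/or send high-entropy bodies
    on a port where the protocol is normally readable."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f)

    findings = {}
    for key, group in groups.items():
        reasons = []
        cv = interval_cv(f["ts"] for f in group)
        if cv is not None and cv < cv_threshold:
            reasons.append(f"periodic beacon (cv={cv:.2f}, n={len(group)})")
        if key[2] in plaintext_ports:
            high = [f for f in group
                    if shannon_entropy(f["payload"]) >= entropy_threshold]
            if high:
                reasons.append(f"{len(high)}/{len(group)} high-entropy "
                               f"payloads on port {key[2]}")
        if reasons:
            findings[key] = reasons
    return findings


# Constructed sample data (not real telemetry): one host checking in every
# ~60 s with opaque bodies over port 80, and one host browsing normally.
ENCRYPTED_BODY = bytes(range(256)) * 4   # every byte value equally often: 8.0 bits/byte
HTTP_BODY = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
             b"Accept: text/html\r\n\r\n")

SAMPLE_FLOWS = [
    {"ts": t, "src": "10.0.0.7", "dst": "203.0.113.9", "dport": 80,
     "payload": ENCRYPTED_BODY}
    for t in (0, 60, 121, 180, 241)
] + [
    {"ts": t, "src": "10.0.0.8", "dst": "192.0.2.20", "dport": 80,
     "payload": HTTP_BODY}
    for t in (0, 5, 300, 320, 900)
]

if __name__ == "__main__":
    for group, reasons in flag_suspicious_flows(SAMPLE_FLOWS).items():
        print(group, "->", "; ".join(reasons))
```

Both heuristics produce false positives on their own (software updaters beacon on timers; legitimate TLS on port 443 is high-entropy, which is why that port is not in the plaintext list), so in practice they are used to rank hosts for analyst review rather than to block traffic outright.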
The use of older, publicly available malware tools highlights Webworm’s desire both to obscure attribution and to reduce the cost of its operations. By making only modest changes to these tools, the group saves the time and money of developing a new payload while still fielding one that has a low detection rate among security controls.