BleepingComputer reports that old remote access trojans are being modified by Chinese hacking group Webworm in new cyberattacks against Asian IT service providers.
Webworm is likely using older, widely available RATs to curb operating costs and to better evade detection by security tools, a report from Symantec found. Webworm initially repurposed Trochilus RAT, which first emerged in 2015 and was available on GitHub, to include configuration loading through a set of hardcoded directories.
The widely used 9002 RAT has also been tested by the Chinese threat group, which has bolstered the encryption of the malware's communication protocol in a bid to better bypass modern traffic analysis tools. The report also showed Webworm testing Gh0st RAT, which has been used by several APTs in different cyberespionage campaigns since its emergence in 2008.
Symantec researchers noted that Webworm may be the same as Space Pirates, which Positive Technologies named as the group behind the modified Gh0st RAT called 'Deed RAT.'
Numerous telecommunications, industrial, healthcare, technology, insurance, and manufacturing organizations in North America and Europe have been targeted in a new supply chain attack leveraging a trojanized version of the Comm100 Live Chat installer by Canadian customer engagement software firm Comm100, according to SecurityWeek.