BleepingComputer reports that old remote access trojans are being modified by Chinese hacking group Webworm in new cyberattacks against Asian IT service providers.
Older and widely available RATs are likely being used by Webworm to curb operating costs and to better evade detection by security tools, a report from Symantec found. Webworm initially repurposed Trochilus RAT, which first emerged in 2015 and was available on GitHub, to include configuration loading through a set of hardcoded directories.
The widely used 9002 RAT has also been tested by the Chinese threat group, which has strengthened the malware's communication protocol encryption in a bid to better bypass modern traffic analysis tools. The report also showed Webworm testing Gh0st RAT, which has been used by several APTs in different cyberespionage campaigns since its emergence in 2008.
Symantec researchers noted that Webworm may be the same as Space Pirates, the name Positive Technologies gave to the group behind the modified Gh0st RAT known as 'Deed RAT.'
Blind Eagle's attacks commence with the distribution of phishing emails spoofing Colombia's tax authority, luring recipients into clicking embedded links that redirect to a ZIP archive hosted in a Google Drive folder, which facilitates BlotchyQuasar execution.
Attackers leveraged a malicious DLL loaded from the Microsoft Word app to retrieve, via the open-source remote desktop and remote admin software UltraVNC, a launcher that would facilitate injection of the CXCLNT malware and the CLTEND remote access tool.
Intrusions leveraging the vulnerability have facilitated the distribution of not only the GOREVERSE reverse proxy server but also the Condi malware, the Mirai botnet variant Jenx, and four other cryptocurrency mining payloads.