BleepingComputer reports that old remote access trojans are being modified by Chinese hacking group Webworm in new cyberattacks against Asian IT service providers.
Older and widely available RATs are likely being used by Webworm in an effort to curb operating costs, as well as to better evade detection by security tools, a report from Symantec found. Webworm initially repurposed Trochilus RAT, which first emerged in 2015 and could be obtained from GitHub, to include configuration loading through a set of hardcoded directories.
The widely used 9002 RAT has also been tested by the Chinese threat group, which has bolstered the encryption of the malware's communication protocol in a bid to better bypass modern traffic analysis tools. The report also showed Webworm testing Gh0st RAT, which has been used by several APTs in different cyberespionage campaigns since its emergence in 2008.
Symantec researchers noted that Webworm may be the same as Space Pirates, which was dubbed by Positive Technologies as the group behind the modified Gh0st RAT named 'Deed RAT.'
BleepingComputer reports that users of several U.S. financial institutions and numerous cryptocurrency apps are the main targets of an expanded Xenomorph malware campaign, which leverages an updated version of the Android banking trojan and has also set its sights on users in Canada, Italy, Spain, Belgium, and Portugal.