A report from Broadcom Software's Symantec found that a cyber-attacker group tracked as 'Webworm' is experimenting with customized versions of older remote access Trojans (RATs), namely Trochilus RAT, Gh0st RAT, and 9002 RAT, to launch new attacks. Symantec links Webworm's activity to a group previously reported under the name Space Pirates.
The older RATs
The original malware families were reported in attacks between 2008 and 2018, including cyber-espionage campaigns. The researchers noted that the tools and techniques used by Webworm overlap with those of the hacking group Space Pirates. Attacks attributed to Space Pirates targeted government agencies, IT service providers, and the aerospace and electric power industries in countries including Georgia, Mongolia, Russia, and several other Asian countries.
Experts suggest that reusing older malware may help attackers stay undetected to some extent and reduces the cost and time of developing new tools. It can also complicate attribution, since widely shared tooling cannot easily be tied to a single group.
Looking at the remodelled RATs
According to the report, Webworm used modified versions of Trochilus RAT, 9002 RAT, and Gh0st RAT. The droppers observed in the attacks matched those seen delivering both the modified and the original versions of the RATs. The modifications were aimed at evading detection: for example, Webworm's 9002 RAT variant changed the malware's command-and-control communication protocol, including the encryption it uses, so that signatures written for the original traffic no longer match.
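The evasion effect described above can be shown with a small constructed example. The code below is an added illustration, not code from Symantec's report or from any Webworm sample; the page does not describe the actual protocol changes, so a single-byte XOR encoding of a beacon stands in for the real encryption layer, and the beacon text, keys and signature are all constructed. It shows why a static byte signature taken from the original RAT's traffic fails once the encoding changes, and how a key-independent check that relies on the unchanged beacon structure (known-plaintext recovery of the XOR key) still catches both variants.

```python
"""Constructed demo: static traffic signatures vs. a structure-based check.

Nothing here reflects real Webworm/9002 RAT protocol details; the beacon
format, XOR keys and signature are invented for illustration only.
"""

# Constructed beacon plaintext that the (toy) RAT sends to its C2 server.
BEACON_PLAINTEXT = b"BEACON|host=WS01|user=alice|ver=1.0"

# Constructed keys: one for the "original" RAT build, one for a modified build
# that changed only the encryption layer of its C2 protocol.
LEGACY_XOR_KEY = 0x5A
MODIFIED_XOR_KEY = 0xC3

# The part of the beacon that stays constant across builds. A detection that
# keys on this structure rather than on raw encoded bytes survives a key change.
KNOWN_PREFIX = b"BEACON|"


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR 'encryption' standing in for the RAT's real scheme."""
    return bytes(b ^ key for b in data)


def signature_match(payload: bytes, signature: bytes) -> bool:
    """Static byte-pattern match, the way a simple IDS rule would work."""
    return signature in payload


def recover_single_byte_xor(payload: bytes, known_prefix: bytes = KNOWN_PREFIX):
    """Known-plaintext attack on a single-byte XOR stream.

    Derives the only key candidate from the first byte, then verifies that the
    decoded payload really starts with the expected prefix and is printable
    ASCII. Returns the key (int) on success, or None if the payload does not
    decode to a plausible beacon.
    """
    if len(payload) < len(known_prefix):
        return None
    key = payload[0] ^ known_prefix[0]
    decoded = xor_encode(payload, key)
    if not decoded.startswith(known_prefix):
        return None
    if not all(0x20 <= b <= 0x7E for b in decoded):
        return None
    return key


def classify(payload: bytes, legacy_signature: bytes) -> dict:
    """Run both detections over one captured payload and report the verdicts."""
    key = recover_single_byte_xor(payload)
    return {
        "static_signature_hit": signature_match(payload, legacy_signature),
        "structural_hit": key is not None,
        "recovered_key": key,
    }


# Constructed "captured traffic" from the original and the modified build.
LEGACY_BEACON = xor_encode(BEACON_PLAINTEXT, LEGACY_XOR_KEY)
MODIFIED_BEACON = xor_encode(BEACON_PLAINTEXT, MODIFIED_XOR_KEY)

# A static signature an analyst might have written from the original build:
# the first eight encoded bytes of its beacon.
LEGACY_SIGNATURE = LEGACY_BEACON[:8]


if __name__ == "__main__":
    for name, payload in (("legacy", LEGACY_BEACON), ("modified", MODIFIED_BEACON)):
        print(name, classify(payload, LEGACY_SIGNATURE))
```

The static rule fires only on the build it was written from; the structural check recovers the key for both builds because the beacon layout underneath the new encoding did not change. That is the practical lesson behind the report's observation: when an actor reuses an old RAT but swaps its protocol encryption, detections pinned to the old wire bytes go stale, while detections built on the unchanged behaviour or message structure keep working.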
Trochilus RAT was first detected in 2015 and its source code is available on GitHub, a code hosting platform. Used in multiple cyber-attacks by several groups, Trochilus RAT can remotely uninstall itself, provides a file manager, and can download, upload, and execute files.
9002 RAT has reportedly been in use by state-sponsored attackers since 2009 and is known for its ability to exfiltrate large amounts of data. The overlap between the current samples and these earlier families is part of what led Symantec to connect Webworm's activity with the RATs used in previous attacks.
Gh0st RAT has been used by advanced persistent threat (APT) groups since 2008, most notably in the cyber-espionage operation known as GhostNet.