
Webworm hackers modify old malware in new attacks to evade attribution
2022-09-15 10:00

The Chinese 'Webworm' hacking group is experimenting with customizing old malware in new attacks, likely to evade attribution and reduce operations costs.

Using older RATs that are in wide circulation and deployed by many unrelated threat actors helps Webworm disguise its operations and blend in with the activity of others, making the work of security analysts much harder.

The first old malware used in new Webworm operations is Trochilus RAT, which first appeared in the wild in 2015 and is now freely available on GitHub.

Webworm added more robust encryption to 9002 RAT's communication protocol to help it evade detection by modern traffic analysis tools.

A Positive Technologies report from May 2022 named the modified malware 'Deed RAT' and attributed it to a Chinese group it calls 'Space Pirates,' which Symantec says is most likely the same group as Webworm.

One of the new features of Deed RAT, which is essentially a modified version of Gh0st RAT, is a versatile C2 communication system supporting multiple protocols, including TCP, TLS, HTTP, HTTPS, UDP, and DNS. Even if Space Pirates and Webworm are distinct groups, Chinese actors are known to share malware to obscure their tracks and cut development costs.

News URL

https://www.bleepingcomputer.com/news/security/webworm-hackers-modify-old-malware-in-new-attacks-to-evade-attribution/