Symantec observes Webworm using customized versions of three older RATs (Trochilus, Gh0st RAT, and 9002 RAT) with decoy documents and loaders, in attacks linked to the Space Pirates group and aimed at government and IT/service targets across Asia. The activity involves multi-stage droppers, in-memory backdoors, and modified C2/encryption features, suggesting ongoing espionage operations and evolving tool reuse across campaigns.
Keypoints
- Webworm has developed customized versions of Trochilus RAT, Gh0st RAT, and 9002 RAT, including droppers and loaders, with decoy documents to conceal activity.
- The group is linked to Space Pirates, with active operations since 2017 targeting government agencies and IT/service sectors in Russia, Georgia, Mongolia, and other Asian countries.
- Observed droppers drop multiple files in Temp; the loaders and backdoors then load and execute subsequent stages in memory.
- Malware components include in-memory payloads and loaders (logexts.dll) that perform token theft and then spawn additional processes to run Trochilus backdoors.
- Trochilus modifications can load configuration from specific files and locations, with decryption/decompression (LZW) steps for config data.
- Gh0st RAT and 9002 RAT variants were observed with dropper and shellcode loader components, including changes intended to evade detection and alter communication/encryption.
- Attack campaigns include targeting large Korean corporations and delivering additional malware such as PlugX, including exploitation of zero-day vulnerabilities.
MITRE Techniques
- [T1055] Process Injection – The malware injects into svchost.exe, giving it the ability to execute commands and download potentially malicious files.
- [T1564.001] Masquerading – Custom loaders hidden behind decoy documents to conceal malicious activity.
- [T1027] Obfuscated/Compressed Files and Information – The logexts.dat file is obfuscated and includes several User Account Control (UAC) bypasses.
- [T1548.001] Abuse Elevation Control: Bypass User Account Control – The toolset includes UAC bypass techniques as part of its loader chain.
- [T1105] Ingress Tool Transfer – The RATs are used to deliver additional malware, including PlugX, onto compromised machines.
Indicators of Compromise
- [File hash] Trochilus dropper – 6201c604ac7b6093dc8f6f12a92f40161508af1ddffa171946b876442a66927e
- [File hash] Logger.exe – 28d78e52420906794e4059a603fa9f22d5d6e4479d91e9046a97318c83998679
- [File hash] logexts.dat – a6b9975bfe02432e80c7963147c4011a4f7cdb9baaee4ae8d27aaff7dff79c2b
- [File hash] logexts.dll – a73a4c0aa557241a09e137387537e04ce582c989caa10a6644d4391f00a836ef
- [File hash] logger.dat – 10456bc3b5cfd2f1b1ab9c3833022ef52f5e9733d002ab237bdebad09b125024
- [File hash] [RANDOM_DIGITS].doc – d295712185de2e5f8811b0ce7384a04915abdf970ef0f087c294bb00e340afad
- [File hash] Trochilus RAT – e69177e58b65dd21e0bbe4f6caf66604f120e0c835f3ee0d16a45858f5fe9d90
- [File hash] Backdoor configuration – a618b3041935ec3ece269effba5569b610da212b1aa3968e5645f3e37d478536
- [File path] C:\ProgramData\Logger\Logger.exe – and related copies
- [File path] C:\ProgramData\Logger\logger.dat – and other copied components, including C:\ProgramData\Logger\logexts.dat
- [File path] C:\ProgramData\Logger\logexts.dll – reused across stages
- [File path] C:\ProgramData\Logger\sc.cfg – used as configuration path
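As an added example, not code from Symantec's report, the following Python routine applies the hashes and C:\ProgramData\Logger paths listed above to constructed Sysmon-style file-create (11) and image-load (7) events, and additionally flags the loader chain of Logger.exe mapping logexts.dll. The pipe-separated event format, the sample lines and the zero/one-filled hashes are assumptions made for illustration.

```python
# Indicators from the Webworm report (SHA-256 -> component name).
WEBWORM_HASHES = {
    "6201c604ac7b6093dc8f6f12a92f40161508af1ddffa171946b876442a66927e": "Trochilus dropper",
    "28d78e52420906794e4059a603fa9f22d5d6e4479d91e9046a97318c83998679": "Logger.exe",
    "a6b9975bfe02432e80c7963147c4011a4f7cdb9baaee4ae8d27aaff7dff79c2b": "logexts.dat",
    "a73a4c0aa557241a09e137387537e04ce582c989caa10a6644d4391f00a836ef": "logexts.dll",
    "10456bc3b5cfd2f1b1ab9c3833022ef52f5e9733d002ab237bdebad09b125024": "logger.dat",
    "d295712185de2e5f8811b0ce7384a04915abdf970ef0f087c294bb00e340afad": "[RANDOM_DIGITS].doc",
    "e69177e58b65dd21e0bbe4f6caf66604f120e0c835f3ee0d16a45858f5fe9d90": "Trochilus RAT",
    "a618b3041935ec3ece269effba5569b610da212b1aa3968e5645f3e37d478536": "Backdoor configuration",
}
# Staging directory and component names the report lists under C:\ProgramData\Logger.
WEBWORM_DIR = "c:\\programdata\\logger\\"
WEBWORM_FILES = {"logger.exe", "logger.dat", "logexts.dat", "logexts.dll", "sc.cfg"}

# Constructed sample events: "event_id|process image|file or loaded image|sha256".
# The all-zero and all-one hashes are placeholders for files not in the report.
SAMPLE_LOG = """\
11|C:\\Users\\alice\\AppData\\Local\\Temp\\123456.exe|C:\\ProgramData\\Logger\\Logger.exe|28D78E52420906794E4059A603FA9F22D5D6E4479D91E9046A97318C83998679
11|C:\\Users\\alice\\AppData\\Local\\Temp\\123456.exe|C:\\ProgramData\\Logger\\logexts.dll|a73a4c0aa557241a09e137387537e04ce582c989caa10a6644d4391f00a836ef
7|C:\\ProgramData\\Logger\\Logger.exe|C:\\ProgramData\\Logger\\logexts.dll|a73a4c0aa557241a09e137387537e04ce582c989caa10a6644d4391f00a836ef
11|C:\\ProgramData\\Logger\\Logger.exe|C:\\ProgramData\\Logger\\sc.cfg|0000000000000000000000000000000000000000000000000000000000000000
1|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|1111111111111111111111111111111111111111111111111111111111111111
"""

def parse_event(line):
    event_id, process, path, sha256 = line.strip().split("|", 3)
    # Hashes are compared case-insensitively; sensors differ in casing.
    return {"event": int(event_id), "process": process, "path": path, "sha256": sha256.lower()}

def classify(ev):
    """Return the indicator types an event matches (empty list = no match)."""
    reasons = []
    if ev["sha256"] in WEBWORM_HASHES:
        reasons.append("hash:" + WEBWORM_HASHES[ev["sha256"]])
    low = ev["path"].lower()
    if low.startswith(WEBWORM_DIR) and low[len(WEBWORM_DIR):] in WEBWORM_FILES:
        reasons.append("path:" + low[len(WEBWORM_DIR):])
    # Loader chain: Logger.exe in the staging directory mapping logexts.dll (image-load event).
    if ev["event"] == 7 and ev["process"].lower() == WEBWORM_DIR + "logger.exe" \
            and low.endswith("\\logexts.dll"):
        reasons.append("chain:logger.exe->logexts.dll")
    return reasons

def detect_webworm(log_text):
    """Return (event_id, path, reasons) for every event matching a Webworm indicator."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            reasons = classify(ev)
            if reasons:
                hits.append((ev["event"], ev["path"], reasons))
    return hits
```

A hash-only hit on a renamed copy still fires, and a path-only hit (such as sc.cfg, whose hash the report does not give) catches the staging directory being populated by samples with changed hashes.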
Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats