Webworm Hackers Using Modified RATs in Latest Cyber Espionage Attacks

By | 16/09/2022

Symantec, by Broadcom Software, has gained insight into the current activities of a group we phone call Webworm. The group has developed customized versions of 3 older remote access Trojans (RATs), including Trochilus, Gh0st RAT, and 9002 RAT. At least ane of the indicators of compromise (IOCs) observed past Symantec was used in an attack against an IT service provider operating in multiple Asian countries, while others appear to exist in pre-deployment or testing stages.


Symantec’s Webworm has links to a group dubbed Infinite Pirates, which was previously documented in a May 2022 study from Positive Technologies. It is likely that the two groups are one and the same.

Active since at least 2017, Webworm has been known to target government agencies and enterprises involved in IT services, aerospace, and electric power industries located in Russia, Georgia, Mongolia, and a number of other Asian countries.

Previous inquiry on the group’s action institute that it uses custom loaders subconscious behind decoy documents and modified backdoors that have been effectually for quite some time. This corresponds with recent Webworm activity observed by Symantec.

Malware used past Webworm includes versions of the following threats:

Trochilus RAT

Showtime spotted back in 2015, Trochilus is a RAT implemented in C++ and its source code is available for download on GitHub. The malware has been used in targeted threat operations past multiple groups and has features that can help it evade sandbox analysis and be useful in cyber-espionage operations. The RAT’s features include, but are not express to, the ability to remotely uninstall a file manager, and the ability to download, upload, and execute files.

Trochilus has been previously linked to malware operations from threat actors likewise using malware such as PlugX and a variant of the 9002 RAT.

9002 RAT

The 9002 RAT appears to have been in utilize since at least 2009 and has historically been used past state-sponsored actors. The malware provides attackers with extensive data exfiltration capabilities. Some variants of 9002 RAT inject into memory and do not write to the deejay, something that also applies to the sample analyzed by Symantec.

The malware has been used in multiple campaigns by a range of actors, including in a hacking functioning targeting several large corporations located in South korea. The RAT was used to deliver boosted malware, including the PlugX RAT, onto compromised machines. It has also been involved in attacks making use of nix-mean solar day exploits.

Gh0st RAT

While the source code for Gh0st RAT was released online in 2008, the malware has continued to exist used by advanced persistent threat (APT) groups.

Gh0st RAT first made headlines back in 2009, when a cyber-espionage grouping called GhostNet used it to target diplomatic, political, economic, and armed forces targets around the world.

Observed Webworm activity

Symantec observed three malware droppers developed by Webworm:

  • 6201c604ac7b6093dc8f6f12a92f40161508af1ddffa171946b876442a66927e (Trochilus dropper)
  • b9a0602661013d973bc978d64b7abb6bed20cf0498d0def3acb164f0d303b646 (Trochilus Dropper)
  • c71e0979336615e67006e20b24baafb19d600db94f93e3bf64181478dfc056a8 (Trochilus Dropper)

Analysis of ane of the droppers revealed that it drops the following files:

  • [TEMP]\Logger.exe (28d78e52420906794e4059a603fa9f22d5d6e4479d91e9046a97318c83998679)
  • [TEMP]\sc.cfg (a618b3041935ec3ece269effba5569b610da212b1aa3968e5645f3e37d478536)
  • [TEMP]\logexts.dat (a6b9975bfe02432e80c7963147c4011a4f7cdb9baaee4ae8d27aaff7dff79c2b)
  • [TEMP]\logexts.dll (a73a4c0aa557241a09e137387537e04ce582c989caa10a6644d4391f00a836ef)
  • [TEMP]\logger.dat (10456bc3b5cfd2f1b1ab9c3833022ef52f5e9733d002ab237bdebad09b125024)
  •  [TEMP]\[RANDOM_DIGITS].doc (d295712185de2e5f8811b0ce7384a04915abdf970ef0f087c294bb00e340afad)

The legitimate executable Logger.exe is used to call the “LoadLibraryA” API in order to load the malicious “[TEMP]\logexts.dll” file.

logexts.dll file is a loader. Once run, it checks the process command-line parameters. If the command-line is the single parameter “isdf”, it attempts to steal a token from the “WINLOGON.EXE” process. Information technology then starts the following procedure by calling the CreateProcessAsUserW API:

C:\ProgramData\Logger\Logger.exe mdkv

Otherwise it constructs the pathname of the second stage based on its own running executable, where information technology replaces the last iii characters with hardcoded “dat” (resulting with “Logger.dat”). And so information technology reads and executes the second stage as shellcode.

The second stage (“Logger.dat”) constructs the pathname of the tertiary stage also based on its own running executable, where it combines the directory role with hardcoded “logexts.dat”. Finally, information technology reads and executes the tertiary stage.

logexts.dat file is obfuscated and includes several User Account Control (UAC) bypasses.

It attempts to copy the previously dropped files to the following new locations:

  • [Temp]\Logger.exe to C:\ProgramData\Logger\Logger.exe
  • [Temp]\Logger.dat to C:\ProgramData\Logger\logger.dat
  • [Temp]\logexts.dll to C:\ProgramData\Logger\logexts.dll
  • [Temp]\logexts.dat to C:\ProgramData\Logger\logexts.dat
  • [Temp]\sc.cfg to C:\ProgramData\Logger\sc.cfg

Then the file unpacks and executes in memory its backdoor payload, a variant of the Trochilus RAT (e69177e58b65dd21e0bbe4f6caf66604f120e0c835f3ee0d16a45858f5fe9d90).

The Trochilus modifications include functionality to load its configuration from a file past checking for any of the post-obit locations (in order of preference):

  • C:\ProgramData\Logger\sc.cfg
  • C:\ProgramData\resmon.resmoncfg
  • C:\ProgramData\appsoft\resmon.resmoncfg

The content of the configuration file is decompressed using the Lempel–Ziv–Welch (LZW) algorithm.

Interestingly, one of the locations described above (“C:\ProgramData\resmon.resmoncfg”) is mentioned in tertiary-political party research detailing previous Space Pirates (Webworm) activity.

The malware and then injects svchost.exe with the ability to:

  • Execute commands
  • Download potentially malicious files

Further investigation by Symantec institute that droppers that share a similar structure to the one used to deploy the version of Trochilus RAT modified by Webworm were likewise used to deploy two boosted modified versions of Gh0st RAT and 9002 RAT. Some code modifications made to the variant of Trochilus RAT were also present in the two additional retooled RATs. The additional RATs included:

Gh0st RAT:

  • 1e725f1fe67d1a596c9677df69ef5b1b2c29903e84d7b08284f0a767aedcc097 (Dropper)
  • b0a58c6c859833eb6fb1c7d8cb0c5875ab42be727996bcc20b17dd8ad0058ffa (Shellcode loader)
  • 1CC32C7F2C90A558BA5FF6BA191E655B20D7C65C10AF0D5D06820A28C2947EFD (Shellcode loader)

9002 RAT:

  • 6e46054aa9fd5992a7398e0feee894d5887e70373ca5987fc56cd4c0d28f26a1 (Dropper)
  • 37fa5108db1ae73475911a5558fba423ef6eee2cf3132e35d3918b9073aeecc1 (Packed backdoor)

Changes made by Webworm to this version of 9002 RAT are plain intended to evade detection. For example, the details of the RAT’south communication protocol, such as encryption, have also been modified by the threat actors.

Gh0st RAT (BH_A006) was documented in third-party research detailing previous Webworm (Space Pirates) activity. In that research, the version of Gh0st RAT included features such every bit layers of obfuscation to bypass security protections and hinder analysis, network service creation, UAC bypassing, and shellcode unpacking and launching in the memory. Some of these features were also present in the version of the RAT beingness prepared past Webworm.


Webworm’s use of customized versions of older, and in some cases open-source, malware, equally well as code overlaps with the group known as Space Pirates, suggest that they may be the aforementioned threat grouping. However, the common use of these types of tools and the exchange of tools between groups in this region tin obscure the traces of singled-out threat groups, which is likely one of the reasons why this approach is adopted, another beingness cost, every bit developing sophisticated malware tin be expensive in terms of both money and fourth dimension.


For the latest protection updates, delight visit the Symantec Protection Message.


c71e0979336615e67006e20b24baafb19d600db94f93e3bf64181478dfc056a8 – Trochilus dropper

28d78e52420906794e4059a603fa9f22d5d6e4479d91e9046a97318c83998679 – Logger.exe

a6b9975bfe02432e80c7963147c4011a4f7cdb9baaee4ae8d27aaff7dff79c2b – logexts.dat

a73a4c0aa557241a09e137387537e04ce582c989caa10a6644d4391f00a836ef – logexts.dll

10456bc3b5cfd2f1b1ab9c3833022ef52f5e9733d002ab237bdebad09b125024 – logger.dat

d295712185de2e5f8811b0ce7384a04915abdf970ef0f087c294bb00e340afad – [RANDOM_DIGITS].md

e69177e58b65dd21e0bbe4f6caf66604f120e0c835f3ee0d16a45858f5fe9d90 – Trochilus RAT

a618b3041935ec3ece269effba5569b610da212b1aa3968e5645f3e37d478536 – Backstairs configuration

6201c604ac7b6093dc8f6f12a92f40161508af1ddffa171946b876442a66927e – Trochilus dropper

3629d2ce400ce834b1d4b7764a662757a9dc95c1ef56411a7bf38fb5470efa84 – Backstairs configuration

b9a0602661013d973bc978d64b7abb6bed20cf0498d0def3acb164f0d303b646 – Trochilus dropper

824100a64c64f711b481a6f0e25812332cc70a13c98357dd26fb556683f8a7c7 – Packed backdoor

Almost the Author

Threat Hunter Team


The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.

Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats