"Webworm Hackers Modify Old Malware in New Attacks to Evade Attribution"

The Chinese 'Webworm' hacking group is experimenting with repurposing old malware in new attacks, most likely to avoid attribution and cut operational costs. Webworm is a cyberespionage cluster that has been active since at least 2017 and has previously been linked to attacks on IT firms, aerospace companies, and power providers in Russia, Georgia, and Mongolia. According to a report from Symantec, the group is currently testing several modified Remote Access Trojans (RATs) against IT service providers in Asia to determine their effectiveness.

The RATs Webworm is now using are largely forgotten tools whose source code has been circulating for many years. Even so, security tools still struggle to detect the modified builds because of the evasion, obfuscation, and anti-analysis techniques added to them. Using older RATs that are widely distributed and deployed by unrelated actors also helps Webworm disguise its operations and blend in with the activity of others, which complicates attribution.

Trochilus RAT, which first appeared in the wild in 2015 and is now freely available on GitHub, is the first old malware observed in the new Webworm operations. Webworm's modified version can load its configuration from a file, which it looks for in a set of hardcoded directories. The second tested strain is 9002 RAT, which was popular among state-sponsored actors in the previous decade because of its ability to inject into memory and run stealthily. Webworm strengthened the encryption of 9002 RAT's communication protocol to help it sidestep detection by modern traffic analysis tools. This article continues to discuss Webworm hackers' modification of old malware in new attacks to evade attribution and lower operational costs.

Bleeping Computer reports "Webworm Hackers Modify Old Malware in New Attacks to Evade Attribution"