Symantec identifies the threat group “Webworm,” which is using three old remote access Trojans to target government agencies and the IT, aerospace, and electric industries.
Webworm uses old RATs to target governments and enterprises.
The Symantec Threat Hunter Team, part of Broadcom Software, has released a report detailing the activities of a group they’re calling Webworm. Webworm uses three older remote access Trojans (RATs): Trochilus, Gh0st RAT, and 9002 RAT. Webworm is probably connected to the group known as Space Pirates and may even be the same group. The group has been active since 2017 and has been seen targeting government agencies, as well as enterprises in industries such as IT services, aerospace, and electric power, with a focus on Russia, Georgia, Mongolia, and other Asian countries. Symantec researchers identified an indicator of compromise (IOC) while observing an operation targeting an IT provider that serves multiple Asian countries. Prior research had determined that the threat actor uses “custom loaders hidden behind decoy documents and modified backdoors that have been around for quite some time,” which Symantec says is consistent with what they’ve been seeing.
The Trochilus RAT is implemented in C++ and has been observed in use by hackers since 2015, with its source code available on GitHub. Symantec says the Trojan’s capabilities include “the ability to remotely uninstall a file manager, and the ability to download, upload, and execute files,” among other things. The 9002 RAT has been around since at least 2009 and is frequently used by state-sponsored threat actors. It is used for data exfiltration and has been seen in the hands of a multitude of threat actors. The Gh0st RAT’s source code has been around since 2008 and has seen continued use by advanced persistent threat (APT) groups.