Cyber Intelligence Report
Executive Summary
In 2017, a new cyber threat actor called Webworm began targeting government networks in Asia with customized malware. To date, the group has attacked networks in Russia, Mongolia, and several other countries in the region. The industries targeted include energy, IT services, and aerospace. Webworm's ultimate goal is to take control of networks, steal information, or gain access to computers. This is a significant problem for the affected countries because it exposes them to potentially malicious software. One possible solution is for these countries to rethink their use of vulnerable Windows-based systems and move to more secure operating systems. This would help to mitigate the risk posed by Webworm and other cyber threat actors.
Actor
Webworm is a threat actor that has been active since 2017, particularly in Asian countries.
Targets
Webworm has primarily targeted Asian governments, agencies and industries, ranging from IT services to aerospace and electric power plants, in countries from Russia to Mongolia. According to Broadcom Software, Webworm is using Windows-based remote access Trojans to compromise IT service providers.
Intentions
The intentions of the group are unclear, but the actions speak for themselves. Remote access trojans (RATs) are a type of malware that allows attackers to gain control of a victim’s computer. RATs can be used to steal sensitive information, install other malicious software, or even hijack the victim's webcam. Although RATs are often used by cybercriminals, they can also be employed by government agencies and other entities for surveillance and other purposes. Because of the significant risks posed by RATs, it is important for users to be aware of the dangers they pose and take steps to protect themselves from these threats.
Tools/Malware
The cyber threat actor tends to use dropper malware, which employs a loader that launches remote access Trojans that can then be used to take over targeted networks. Webworm will gain access by using decoy documents to avoid being detected. The actions of Webworm appear similar to those of Space Pirates, another cyber threat group, which has suggested to some that the two groups are really the same. The attacker uses a customized form of older malware versions, such as Trochilus and Gh0st. This makes it easier for the group to hide its tracks as well.
Trochilus is a RAT that was first discovered in 2013. It is notable for its ability to automatically update itself, making it difficult to detect and remove. Gh0st is another type of RAT that has been around for much longer; it was first discovered in 2006. Gh0st is often used by attackers to establish a persistent presence on a victim's system, as it can re-infect a system even after it has been removed.
Another variant used by Webworm is the 9002 RAT, a particularly dangerous RAT that has been used in a number of high-profile attacks. The 9002 RAT is difficult to detect and remove, and it allows attackers to gain full control of the victim's device. As a result, victims of the 9002 RAT can be left vulnerable to a range of malicious activity.
Both Trochilus and Gh0st are dangerous types of RATs, as is 9002, and all three can be used to steal sensitive information or enable remote access to a victim's computer. If one suspects that a computer may be infected with any of these RATs, it is important to seek professional help immediately.