Attackers Abuse Security Products to Install “Bookworm” Trojan

While analyzing the activities of a threat group, researchers at network security firm Palo Alto Networks came across a new Trojan which they have dubbed “Bookworm.”

The threat, used by malicious actors in attacks against targets located in Thailand, is very similar to the notorious PlugX (Korplug) RAT, which has often been observed in the campaigns launched by Chinese advanced persistent threat (APT) actors. Experts initially believed the attackers had been using PlugX since the threats have similar behavior, but a closer analysis revealed that the new Trojan has a unique modular architecture.

According to Palo Alto Networks, Bookworm’s core is designed for capturing keystrokes and stealing the content of the clipboard. However, the threat can load additional modules from its command and control (C&C) server to expand its capabilities.

Based on the indicators of compromise (IoC) provided by the security firm, it appears the threat has been around since at least August.

The attackers have used an installer created with the Smart Installer Maker tool to hide the malware, either as a self-extracting RAR archive, or a Flash slideshow or installer. This dropper writes a legitimate executable, a DLL file named “Loader.dll,” and a file named “readme.txt” to the targeted system.

The legitimate executable dropped by the threat is a component of Kaspersky Anti-Virus (ushata.exe) or a component of Microsoft Security Essentials (MsMpEng.exe). These executables are used to perform DLL side-loading and load “Loader.dll.”

Loader.dll then decrypts the “readme.txt” file to deploy a shellcode, which in turn decrypts Bookworm’s main component (Leader.dll) and various other DLLs. Experts have pointed out that these DLL files, each designed to provide specific functionality, are not written to the disk — the malware operates only in the memory.

These modules, which provide API functions for the main module, are used for various purposes, including encrypting and decrypting data, and communicating and interacting with the C&C server.

Bookworm can also use other modules obtained from the C&C server, but Palo Alto Networks says it hasn’t spotted additional modules being provided to the malware by its C&C server.

“The developers of Bookworm have gone to great lengths to create a modular framework that is very flexible through its ability to run additional modules directly from its C2 server,” Palo Alto researchers wrote in a blog post. “Not only is this tool highly capable, but it also requires a very high level of effort to analyze due to its modular architecture and its use of API functions within the additional modules. We believe that it is likely threat actors will continue development Bookworm, and will continue to use it for the foreseeable future.”

Palo Alto Networks has not shared any information on who might be behind the attack and the entities targeted by the threat actor. The security firm has promised to provide details on these aspects in a later report.