Attackers Abuse Security Products to Install “Bookworm” Trojan

While analyzing the activities of a threat group, researchers at network security firm Palo Alto Networks came across a new Trojan which they have dubbed “Bookworm.”

The threat, used by malicious actors in attacks against targets located in Thailand, is very similar to the notorious PlugX (Korplug) RAT, which has often been observed in the campaigns launched by Chinese advanced persistent threat (APT) actors. Experts initially believed the attackers had been using PlugX since the threats have similar behavior, but a closer analysis revealed that the new Trojan has a unique modular architecture.

According to Palo Alto Networks, Bookworm’s core is designed for capturing keystrokes and stealing the content of the clipboard. However, the threat can load additional modules from its command and control (C&C) server to expand its capabilities.

Based on the indicators of compromise (IoC) provided by the security firm, it appears the threat has been around since at least August.

The attackers hid the malware in an installer created with the Smart Installer Maker tool, disguised either as a self-extracting RAR archive or as a Flash slideshow or installer. This dropper writes a legitimate executable, a DLL file named “Loader.dll,” and a file named “readme.txt” to the targeted system.

The legitimate executable dropped by the threat is a component of Kaspersky Anti-Virus (ushata.exe) or a component of Microsoft Security Essentials (MsMpEng.exe). These executables are used to perform DLL side-loading and load “Loader.dll.”

Loader.dll then decrypts the “readme.txt” file to deploy a shellcode, which in turn decrypts Bookworm’s main component (Leader.dll) and various other DLLs. Experts have pointed out that these DLL files, each designed to provide specific functionality, are not written to the disk — the malware operates only in the memory.

These modules, which provide API functions for the main module, are used for various purposes, including encrypting and decrypting data, and communicating and interacting with the C&C server.
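As an added, defender-side illustration (not code from the article or from Palo Alto Networks), the Python below turns the dropper layout just described into a triage heuristic: it flags an ushata.exe or MsMpEng.exe process that runs outside its vendor's install directory when Loader.dll and readme.txt sit beside it. The vendor directories, sample process paths and directory listings are assumptions constructed for the example.

```python
from pathlib import PureWindowsPath

# Legitimate binaries named in the article as side-loading hosts.
ABUSED_HOSTS = {"ushata.exe", "msmpeng.exe"}
# Files the dropper writes next to the host, per the article.
COMPANIONS = {"loader.dll", "readme.txt"}
# Assumed vendor install roots (not from the article); tune for your estate.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files\Kaspersky Lab"),
    PureWindowsPath(r"C:\Program Files (x86)\Kaspersky Lab"),
    PureWindowsPath(r"C:\Program Files\Microsoft Security Client"),
)

def _under_trusted_root(path):
    # PureWindowsPath compares case-insensitively, matching NTFS lookups.
    return any(root in path.parents for root in TRUSTED_ROOTS)

def find_sideload_candidates(process_images, directory_listing):
    """process_images: image paths of running processes.
    directory_listing: {directory path: set of file names found in it}.
    Returns [(image_path, reasons)] for hosts that match both signals."""
    listing = {PureWindowsPath(d): {f.lower() for f in files}
               for d, files in directory_listing.items()}
    findings = []
    for image in process_images:
        path = PureWindowsPath(image)
        if path.name.lower() not in ABUSED_HOSTS:
            continue
        reasons = []
        if not _under_trusted_root(path):
            reasons.append("AV host binary outside its vendor directory")
        present = COMPANIONS & listing.get(path.parent, set())
        if present:
            reasons.append("dropper companions beside host: "
                           + ", ".join(sorted(present)))
        if len(reasons) == 2:  # flag only when both signals coincide
            findings.append((image, reasons))
    return findings

# Constructed sample telemetry: one genuine install, one staging directory.
SAMPLE_PROCESSES = [
    r"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\ushata.exe",
    r"C:\Users\victim\AppData\Local\Temp\RarSFX0\ushata.exe",
    r"C:\Windows\System32\svchost.exe",
]
SAMPLE_LISTING = {
    r"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus": {"ushata.exe"},
    r"C:\Users\victim\AppData\Local\Temp\RarSFX0":
        {"ushata.exe", "Loader.dll", "readme.txt", "slideshow.exe"},
}
```

Running `find_sideload_candidates(SAMPLE_PROCESSES, SAMPLE_LISTING)` returns only the copy of ushata.exe in the temp directory, with both reasons attached; the genuine install is left alone because it sits under a trusted root and has no companion files.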

Bookworm can also use other modules obtained from the C&C server, but Palo Alto Networks says it hasn’t spotted additional modules being provided to the malware by its C&C server.

“The developers of Bookworm have gone to great lengths to create a modular framework that is very flexible through its ability to run additional modules directly from its C2 server,” Palo Alto researchers wrote in a blog post. “Not only is this tool highly capable, but it also requires a very high level of effort to analyze due to its modular architecture and its use of API functions within the additional modules. We believe that it is likely threat actors will continue development of Bookworm, and will continue to use it for the foreseeable future.”

Palo Alto Networks has not shared any information on who might be behind the attack and the entities targeted by the threat actor. The security firm has promised to provide details on these aspects in a later report.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.