Attackers Abuse Security Products to Install “Bookworm” Trojan

While analyzing the activities of a threat group, researchers at network security firm Palo Alto Networks came across a new Trojan which they have dubbed “Bookworm.”

The threat, used by malicious actors in attacks against targets located in Thailand, is very similar to the notorious PlugX (Korplug) RAT, which has often been observed in the campaigns launched by Chinese advanced persistent threat (APT) actors. Experts initially believed the attackers had been using PlugX since the threats have similar behavior, but a closer analysis revealed that the new Trojan has a unique modular architecture.

According to Palo Alto Networks, Bookworm’s core is designed for capturing keystrokes and stealing the content of the clipboard. However, the threat can load additional modules from its command and control (C&C) server to expand its capabilities.

Based on the indicators of compromise (IoC) provided by the security firm, it appears the threat has been around since at least August.

The attackers have used an installer created with the Smart Installer Maker tool to hide the malware, either as a self-extracting RAR archive, or a Flash slideshow or installer. This dropper writes a legitimate executable, a DLL file named “Loader.dll,” and a file named “readme.txt” to the targeted system.

The legitimate executable dropped by the threat is a component of Kaspersky Anti-Virus (ushata.exe) or a component of Microsoft Security Essentials (MsMpEng.exe). The attackers abuse these trusted executables to perform DLL side-loading: when launched, the host program loads the attacker-supplied “Loader.dll” sitting beside it.

Loader.dll then decrypts the “readme.txt” file into shellcode, which in turn decrypts Bookworm’s main component (Leader.dll) and various other DLLs. Experts have pointed out that these DLL files, each designed to provide specific functionality, are never written to disk — the malware runs entirely in memory.
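The infection chain above is a textbook DLL side-loading pattern: a trusted vendor binary is copied out of its normal install directory and made to load a co-located DLL. As an added illustration (not code from Palo Alto Networks or from SecurityWeek), the following Python checks Sysmon-style image-load events for that pattern. The event fields, the expected install directories, and the sample events are constructed assumptions; a real deployment would populate the allowlist from its own software inventory.

```python
"""Flag DLL side-loading by relocated security-product binaries.

Added example. Events mimic Sysmon Event ID 7 (ImageLoad): the process
image path, the loaded DLL path, and whether the DLL is signed. Paths,
directories and events below are constructed for illustration.
"""
from dataclasses import dataclass
import ntpath

# Host executables the article names as abused for side-loading.
SIDELOAD_HOSTS = {"ushata.exe", "msmpeng.exe"}

# Constructed assumption: where these binaries are expected to live.
# Populate from your own inventory; prefix match, case-insensitive.
EXPECTED_DIRS = {
    "ushata.exe": (r"c:\program files (x86)\kaspersky lab" + "\\",),
    "msmpeng.exe": (r"c:\program files\microsoft security client" + "\\",),
}


@dataclass
class ImageLoad:
    process_image: str   # full path of the running host executable
    loaded_image: str    # full path of the DLL it loaded
    signed: bool         # signature status of the loaded DLL


@dataclass
class Finding:
    process_image: str
    loaded_image: str
    reasons: list


def _in_expected_dir(host: str, proc_dir: str) -> bool:
    return any(proc_dir.startswith(d) for d in EXPECTED_DIRS.get(host, ()))


def check_event(ev: ImageLoad):
    """Return a Finding if the event matches the side-loading pattern, else None."""
    proc_path = ev.process_image.lower()
    host = ntpath.basename(proc_path)
    if host not in SIDELOAD_HOSTS:
        return None  # not one of the abused host binaries

    proc_dir = ntpath.dirname(proc_path) + "\\"
    dll_path = ev.loaded_image.lower()
    dll_dir = ntpath.dirname(dll_path) + "\\"
    dll_name = ntpath.basename(dll_path)

    reasons = []
    # Core pattern: host binary running outside its install path and
    # loading a DLL from its own (attacker-controlled) directory.
    if dll_dir == proc_dir and not _in_expected_dir(host, proc_dir):
        reasons.append("relocated host binary loading a co-located DLL")
    # A security-product host loading an unsigned DLL is suspicious on its own.
    if not ev.signed:
        reasons.append("loaded DLL is unsigned")
    # File name reported for the Bookworm dropper.
    if dll_name == "loader.dll":
        reasons.append("DLL name matches the reported Loader.dll")

    if not reasons:
        return None
    return Finding(ev.process_image, ev.loaded_image, reasons)


def scan(events):
    """Run check_event over a batch and return only the findings."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample events: two benign, one matching the described chain,
# one from an unrelated process.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Microsoft Security Client\MsMpEng.exe",
              r"C:\Windows\System32\kernel32.dll", signed=True),
    ImageLoad(r"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2015\ushata.exe",
              r"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2015\ushata.dll",
              signed=True),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\ushata.exe",
              r"C:\Users\victim\AppData\Local\Temp\Loader.dll", signed=False),
    ImageLoad(r"C:\Windows\explorer.exe",
              r"C:\Users\victim\AppData\Local\Temp\Loader.dll", signed=False),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.process_image, "->", f.loaded_image)
        for r in f.reasons:
            print("   ", r)
```

The co-location test is what separates this from ordinary DLL loads: system DLLs come from System32, and a vendor binary in its own install directory legitimately loads its neighbours, so only the relocated-plus-co-located combination fires. The unsigned and file-name checks are secondary signals that raise confidence when they coincide with it.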

These modules, which provide API functions for the main module, are used for various purposes, including encrypting and decrypting data, and communicating and interacting with the C&C server.

Bookworm can also use other modules obtained from the C&C server, but Palo Alto Networks says it hasn’t spotted additional modules being provided to the malware by its C&C server.

“The developers of Bookworm have gone to great lengths to create a modular framework that is very flexible through its ability to run additional modules directly from its C2 server,” Palo Alto researchers wrote in a blog post. “Not only is this tool highly capable, but it also requires a very high level of effort to analyze due to its modular architecture and its use of API functions within the additional modules. We believe that it is likely threat actors will continue development of Bookworm, and will continue to use it for the foreseeable future.”

Palo Alto Networks has not shared any information on who might be behind the attack and the entities targeted by the threat actor. The security firm has promised to provide details on these aspects in a later report.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
