New Backdoors Discovered
Researchers have identified two new custom backdoors deployed by the China-aligned threat actor tracked as Webworm. The malware, named EchoCreep and GraphWorm, represents a notable evolution in the group’s tactics. EchoCreep uses Discord for command-and-control communications, while GraphWorm relies on the Microsoft Graph API for the same purpose. The findings were reported by cybersecurity firm ESET.
Expanding Operations
Webworm has been active since at least 2022, historically targeting government agencies and enterprises in Russia, Georgia, Mongolia, and several Asian nations. The group’s targets have included the IT services, aerospace, and electric power sectors. In recent years, the threat actor has shifted away from traditional remote access trojans toward custom proxy tools designed for stealth. The group now appears to be expanding its focus to European countries, including governmental organizations in Belgium, Italy, Serbia, Poland, and Spain.
Infrastructure Tactics
The attackers are using a GitHub repository that impersonates a WordPress fork as a staging ground for malware and tools. This repository hosts utilities such as SoftEther VPN; abusing legitimate VPN software in this way is a technique commonly used by several Chinese hacking groups to blend in with legitimate network traffic. The discovery of EchoCreep and GraphWorm marks a significant expansion of Webworm’s arsenal as the group continues to evolve its methods.
Source: The Hacker News
