🇨🇳

Bookworm

APT Group Information theft and espionage ETDA ✓

Also Known As

No alias recorded

Target Countries 41

Countries highlighted in red

Argentina Australia Bangladesh Belgium Bulgaria China Cyprus Germany Spain Ethiopia France United Kingdom Greece Hong Kong Hungary Indonesia India Italy Japan Cambodia Republic of Korea Liberia Myanmar Mongolia Malaysia Nigeria Nepal Philippines Pakistan Russian Federation Saudi Arabia Sweden Singapore Slovakia South Sudan Thailand Province of China Taiwan Ukraine United States Vietnam South Africa

Sectors Targeted

Data Processing, Hosting, and Related Services 51821 Law enforcement Legal Services 5411 Pharmaceutical and Medicine Manufacturing 32541 Offices of Lawyers 541110 Finance and Insurance 52 Newspaper Publishers 51111 Aviation Plastics Product Manufacturing 3261 Education Computer Systems Design and Related Services 54151 Government NGOs Public Administration 92 The Vatican and Catholic Church-related organizations Think Tanks Research and Development in the Social Sciences and Humanities 54172 Periodical Publishers 51112 Computer Systems Design Services 541512 Religious Organizations 8131 Promoters of Performing Arts, Sports, and Similar Events 7113 Healthcare Telecommunications Hospitals 622 Civic and Social Organizations 8134

Details

Origin 🇨🇳 CN

Last Updated 11 May 2024

Malware Families 8

ccleaner_backdoor

sorgu

unidentified_075

zhmimikatz

win.shadow_rat

NewCore

darkstrat

win.sadbridge

MITRE ATT&CK 156

T1001 T1001.003 T1003 T1003.001 T1003.003 T1003.006 T1005 T1012 - Query Registry T1014 - Rootkit T1016 - System Network Configuration Discovery T1018 T1027 - Obfuscated Files or Information T1027.007 T1027.012 T1027.013 T1027.016 T1030 T1033 - System Owner/User Discovery T1036 - Masquerading T1036.003 - Rename System Utilities T1036.004 - Masquerade Task or Service T1036.005 T1036.007 T1036.008 T1037 - Boot or Logon Initialization Scripts T1041 T1046 T1047 T1048 T1048.003 T1049 - System Network Connections Discovery T1052 T1052.001 T1053 T1053.005 T1055 - Process Injection T1056 - Input Capture T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1059.003 T1059.005 T1059.007 T1068 - Exploitation for Privilege Escalation T1069 T1069.002 T1070 - Indicator Removal on Host T1070.004 T1070.006 T1071 T1071.001 - Web Protocols T1072 T1074 T1074.001 T1082 - System Information Discovery T1083 - File and Directory Discovery T1087 T1087.002 T1090 T1090.003 - Multi-hop Proxy T1091 T1095 T1102 T1102.002 - Bidirectional Communication T1105 - Ingress Tool Transfer T1106 - Native API T1110 - Brute Force T1112 - Modify Registry T1113 - Screen Capture T1119 T1124 - System Time Discovery T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - MSBuild T1129 T1132.001 - Standard Encoding T1134 - Access Token Manipulation T1140 - Deobfuscate/Decode Files or Information T1176 - Browser Extensions T1176.002 T1189 - Drive-by Compromise T1203 T1204 - User Execution T1204.001 T1204.002 - Malicious File T1205 T1218 - Signed Binary Proxy Execution T1218.004 T1218.005 - Mshta T1218.007 T1218.014 T1219 T1219.001 T1219.002 T1480 T1489 - Service Stop T1490 - Inhibit System Recovery T1497 - Virtualization/Sandbox Evasion T1505 - Server Software Component T1505.003 T1518 T1528 - Steal Application Access Token T1530 - Data from Cloud Storage Object T1539 T1543 - Create or Modify System Process T1546 T1546.003 T1547 - Boot or Logon Autostart Execution T1547.001 - Registry Run Keys / Startup Folder T1553 - Subvert Trust Controls T1553.002 - Code Signing T1557 T1557.002 T1560 - Archive Collected Data T1560.001 T1560.003 T1562 - Impair Defenses T1564 T1564.001 T1566 - Phishing T1566.001 T1566.002 T1567 T1567.002 T1569 - System Services T1572 T1573 - Encrypted Channel T1573.001 T1573.002 - Asymmetric Cryptography T1574 - Hijack Execution Flow T1574.001 - DLL Search Order Hijacking T1574.002 - DLL Side-Loading T1574.005 T1583 T1583.001 T1583.006 T1585 T1585.002 T1586 T1586.002 T1587 T1587.001 T1588 T1588.001 T1588.002 - Tool T1588.003 T1588.004 T1593 T1598 T1598.003 T1608 T1608.001 T1608.004 T1608.005 T1622 T1654 T1678

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 1 entries

Bookworm Palo Alto

Observed Target Countries 1

Based on ETDA data — countries highlighted in red

Thailand

Description

(Palo Alto) Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand. Readers who are interested in this campaign should start with our first blog that lays out the overall functionality of the malware and introduces its many components. Unit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of attempted attacks on at least two branches of government in Thailand. We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents, as well as several of the dynamic DNS domain names used to host C2 servers that contain the words “Thai” or “Thailand”. Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand.

Tools Used 5

Bookworm FormerFirstRAT Poison Ivy PlugX Scieron

Reports & References 2

https://unit42.paloaltonetworks.com/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/ https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/

ETDA Profile

Bookworm

Origin

China

First Seen 2015

Motivation

Information theft and espionage

View on ETDA APT Groups ↗