Bookworm (9ff6e087-6755-447a-b537-8f06c7aa4a85)
Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand. Readers who are interested in this campaign should start with our first blog, which lays out the overall functionality of the malware and introduces its many components. Unit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of attempted attacks on at least two branches of government in Thailand. We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand, based on the contents of the associated decoy documents as well as several of the dynamic DNS domain names used to host C2 servers, which contain the words "Thai" or "Thailand". Analysis of compromised systems seen communicating with Bookworm C2 servers also supports this assessment, with the majority of those systems located in Thailand.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Bookworm (1b8cfb29-7a63-459a-bc90-c9ea3634b21c) | Malpedia | Bookworm (9ff6e087-6755-447a-b537-8f06c7aa4a85) | Tool | 1 |