Bookworm
Description
(Palo Alto) Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand. Readers who are interested in this campaign should start with our first blog that lays out the overall functionality of the malware and introduces its many components.
Unit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of attempted attacks on at least two branches of government in Thailand. We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoy documents, as well as several of the dynamic DNS domain names used to host C2 servers that contain the words “Thai” or “Thailand”. Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting, with a majority of systems existing within Thailand.
Names
| Name | Name-Giver |
|---|---|
| Bookworm | Palo Alto |
Country
Motivation
- Information theft and espionage
First Seen
2015
Observed Sectors
Observed Countries
Tools
Information
- https://unit42.paloaltonetworks.com/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/
- https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/
Other Information
Uuid
10591398-68de-4ce0-9427-d7cd32df1407
Last Card Change
2020-04-14