Cyber Security News

New Bookworm Malware Using SLL Sideloading Technique To Windows

Cybersecurity researchers from Palo Alto Networks’ Unit 42 disclosed the resurgence of the Bookworm malware, which has been linked to the Stately Taurus threat actor group.

This malware employs a sophisticated DLL sideloading technique that enables it to infiltrate Windows systems effectively.

The research highlights overlaps between the infrastructure used by Stately Taurus and the Bookworm malware, revealing a continuity in tactics that has persisted since its initial discovery in 2015.

Emergence of Bookworm Malware Linked to Stately Taurus Group

The recent analysis indicates that Stately Taurus has been targeting organizations within the Association of Southeast Asian Nations (ASEAN).

The researchers observed that earlier attacks attributed to Stately Taurus utilized the PubLoad malware, which also employed DLL sideloading for payload execution.

The Bookworm malware’s connection to this group was previously unrecognized, but the latest findings confirm its usage by Stately Taurus in ongoing cyber-espionage efforts.

Technical Mechanisms of Bookworm Malware

The Bookworm malware operates by leveraging legitimate executables signed by automation organizations to load malicious payloads.

One such payload, identified as BrMod104.dll, is a variant of PubLoad that communicates with its command and control (C2) server.

Bookworm MalwareBookworm Malware
Code comparison between the original AES.dll ProgramStartup function to its contemporary.

Notably, this payload attempts to masquerade as a legitimate request associated with Windows updates by mimicking HTTP requests directed at Microsoft servers.

This obfuscation tactic underscores the advanced capabilities of the malware developers.

In addition to its sophisticated communication methods, the Bookworm malware exhibits a modular architecture that allows for flexibility in deployment.

This architecture enables it to adapt over time while maintaining core functionalities.

The latest iterations of Bookworm have shown minimal changes from earlier versions, indicating a robust design that continues to pose a significant threat.

The analysis further revealed overlaps between Bookworm and another backdoor variant known as ToneShell.

Both malware families share similar debug paths and infrastructure, suggesting they may have been developed by the same team.

This linkage reinforces concerns about coordinated cyber-espionage activities targeting government entities in Southeast Asia.

The resurgence of Bookworm malware highlights ongoing threats posed by advanced persistent threat (APT) groups like Stately Taurus.

Organizations must remain vigilant against such sophisticated attacks that exploit DLL sideloading techniques and utilize legitimate software signatures to evade detection.

Palo Alto Networks emphasizes the importance of employing advanced security measures, including machine learning-based detection and behavioral threat protection, to safeguard against these evolving threats.

As Bookworm continues to adapt and reemerge in various forms, proactive defense strategies will be crucial in mitigating potential impacts on targeted organizations.

The identification of Bookworm’s connection to Stately Taurus marks a significant development in understanding the tactics employed by cyber adversaries.

As these threats evolve, continuous monitoring and adaptation of cybersecurity defenses will be essential in protecting sensitive data and maintaining organizational integrity against sophisticated cyber-attacks.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

10 hours ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

11 hours ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

12 hours ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

12 hours ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

13 hours ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

13 hours ago