New Bookworm Malware Using SLL Sideloading Technique To Windows

Cybersecurity researchers from Palo Alto Networks’ Unit 42 disclosed the resurgence of the Bookworm malware, which has been linked to the Stately Taurus threat actor group.

This malware employs a sophisticated DLL sideloading technique that enables it to infiltrate Windows systems effectively.

The research highlights overlaps between the infrastructure used by Stately Taurus and the Bookworm malware, revealing a continuity in tactics that has persisted since its initial discovery in 2015.

Emergence of Bookworm Malware Linked to Stately Taurus Group

The recent analysis indicates that Stately Taurus has been targeting organizations within the Association of Southeast Asian Nations (ASEAN).

The researchers observed that earlier attacks attributed to Stately Taurus utilized the PubLoad malware, which also employed DLL sideloading for payload execution.

The Bookworm malware’s connection to this group was previously unrecognized, but the latest findings confirm its usage by Stately Taurus in ongoing cyber-espionage efforts.

Technical Mechanisms of Bookworm Malware

The Bookworm malware operates by leveraging legitimate executables signed by automation organizations to load malicious payloads.

One such payload, identified as BrMod104.dll, is a variant of PubLoad that communicates with its command and control (C2) server.

Notably, this payload attempts to masquerade as a legitimate request associated with Windows updates by mimicking HTTP requests directed at Microsoft servers.

This obfuscation tactic underscores the advanced capabilities of the malware developers.

In addition to its sophisticated communication methods, the Bookworm malware exhibits a modular architecture that allows for flexibility in deployment.

This architecture enables it to adapt over time while maintaining core functionalities.

The latest iterations of Bookworm have shown minimal changes from earlier versions, indicating a robust design that continues to pose a significant threat.

The analysis further revealed overlaps between Bookworm and another backdoor variant known as ToneShell.

Both malware families share similar debug paths and infrastructure, suggesting they may have been developed by the same team.

This linkage reinforces concerns about coordinated cyber-espionage activities targeting government entities in Southeast Asia.

The resurgence of Bookworm malware highlights ongoing threats posed by advanced persistent threat (APT) groups like Stately Taurus.

Organizations must remain vigilant against such sophisticated attacks that exploit DLL sideloading techniques and utilize legitimate software signatures to evade detection.

Palo Alto Networks emphasizes the importance of employing advanced security measures, including machine learning-based detection and behavioral threat protection, to safeguard against these evolving threats.

As Bookworm continues to adapt and reemerge in various forms, proactive defense strategies will be crucial in mitigating potential impacts on targeted organizations.

The identification of Bookworm’s connection to Stately Taurus marks a significant development in understanding the tactics employed by cyber adversaries.

As these threats evolve, continuous monitoring and adaptation of cybersecurity defenses will be essential in protecting sensitive data and maintaining organizational integrity against sophisticated cyber-attacks.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here