A recent Symantec has indicated that Palmerworm attacked are on the rise for the first time since 2013.

It was recently discovered that the malware has had more persistent activity in 2020 and even remained on an unnamed corporate network for almost six months. Hackers behind Palmerworm have added new malware to the advanced persistent threat (APT) aimed at mainstream media and financial groups in the US, Japan, Taiwan, US, and China.

Even though Symantec was unable to discover the initial attack vector, it is thought that these attacks have begun with a phishing campaign. Palmerworm uses a unique approach to fooling users into running malicious content. Included in the malware is stolen signed certificates making users believe that the software is genuine.

Code-signing is a way to inform operating systems and users who developed the software. When users attempt to download software, the operating system shows the publisher. The publisher employs a signing method using specific keys only available to the publisher. An example of a code-signing message is included here:


In this image, the user can see that the publisher is Microsoft and will allow the program to be installed. Palmerworm authors use stolen code-signing keys to sign software, which makes it highly likely that users will install the malware.

Palmerworm uses custom malware and some freely available software to send the payload. The malware is a group of backdoors giving the hackers access to the network and allows them to remain on a corporate network even after administrators think that it’s been deleted.

The custom malware sent with Palmerworm are:

  • Backdoor.Consock
  • Backdoor.Waship
  • Backdoor.Dalwit
  • Backdoor.Nomri

The software included that assist Palmerworm install and scan the network includes:

  • Putty – gives hackers remote access
  • PSExec – used to run commands on a Windows network
  • SNScan – Scans the network to find other possible targets.
  • WinRAR – archiving tool to transfer data to the hacker, hide malware and extract it to a new target.

The backdoor malware gives hackers a high level of access across devices. Once an attacker has full management of one device, the malware can be shared across other devices on the network.  The network reconnaissance and administration tools assist the hacker find additional vulnerable devices so that backdoors and remote control can be created.

Palmerworm is not a new advanced persistent threat. It has been inexistence since 2013, so strong anti-malware programs can detect and prevent the backdoors from downloading to a device. Groups with enterprise-level anti-malware should have it downloaded on all devices including desktops and mobile devices.

As it’s presumed that Palmerworm starts with a phishing campaign, it’s even more important than ever to use email filters. Content filters will also prevent users from accessing malicious sites where hackers could host Palmerworm malware and trick users into installing it. Email filters will prevent malicious emails with attachments that could contain Palmerworm malware or macros that will download it form an hacker-controlled server.

Training users on the dangers of phishing and identifying red flags linked with phishing also helps. Users with adequate education are less likely to install malicious content or open attachments. They will also be aware of suspicious links from unknown senders.

TitanHQ supplies a cloud-based solution for email filters that blocks Palmerworm and other advanced persistent attacks. By implementing the cloud-based WebTitan platform, your organization will be safeguarded from Palmerworm and other web-based attacks that need users to initially access a hacker-controlled site where malware can be downloaded and downloaded.