APT (Advanced Persistent Threat) actors are evolving at a rapid pace, continually enhancing their toolsets and tactics.
They adapt quickly to security measures, leveraging advanced techniques, such as zero-day exploits, to remain undetected.
Their ability to innovate and collaborate in the underground cybercriminal ecosystem makes tracking and countering APT threats an ongoing challenge for cybersecurity professionals.
Cybersecurity researchers at Symantec’s Threat Hunter Team recently discovered that Budworm APT group has evolved its toolset and is actively targeting the following entities:-
In August 2023, Budworm APT deployed a new variant of its exclusive SysUpdate backdoor (SysUpdate DLL inicore_v2.3.30.dll) in both attacks, which was previously unseen.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
New Custom Tools Used
Budworm employed custom and publicly available tools in these attacks, primarily focusing on credential harvesting. The group’s activity may have been suspended early in the attack chain.
Budworm employs DLL sideloading through INISafeWebSSO to execute SysUpdate on victim networks, a technique used by the group since 2018 to evade detection.
Besides this, SysUpdate offers several capabilities that we have mentioned below:-
- List services
- Start services
- Stop services
- Delete services
- Take screenshots
- Browse processes
- Terminate processes
- Drive information retrieval
- File management
- Command execution
Trend Micro reported about Budworm’s Linux SysUpdate with Windows-like capabilities in March 2023, which has been part of Budworm’s developing toolbox since 2020.
Here below, we have mentioned all the tools that the threat actors use:-
- AdFind
- Curl
- SecretsDump
- PasswordDumper
Budworm is a persistent APT group active since 2013 that targets high-value victims across sectors globally. Their activities include a U.S. state legislature breach in October 2022 using DLL sideloading for HyperBro malware.
In Budworm’s recent campaign, the group targeted an Asian government and a Middle Eastern telecom, as they are consistent with their typical intelligence-gathering focus.
Budworm’s use of known techniques and tools, like SysUpdate and DLL sideloading, signals their confidence despite detection risk.
The appearance of a new SysUpdate version in August 2023 indicates ongoing toolset development, suggesting their current activity.
IOCs
SHA256 file hashes
- c501203ff3335fbfc258b2729a72e82638719f60f7e6361fc1ca3c8560365a0e — Legitimate INISafeWebSSO application
- c4f7ec0c03bcacaaa8864b715eb617d5a86b5b3ca6ee1e69ac766773c4eb00e6 — SysUpdate backdoor
- 551397b680da0573a85423fbb0bd10dac017f061a73f2b8ebc11084c1b364466 — Password dumper
- df571c233c3c10462f4d88469bababe4c57c21a52cca80f2b1e1af848a2b4d23 — Hacktool
- c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37 — SecretsDump
- f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e — AdFind
- ee9dfcea61282b4c662085418c7ad63a0cbbeb3a057b6c9f794bb32455c3a79e — Curl
Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.