A Chinese cyber-espionage hacking group tracked as Budworm has been observed targeting a telecommunication firm in the Middle East and a government entity in Asia using a new variant of its custom ‘SysUpdate’ backdoor.
The SysUpdate malware is a remote access trojan (RAT) associated with Budworm (aka APT27 or Emissary Panda) since 2020, supporting Windows service, process, and file management, command execution, data retrieval, and screenshot capturing.
In March 2023, Trend Micro reported on a Linux variant of SysUpdate, which had been widely distributed in the wild since October 2022.
The newest variant of the SysUpdate backdoor was spotted by Symantec’s Threat Hunter team, part of Broadcom, in the latest campaign that took place in August 2023.
Symantec reports the backdoor is deployed on victim systems via DLL sideloading leveraging the legitimate ‘INISafeWebSSO.exe’ executable.
The malicious DLL file used in Budworm attacks is identified as ‘inicore_v2.3.30.dll.’ It is planted in the working directory so that, through Windows DLL search order hijacking, it is loaded before the legitimate version.
By loading SysUpdate in the context of a legitimate program process, the attackers can evade detection from security tools running on the compromised host.
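The sideloading pattern described above can be hunted for in Sysmon ImageLoad (Event ID 7) telemetry. The script below is an added example, not code from the article or from Symantec; the INISafe install directory, the expected install roots and the sample events are constructed assumptions, and only the executable and DLL names come from the article.

```python
"""Hunt Sysmon ImageLoad (Event ID 7) records for INISafeWebSSO.exe loading
inicore_v2.3.30.dll from an unexpected location or without a valid signature."""
from pathlib import PureWindowsPath

# Host executable -> DLL names worth checking (names taken from the article).
SIDELOAD_PAIRS = {"inisafewebsso.exe": {"inicore_v2.3.30.dll"}}

# Where the legitimate application is expected to live.
# Assumption for this example; adjust to the deployment in your environment.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events using Sysmon field names; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\INISafe\INISafeWebSSO.exe",
     "ImageLoaded": r"C:\Program Files\INISafe\inicore_v2.3.30.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\INISafeWebSSO.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\inicore_v2.3.30.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\INISafeWebSSO.exe"},
]


def sideload_indicators(event):
    """Return the reasons an event matches the sideload pattern (empty if none)."""
    if event.get("EventID") != 7:
        return []
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in SIDELOAD_PAIRS.get(image.name.lower(), ()):
        return []  # not one of the executable/DLL pairs we care about
    reasons = []
    if not str(image).lower().startswith(EXPECTED_ROOTS):
        reasons.append("host executable outside expected install directory")
    if not str(loaded).lower().startswith(EXPECTED_ROOTS):
        reasons.append("dll outside expected install directory")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("loaded dll not validly signed")
    return reasons


def hunt(events):
    """Return (Image, ImageLoaded, reasons) for every event that raises a flag."""
    return [(ev["Image"], ev["ImageLoaded"], r)
            for ev in events if (r := sideload_indicators(ev))]


if __name__ == "__main__":
    for image, dll, why in hunt(SAMPLE_EVENTS):
        print(f"{image} loaded {dll}: {'; '.join(why)}")
```

The legitimate install-path load with a valid signature produces no hit; the copy staged under a user-writable Temp directory is flagged on all three checks.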
Along with SysUpdate, Symantec reports seeing several publicly available tools used in Budworm’s latest attacks, like AdFind, Curl, SecretsDump, and PasswordDumper.
These tools help the attackers perform various actions, including credential dumping, network mapping, spreading laterally on a compromised network, and stealing data.
Telecommunication companies have become a common target of state-sponsored and APT hacking groups.
Over the past month, researchers have reported on other hacking groups breaching telecom companies to install custom malware named HTTPSnoop and LuaDream, both of which provide backdoor access to the compromised networks.
Past Budworm activities
Budworm has been active since 2013, targeting high-value entities in government, technology, defense, and other key sectors and industries.
In 2020, the threat group experimented with abusing the Windows BitLocker tool to encrypt the servers of several online gaming and gambling companies, likely to mask their true espionage intentions.
In early 2022, the German intelligence service warned about the activities of Budworm, highlighting the risk of supply chain attacks targeting valuable intellectual property holders in the country.
Later that year, Belgium’s Ministry of Foreign Affairs announced that several of the country’s defense and interior ministries had been targeted by the Chinese hackers.
In August 2022, SEKOIA reported that Budworm had set up fake sites targeting Chinese users that promoted a cross-platform instant messenger app called ‘MiMi.’
The installer files for the fake app infected targets with a new backdoor named ‘rshell,’ capable of stealing data from Linux and macOS systems.