A Chinese cyber-espionage group known as Budworm has been detected in the act of targeting a telecommunications company in the Middle East and a governmental organization in Asia. They are employing a fresh variation of their custom-designed ‘SysUpdate’ backdoor malware.
The SysUpdate malware is categorized as a remote access trojan (RAT) and has been associated with Budworm, also known as APT27 or Emissary Panda, since 2020. This malware enables the group to manage Windows services, processes, and files, execute commands, retrieve data, and capture screenshots.
In March 2023, Trend Micro reported on a Linux variant of SysUpdate, which had been widely circulated in the cyber landscape since October 2022.
The latest version of the SysUpdate backdoor was recently identified by Symantec’s Threat Hunter team, a division of Broadcom. This discovery was made during a campaign that took place in August 2023.
Symantec reports that this backdoor is introduced into victim systems through DLL sideloading, using the legitimate ‘INISafeWebSSO.exe’ executable. The malicious DLL file, used in Budworm attacks, is named ‘inicore_v2.3.30.dll’ and is placed in the working directory. Because Windows searches the application’s own directory before the system directories, the planted DLL is loaded in place of the legitimate one. By executing SysUpdate within the context of a genuine program process, the attackers can avoid detection by security tools operating on the compromised host.
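A defender-side check for the sideloading pattern described above, written as an added example for this article rather than code from Symantec or the report: it scans Sysmon-style image-load (Event ID 7) records for the INISafeWebSSO.exe / inicore_v2.3.30.dll pairing loaded as an untrusted DLL, and more generally for any untrusted DLL loaded from a user-writable directory next to its host executable. The sample records, the vendor install path and the list of user-writable path fragments are constructed assumptions for the example.

```python
import json
from pathlib import PureWindowsPath

# Host executable / DLL pairing reported for this campaign (lower-cased for matching).
WATCHED_PAIRS = {"inisafewebsso.exe": {"inicore_v2.3.30.dll"}}

# Path fragments suggesting a directory an ordinary user can write to. This list is
# an assumption made for the example, not something taken from the report.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                       "\\programdata\\", "\\users\\public\\")

def dll_is_trusted(event):
    """A loaded image counts as trusted only when Sysmon recorded a valid signature."""
    return event.get("Signed", "").lower() == "true" and event.get("SignatureStatus") == "Valid"

def assess_image_load(event):
    """Return the reasons one image-load record looks like sideloading ([] if none)."""
    exe, dll = PureWindowsPath(event["Image"]), PureWindowsPath(event["ImageLoaded"])
    reasons = []
    if dll.name.lower() in WATCHED_PAIRS.get(exe.name.lower(), set()) and not dll_is_trusted(event):
        reasons.append(f"known sideload pair {exe.name} -> {dll.name}, DLL untrusted")
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    in_writable = any(h in (str(dll.parent) + "\\").lower() for h in USER_WRITABLE_HINTS)
    if same_dir and in_writable and not dll_is_trusted(event):
        reasons.append(f"untrusted {dll.name} loaded beside its host from {dll.parent}")
    return reasons

def scan(jsonl_text):
    """Scan newline-delimited JSON records; return {ImageLoaded: [reasons]} for hits only."""
    hits = {}
    for line in jsonl_text.splitlines():
        event = json.loads(line)
        reasons = assess_image_load(event)
        if reasons:
            hits[event["ImageLoaded"]] = reasons
    return hits

# Constructed sample telemetry (not real logs): a clean load from a vendor install
# directory, then the same DLL name loaded from a user-writable working directory.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Program Files\WebSSO\INISafeWebSSO.exe",
     "ImageLoaded": r"C:\Program Files\WebSSO\inicore_v2.3.30.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\work\INISafeWebSSO.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\work\inicore_v2.3.30.dll",
     "Signed": "false", "SignatureStatus": ""},
])
if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

The same check can be fed real Sysmon Event ID 7 output exported as JSON lines; the signed-from-install-directory load produces no hit, while the copy in the Temp working directory trips both rules.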
Additionally, Symantec has observed the use of several publicly available tools in Budworm’s recent attacks, such as AdFind, Curl, SecretsDump, and PasswordDumper. These tools enable the hackers to carry out various actions, including stealing credentials, mapping networks, spreading laterally within compromised networks, and exfiltrating data.
Telecommunications companies have become a common target for state-sponsored and advanced persistent threat (APT) hacking groups. In the last month, researchers have reported on other hacking groups breaching telecom firms to implant custom malware named HTTPSnoop and LuaDream, both of which provide illicit access to the networks.
Budworm has been active since 2013, with a history of targeting high-value entities in government, technology, defense, and other critical sectors. In 2020, they experimented with exploiting the Windows BitLocker tool to encrypt servers of online gaming and gambling companies, potentially to conceal their true espionage objectives.
Early in 2022, Germany’s intelligence service issued a warning about Budworm’s activities, emphasizing the risk of supply chain attacks aimed at valuable intellectual property holders in the country. Later that year, Belgium’s Ministry of Foreign Affairs disclosed that several of its defense and interior ministries had fallen victim to Chinese hackers.
In August 2022, SEKOIA reported that Budworm had established counterfeit websites targeting Chinese users to promote a cross-platform instant messaging app named ‘MiMi.’ The installer files for this phony app contained a new backdoor called ‘rshell,’ capable of pilfering data from Linux and macOS systems.