NGEN IT Software

By Symantec / 20-12-2023

Budworm Strikes Again: APT Group Unleashes Updated SysUpdate Tool in Targeted Campaigns
Tags: Budworm, Cybersecurity, SysUpdate, APTHunting, TechSecurity

Symantec's Threat Hunter Team Uncovers Budworm's Latest Advanced Persistent Threat Tactics

In the ever-evolving landscape of cyber threats, the Budworm advanced persistent threat (APT) group has once again showcased its sophistication. In a recent campaign targeting a Middle Eastern telecommunications organization and an Asian government, Budworm deployed an updated version of its notorious SysUpdate backdoor, raising concerns among cybersecurity experts.

The Threat Hunter Team at Symantec, a division of Broadcom, discovered the new variant (SysUpdate DLL inicore_v2.3.30.dll) during the August 2023 attacks. Known by aliases such as LuckyMouse, Emissary Panda, and APT27, Budworm consistently demonstrates active development of its toolset.

Notably, the group employed various living-off-the-land and publicly available tools alongside its custom malware. The attacks seem to have been halted early in the chain, with credential harvesting being the primary malicious activity observed on infected machines.

Tools Used

Budworm executed SysUpdate through DLL sideloading, leveraging the legitimate INISafeWebSSO application. This technique, used by the group since at least 2018, abuses the Windows DLL search order: the attacker plants a malicious DLL alongside a legitimate, typically signed application and then launches that application, which loads the payload from its own directory. Because the malicious code runs inside a trusted process, the technique also aids evasion of detection.
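The sideloading pattern described above can be hunted for in module-load telemetry. The following is an added example, not Symantec's or any vendor's code: it runs a simple detection over constructed events modelled loosely on Sysmon Event ID 7 (ImageLoad) fields, and flags DLLs loaded from the loading executable's own directory when they are unsigned, live in a user-writable location, or carry the DLL name named in the report. The event field names and the user-writable path heuristic are assumptions.

```python
"""Detection for DLL sideloading (added example, not from the report).
Events are constructed and loosely modelled on Sysmon ID 7 fields."""
import ntpath

# Constructed sample events: the loading process image and the module loaded.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\INISafeWebSSO.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\inicore_v2.3.30.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")  # heuristic
KNOWN_SIDELOADED = {"inicore_v2.3.30.dll"}  # DLL name from the report


def find_sideload_candidates(events):
    """Return [(dll_path, reasons)] for loads that fit the sideloading pattern:
    the DLL sits in the loading executable's own directory (first location in
    the default search order), outside the system directories, and at least
    one of the weak signals below applies."""
    hits = []
    for ev in events:
        exe_dir = ntpath.dirname(ev["Image"]).lower()
        dll = ev["ImageLoaded"]
        dll_dir = ntpath.dirname(dll).lower()
        dll_name = ntpath.basename(dll).lower()
        if dll_dir.startswith(SYSTEM_DIRS) or dll_dir != exe_dir:
            continue  # system DLL, or not loaded from the app's directory
        reasons = []
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("unsigned DLL in application directory")
        if any(marker in dll_dir + "\\" for marker in USER_WRITABLE):
            reasons.append("application and DLL run from user-writable path")
        if dll_name in KNOWN_SIDELOADED:
            reasons.append("DLL name matches reported SysUpdate loader")
        if reasons:
            hits.append((dll, reasons))
    return hits


if __name__ == "__main__":
    for path, why in find_sideload_candidates(SAMPLE_EVENTS):
        print(path, "->", "; ".join(why))
```

Real deployments should key the rule on the signer of the loading executable as well, since a legitimately signed host binary loading an unsigned DLL from its own folder is the core of the pattern.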

SysUpdate, a feature-rich backdoor, boasts capabilities such as service manipulation, screenshot capture, process management, drive information retrieval, file management, and command execution.

In a significant development reported by Trend Micro in March 2023, Budworm extended its reach by developing a Linux version of SysUpdate, matching the capabilities of its Windows counterpart. The group's consistent toolset development underscores its commitment to enhancing capabilities and avoiding detection.

Besides SysUpdate, Budworm utilized legitimate or publicly available tools for network mapping and credential dumping, including AdFind, Curl, SecretsDump, and PasswordDumper.

Budworm Background

Budworm, a long-standing APT group active since at least 2013, is notorious for targeting high-value victims, particularly in government, technology, and defense sectors. Past campaigns have reached countries across Southeast Asia, the Middle East, and the U.S. Symantec's Threat Hunter Team previously documented Budworm's activity in a U.S. state legislature network in October 2022, targeting government entities, a multinational electronics manufacturer, and a hospital in Southeast Asia.

The recent victims—a government in Asia and a telecommunications company in the Middle East—align with Budworm's typical targets, indicating the group's persistent focus on intelligence gathering. The use of known malware (SysUpdate) and familiar techniques like DLL sideloading suggests Budworm remains undeterred by the risk of detection.

The deployment of a previously unseen SysUpdate version in August 2023 reaffirms Budworm's commitment to active toolset development. Organizations of interest should be vigilant and stay abreast of Budworm's evolving tactics.

Protection/Mitigation

Stay informed with the latest protection updates by visiting the Symantec Protection Bulletin.

Indicators of Compromise

Symantec Endpoint products will detect and block any malicious files associated with Indicators of Compromise (IOCs) when available.

As Budworm's cyber threat tactics advance, vigilance is paramount. The recent deployment of an updated SysUpdate variant in targeted attacks emphasizes the APT group's unwavering commitment to refinement. Organizations must prioritize cybersecurity measures and stay informed about evolving threat landscapes. Symantec's ongoing monitoring and detection capabilities play a crucial role in thwarting such threats. For the latest protection updates and proactive defense, continuous collaboration with cybersecurity experts remains essential. As we navigate the ever-changing cyber terrain, a collective effort to enhance defenses is crucial in safeguarding against sophisticated threats like Budworm.