NGEN IT Software

By Symantec / 20-12-2023

Budworm Strikes Again: APT Group Unleashes Updated SysUpdate Tool in Targeted Campaigns
Tags: Budworm, Cybersecurity, SysUpdate, APTHunting, TechSecurity

Symantec's Threat Hunter Team Uncovers Budworm's Latest Advanced Persistent Threat Tactics

In the ever-evolving landscape of cyber threats, the Budworm advanced persistent threat (APT) group has once again showcased its sophistication. In a recent campaign targeting a Middle Eastern telecommunications organization and an Asian government, Budworm deployed an updated version of its notorious SysUpdate backdoor, raising concerns among cybersecurity experts.

The Threat Hunter Team at Symantec, a division of Broadcom, discovered the new variant (SysUpdate DLL inicore_v2.3.30.dll) during the August 2023 attacks. Known by aliases such as LuckyMouse, Emissary Panda, and APT27, Budworm consistently demonstrates active development of its toolset.

Notably, the group employed various living-off-the-land and publicly available tools alongside its custom malware. The attacks seem to have been halted early in the chain, with credential harvesting being the primary malicious activity observed on infected machines.

Tools Used

Budworm executed SysUpdate through DLL sideloading, leveraging the legitimate INISafeWebSSO application. This technique, which the group has used since at least 2018, abuses the Windows DLL search order: the attacker places a malicious DLL alongside a legitimate, signed application and then launches that application, which loads the planted DLL in place of the one it expects. The payload therefore runs inside a trusted process, which helps it evade detection.
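The search-order pattern described above leaves a characteristic trace in image-load telemetry: a DLL mapped from the application's own folder rather than from a system directory, typically unsigned or signed by a different publisher than the host executable. The following detection logic is an added example written for this page, not code from Symantec or from the original article. It assumes a simple ' | '-separated key=value record per image load (a stand-in for Sysmon-style image-load events, not any product's real schema); the sample records, the executable name, the paths and the signer strings are constructed for the example, and only the DLL name inicore_v2.3.30.dll and the INISafeWebSSO application name come from the text.

```python
"""Flag image loads that match app-local DLL sideloading (added example, not the article's code)."""
import ntpath
from dataclasses import dataclass

# Directories from which Windows normally serves shared DLLs (compared case-insensitively).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Small, constructed baseline of DLL names an application normally receives from
# System32. Seeing one of them mapped from the application's own folder is the
# search-order pattern the text describes.
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "userenv.dll", "dwmapi.dll"}


@dataclass
class ImageLoad:
    process: str          # full path of the executable that performed the load
    image: str            # full path of the DLL that was mapped
    signed: bool          # DLL carries an Authenticode signature
    sig_valid: bool       # and that signature verified
    process_signer: str   # publisher of the executable ("" if unsigned)
    image_signer: str     # publisher of the DLL ("" if unsigned)


def parse_event(line: str) -> ImageLoad:
    """Parse one ' | '-separated key=value record (assumed format, not a product schema)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()

    def truthy(key: str) -> bool:
        return fields.get(key, "false").lower() == "true"

    return ImageLoad(
        process=fields["process"],
        image=fields["image"],
        signed=truthy("signed"),
        sig_valid=truthy("sigvalid"),
        process_signer=fields.get("processsigner", ""),
        image_signer=fields.get("imagesigner", ""),
    )


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return why an image load looks like app-local sideloading; an empty list means benign."""
    image_dir = ntpath.dirname(ev.image).lower()
    if image_dir in TRUSTED_DIRS:
        return []                                   # served by the OS, not app-local
    if image_dir != ntpath.dirname(ev.process).lower():
        return []                                   # not loaded from the host EXE's folder
    reasons = []
    if not (ev.signed and ev.sig_valid):
        reasons.append("app-local DLL is unsigned or its signature does not verify")
    elif ev.image_signer.lower() != ev.process_signer.lower():
        reasons.append("app-local DLL signer differs from the host executable's signer")
    if ntpath.basename(ev.image).lower() in SYSTEM_DLL_NAMES:
        reasons.append("DLL name is normally served from a system directory")
    return reasons


def detect_sideloading(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Run the rules over a block of log lines; returns (process, image, reasons) per hit."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev.process, ev.image, reasons))
    return hits


# Constructed sample records. The first mimics the campaign described in the text
# (a legitimate INISafeWebSSO binary loading inicore_v2.3.30.dll from its own folder);
# the executable file name, paths and signer strings are invented for this example.
SAMPLE_LOG = r"""
process=C:\Users\alice\AppData\Local\Temp\INISafeWebSSO.exe | image=C:\Users\alice\AppData\Local\Temp\inicore_v2.3.30.dll | signed=false | sigvalid=false | processsigner=Example Vendor | imagesigner=
process=C:\Program Files\Vendor\app.exe | image=C:\Windows\System32\version.dll | signed=true | sigvalid=true | processsigner=Vendor | imagesigner=Microsoft Windows
process=C:\Program Files\Vendor\app.exe | image=C:\Program Files\Vendor\helper.dll | signed=true | sigvalid=true | processsigner=Vendor | imagesigner=Vendor
process=C:\Users\bob\Downloads\tool.exe | image=C:\Users\bob\Downloads\version.dll | signed=false | sigvalid=false | processsigner=Some Publisher | imagesigner=
"""

if __name__ == "__main__":
    for process, image, reasons in detect_sideloading(SAMPLE_LOG):
        print(f"{image}\n  loaded by {process}\n  " + "\n  ".join(reasons))
```

Run on the constructed log, the first and last records are reported (an app-local DLL with no valid signature; the last one additionally because version.dll is expected to come from System32), while the System32 load and the vendor-signed helper DLL pass. In a real deployment the trusted-directory set and the system DLL baseline would be built from a known-good image of the estate, and the signer comparison would use the verified certificate subject rather than a free-text publisher field.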

SysUpdate, a feature-rich backdoor, boasts capabilities such as service manipulation, screenshot capture, process management, drive information retrieval, file management, and command execution.

In a significant development reported by Trend Micro in March 2023, Budworm extended its reach by developing a Linux version of SysUpdate, matching the capabilities of its Windows counterpart. The group's consistent toolset development underscores its commitment to enhancing capabilities and avoiding detection.

Besides SysUpdate, Budworm utilized legitimate or publicly available tools for network mapping and credential dumping, including AdFind, Curl, SecretsDump, and PasswordDumper.

Budworm Background

Budworm, a long-standing APT group active since at least 2013, is notorious for targeting high-value victims, particularly in government, technology, and defense sectors. Past campaigns have reached countries across Southeast Asia, the Middle East, and the U.S. Symantec's Threat Hunter Team previously documented Budworm's activity in a U.S. state legislature network in October 2022, targeting government entities, a multinational electronics manufacturer, and a hospital in Southeast Asia.

The recent victims—a government in Asia and a telecommunications company in the Middle East—align with Budworm's typical targets, indicating the group's persistent focus on intelligence gathering. The use of known malware (SysUpdate) and familiar techniques like DLL sideloading suggests Budworm remains undeterred by the risk of detection.

The deployment of a previously unseen SysUpdate version in August 2023 reaffirms Budworm's commitment to active toolset development. Organizations of interest should be vigilant and stay abreast of Budworm's evolving tactics.

Protection/Mitigation

Stay informed with the latest protection updates by visiting the Symantec Protection Bulletin.

Indicators of Compromise

Symantec Endpoint products will detect and block any malicious files associated with Indicators of Compromise (IOCs) when available.

As Budworm's cyber threat tactics advance, vigilance is paramount. The recent deployment of an updated SysUpdate variant in targeted attacks emphasizes the APT group's unwavering commitment to refinement. Organizations must prioritize cybersecurity measures and stay informed about evolving threat landscapes. Symantec's ongoing monitoring and detection capabilities play a crucial role in thwarting such threats. For the latest protection updates and proactive defense, continuous collaboration with cybersecurity experts remains essential. As we navigate the ever-changing cyber terrain, a collective effort to enhance defenses is crucial in safeguarding against sophisticated threats like Budworm.