Chinese Hacker Group Budworm Deploys An Updated Custom Malware - 'SysUpdate'
Category: Threat Actor Activity | Industries: Government & Telecommunications | Source: Symantec
The Budworm advanced persistent threat (APT) group, also known as LuckyMouse, Emissary Panda, and APT27, has been actively enhancing its toolset. Symantec's Threat Hunter Team recently observed this Chinese cyber-espionage group using an updated variant of its SysUpdate backdoor against a Middle Eastern telecommunications organization and an Asian government agency in August 2023. SysUpdate is a custom backdoor used exclusively by Budworm, and the new variant has been developed to extend its capabilities and avoid detection.
Budworm displayed sophisticated tradecraft: to execute SysUpdate it uses DLL sideloading through the legitimate INISafeWebSSO application. This technique abuses the Windows DLL search order so that a legitimate, trusted application loads and runs a malicious DLL placed alongside it, allowing the attackers to evade detection. The SysUpdate backdoor offers numerous capabilities, including service management, screenshot capture, process management, file operations, and command execution. Symantec notes that Budworm also deploys a range of native and open-source tools, including AdFind, Curl, SecretsDump, and PasswordDumper. Symantec further reports that the activity it captured from Budworm's intrusions was short-lived, since "activity by the group may have been stopped early in the attack chain as the only malicious activity seen on infected machines is credential harvesting."
Budworm's activity dates back to at least 2013, and the group is known for targeting high-value victims, particularly in the government, technology, and defense sectors across Southeast Asia, the Middle East, and beyond. This recent campaign reaffirms its focus on intelligence gathering using known malware and preferred techniques, while highlighting its continued active development of tools.