In the ever-evolving landscape of cyber threats, the Budworm advanced persistent threat (APT) group has once again showcased its sophistication. In a recent campaign targeting a Middle Eastern telecommunications organization and an Asian government, Budworm deployed an updated version of its notorious SysUpdate backdoor, raising concerns among cybersecurity experts.
The Threat Hunter Team at Symantec, a division of Broadcom, discovered the new variant (SysUpdate DLL inicore_v2.3.30.dll) during the August 2023 attacks. Known by aliases such as LuckyMouse, Emissary Panda, and APT27, Budworm consistently demonstrates active development of its toolset.
Notably, the group employed various living-off-the-land and publicly available tools alongside its custom malware. The attacks seem to have been halted early in the chain, with credential harvesting being the primary malicious activity observed on infected machines.
Tools Used
Budworm executed SysUpdate through DLL sideloading, leveraging the legitimate INISafeWebSSO application. This technique, which the group has used since at least 2018, abuses the Windows DLL search order: the attacker places a malicious DLL alongside a legitimate, typically signed application and launches that application so that it loads the planted DLL instead of the intended one. The payload then runs inside a trusted process, which helps it evade detection.
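The sideloading pattern described above leaves a recognisable trace in endpoint telemetry: a DLL that is unsigned (or whose signature does not validate) loaded from the application's own directory rather than from a Windows system directory. The following is an added example, not code from the Symantec report, that triages Sysmon Event ID 7 ("Image loaded") records for that pattern. It assumes the events have been exported in a constructed `key=value|key=value` format using the real Sysmon field names (`Image`, `ImageLoaded`, `Signed`, `SignatureStatus`); `INISafeWebSSO.exe` is an assumed file name for the INISafeWebSSO application, `inicore_v2.3.30.dll` is the DLL named in the report, and the list of commonly shadowed System32 DLL names is illustrative. It generalises slightly beyond the page by also flagging the name-shadowing variant of sideloading, in which a DLL bearing the name of a system library is dropped beside an application binary.

```python
# Added example (not from the Symantec report): triage Sysmon Event ID 7
# "Image loaded" records for DLL sideloading candidates.
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which DLL loads are expected. A DLL loaded from the
# process's own directory instead of one of these is worth a second look.
SYSTEM_DIRS = (
    "c:/windows/system32",
    "c:/windows/syswow64",
    "c:/windows/winsxs",
)

# Illustrative (constructed) list of DLL names that normally resolve to
# System32. A copy with one of these names sitting next to an application
# binary is the classic search-order sideload pattern.
COMMON_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptsp.dll", "wtsapi32.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str             # Image: the process that loaded the module
    image_loaded: str      # ImageLoaded: full path of the DLL
    signed: bool           # Signed: whether the DLL carries a signature
    signature_status: str  # SignatureStatus: e.g. "Valid", "Unavailable"


def parse_event(line: str) -> ImageLoad:
    """Parse one 'key=value|key=value' record (constructed export format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unavailable"),
    )


def _norm(path: str) -> str:
    # Windows paths are case-insensitive: compare a lower-cased, forward-slash form.
    return PureWindowsPath(path).as_posix().lower()


def in_system_dir(path: str) -> bool:
    """True if the path lies under one of the expected system directories."""
    return any(_norm(path).startswith(d + "/") for d in SYSTEM_DIRS)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the heuristics this load trips (empty list means nothing suspicious)."""
    reasons = []
    dll = PureWindowsPath(ev.image_loaded)
    same_dir = _norm(str(dll.parent)) == _norm(str(PureWindowsPath(ev.image).parent))
    untrusted = (not ev.signed) or ev.signature_status.lower() != "valid"
    if same_dir and not in_system_dir(ev.image_loaded) and untrusted:
        reasons.append("unsigned DLL loaded from the process's own directory")
    if dll.name.lower() in COMMON_SYSTEM_DLLS and not in_system_dir(ev.image_loaded):
        reasons.append("DLL name shadows a System32 library")
    return reasons


def triage(lines) -> dict[str, list[str]]:
    """Map each suspicious DLL path to the reasons it was flagged; clean loads are omitted."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            findings[ev.image_loaded] = reasons
    return findings


# Constructed sample records. INISafeWebSSO.exe is an assumed file name for the
# INISafeWebSSO application; inicore_v2.3.30.dll is the DLL named in the report.
SAMPLE_EVENTS = [
    r"Image=C:\Users\alice\AppData\Local\Temp\INISafeWebSSO.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\inicore_v2.3.30.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\vendorlib.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\version.dll|Signed=false|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(why))
```

Both heuristics are deliberately noisy: legitimate software ships unsigned plugin DLLs in its own directory, so the output is a triage queue rather than an alert, and in practice it should be combined with an allowlist of known application directories and with the process-level signal of a signed binary executing from an unusual location such as a user's temp folder.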
SysUpdate, a feature-rich backdoor, boasts capabilities such as service manipulation, screenshot capture, process management, drive information retrieval, file management, and command execution.
In a significant development reported by Trend Micro in March 2023, Budworm extended its reach by developing a Linux version of SysUpdate, matching the capabilities of its Windows counterpart. The group's consistent toolset development underscores its commitment to enhancing capabilities and avoiding detection.
Besides SysUpdate, Budworm utilized legitimate or publicly available tools for network mapping and credential dumping, including AdFind, Curl, SecretsDump, and PasswordDumper.
Budworm Background
Budworm, a long-standing APT group active since at least 2013, is notorious for targeting high-value victims, particularly in government, technology, and defense sectors. Past campaigns have reached countries across Southeast Asia, the Middle East, and the U.S. Symantec's Threat Hunter Team previously documented Budworm's activity in a U.S. state legislature network in October 2022, targeting government entities, a multinational electronics manufacturer, and a hospital in Southeast Asia.
The recent victims—a government in Asia and a telecommunications company in the Middle East—align with Budworm's typical targets, indicating the group's persistent focus on intelligence gathering. The use of known malware (SysUpdate) and familiar techniques like DLL sideloading suggests Budworm remains undeterred by the risk of detection.
The deployment of a previously unseen SysUpdate version in August 2023 reaffirms Budworm's commitment to active toolset development. Organizations of interest should be vigilant and stay abreast of Budworm's evolving tactics.
Protection/Mitigation
Stay informed with the latest protection updates by visiting the Symantec Protection Bulletin.
Indicators of Compromise
Symantec Endpoint products will detect and block any malicious files associated with Indicators of Compromise (IOCs) when available.