Government and telecommunications entities have been subjected to a new wave of attacks by a China-linked threat actor tracked as Budworm, using an updated malware toolset.
The intrusions, targeting a Middle Eastern telecommunications organization and an Asian government, took place in August 2023, and the adversary deployed an improved version of its SysUpdate toolkit, the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.
Budworm, also known by the names APT27, Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse and Red Phoenix, has been active since at least 2013, targeting a wide range of industry verticals in pursuit of its intelligence-gathering goals.
The nation-state group leverages various tools such as China Chopper web shell, Gh0st RAT, HyperBro, PlugX, SysUpdate and ZXShell to exfiltrate high-value information and maintain access to sensitive systems for a long period of time.
A previous SecureWorks report from 2017 revealed the attacker's penchant for collecting political, security and defense intelligence from organizations around the world, characterizing it as a formidable threat.
It has also been observed exploiting vulnerable Internet-facing services to gain access to targeted networks. In early March, Trend Micro shed light on the Linux version of SysUpdate, which includes capabilities to bypass security software and resist reverse engineering.
The backdoor is feature-rich, allowing its operators to take screenshots, kill arbitrary processes, perform file operations, retrieve drive information, and execute commands.
“In addition to its custom malware, Budworm also used a variety of publicly available tools in these attacks,” Symantec said. “It appears that the group’s activity may have been stopped early in the attack chain, as the only malicious activity observed on the infected machines is credential harvesting.”
With the latest development, Budworm is the latest addition to a growing list of threat actors that have set their sights on the telecommunications sector in the Middle East, including the previously undocumented groups called ShroudedSnooper and Sandman.
“Budworm has used SysUpdate since at least 2020, and attackers appear to continually develop the tool to improve its capabilities and avoid detection.”
“The fact that Budworm continues to use a known malware (SysUpdate), along with techniques it is known to prefer, such as sideloading DLLs using an application it has previously used for this purpose, indicates that the group is not overly concerned about having this activity associated with it if it is discovered.”