Government and telecom entities have faced a new wave of attacks by a China-linked threat actor tracked as Budworm using an updated malware toolset.
The intrusions, targeting a Middle Eastern telecommunications organization and an Asian government, occurred in August 2023, in which the rival deployed an enhanced version of its SysUpdate toolkit, the Symantec Threat Hunter team, part of Broadcom, said in a report.
Budworm, also referred to by the names APT27, Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, and Red Phoenix, is known to be active since at least 2013, targeting a wide range of industry verticals in pursuit of its intelligence gathering goals.
The nation-state group leverages various tools such as China Chopper Web Shell, Gh0st RAT, HyperBro, PlugX, SysUpdate and ZXShell to exfiltrate high value information and maintain access to sensitive systems for long periods of time.
A previous report by SecureWorks in 2017 revealed the attacker’s propensity to gather defense, security and political intelligence from organizations around the world, portraying it as a formidable threat.
It has also been observed that vulnerable Internet-facing services are exploited to gain access to targeted networks. Earlier this March, Trend Micro highlighted a Linux version of SysUpdate, packed with capabilities to circumvent security software and resist reverse engineering.
The backdoor is feature-rich, making it possible to capture screenshots, terminate arbitrary processes, perform file operations, retrieve drive information, and execute commands.
“In addition to its custom malware, Budworm also used a variety of terrestrial and publicly available tools in these attacks,” Symantec said. “It appears that activity by the group may have been stopped early in the attack chain as the only malicious activity observed on infected machines is credential harvesting.”
With the latest development, Budworm joins the latest in the growing list of threat actors that have set their sights on the telecommunications sector in the Middle East, including previously undocumented clusters known as ShroudedSnooper and Sandman.
“SysUpdate has been used by Budworm since at least 2020, and it appears that attackers are constantly developing tools to improve their capabilities and evade detection.”
“Budworm continues to use a known malware (SysUpdate) with techniques it is known to prefer, such as DLL side-loading using an application it has previously used for this purpose . “This suggests that the group is not too concerned about the activity in question if it is discovered.”