In the ever-evolving landscape of cyber threats, a persistent and formidable adversary has once again emerged on the radar of cybersecurity experts. Known as Budworm, this Chinese cyber-espionage group, also referred to as APT27 or Emissary Panda, has resurfaced with a new variant of its custom 'SysUpdate' backdoor. Their latest campaign, which took place in August 2023, has raised concerns as they targeted a telecommunication firm in the Middle East and a government entity in Asia. In this blog, we'll delve into the details of Budworm's activities, their evolving tactics, and the implications for cybersecurity.
Budworm has been a prominent player in the realm of cyber-espionage since 2013. Over the years, they have demonstrated a consistent ability to target high-value entities, including government organizations, technology firms, defense contractors, and other critical sectors. Their tenacity is evident in their persistence and adaptability in the face of evolving cybersecurity measures.
At the heart of Budworm's recent campaign is the SysUpdate malware, a remote access trojan (RAT) that has been associated with the group since 2020. This malware is a versatile tool, enabling the hackers to perform a wide range of malicious activities, including Windows service and file management, command execution, data retrieval, and even capturing screenshots. What sets this campaign apart is the emergence of a Linux variant of SysUpdate, which was first reported by Trend Micro in March 2023. This Linux variant has been circulating since October 2022, further expanding Budworm's capabilities and reach.
One of the key techniques employed by Budworm in this campaign is DLL sideloading, a method that leverages a legitimate executable named 'INISafeWebSSO.exe' to deploy their backdoor. The malicious DLL file, 'inicore_v2.3.30.dll,' is placed in the working directory; because Windows searches the application's own directory before the system directories, the planted DLL is loaded in place of the legitimate version (search order hijacking). Since the backdoor then runs inside a trusted, legitimate process, this tactic helps Budworm avoid detection by security tools running on compromised hosts, highlighting the group's sophistication.
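The detection side of the sideloading pattern above, as an added example that is not from the original post or from any vendor tooling: a heuristic run over constructed Sysmon-style image-load records (Event ID 7 fields `Image`, `ImageLoaded`, `Signed`) that flags a DLL loaded from the executable's own directory when that directory is outside the trusted system paths and the DLL is unsigned. The directory paths, the `Signed` values and the assumption that the working directory equals the executable's directory are constructed for the example; only the two file names come from the post.

```python
# Added example: heuristic detector for DLL sideloading / search-order hijacking,
# run over constructed Sysmon-style image-load records (not real telemetry).
from pathlib import PureWindowsPath

# Directories Windows searches after the application directory; a DLL loaded
# from one of these is the normal case, not a sideload.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

def is_sideload_candidate(event: dict) -> bool:
    """True when a DLL is loaded from the executable's own directory, that
    directory is outside TRUSTED_DIRS, and the DLL is unsigned. Because the
    application directory is searched first, a planted DLL there wins over
    the legitimate copy that lives in a system directory."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    in_trusted = str(dll.parent).lower().startswith(TRUSTED_DIRS)
    signed = str(event.get("Signed", "false")).lower() == "true"
    return same_dir and not in_trusted and not signed

def find_sideloads(events: list[dict]) -> list[str]:
    """Return 'exe -> dll' strings for every record matching the heuristic."""
    return [f'{PureWindowsPath(e["Image"]).name} -> {PureWindowsPath(e["ImageLoaded"]).name}'
            for e in events if is_sideload_candidate(e)]

# Constructed sample records. The directory C:\Users\Public\tmp and the Signed
# values are assumptions for the example; only the file names come from the post.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\tmp\INISafeWebSSO.exe",
     "ImageLoaded": r"C:\Users\Public\tmp\inicore_v2.3.30.dll", "Signed": "false"},
    {"Image": r"C:\Users\Public\tmp\INISafeWebSSO.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL sideload:", hit)
```

A signed vendor DLL sitting beside its own executable (third record) is deliberately not flagged, so the heuristic needs signature data to keep the false-positive rate usable.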
In addition to SysUpdate, Budworm's arsenal includes various publicly available tools such as AdFind, Curl, SecretsDump, and PasswordDumper. These tools serve multiple purposes, including credential dumping, network mapping, lateral movement within compromised networks, and data theft. This wide array of tools underscores the group's capability to execute complex and multifaceted attacks.
Targeting telecommunication companies has become a common objective among state-sponsored and APT hacking groups. Budworm's recent activities align with this trend, as they seek to infiltrate and compromise these critical infrastructure providers. In recent months, other hacking groups have also breached telecom firms, installing custom malware with backdoor access capabilities, further underscoring the value of these targets to cyber adversaries.
Despite periodic warnings and alerts from cybersecurity agencies worldwide, Budworm remains a persistent and audacious threat. Their activities have extended to supply chain attacks, utilizing tools like Windows BitLocker for encrypting servers to mask their espionage intentions. Various nations and organizations have fallen victim to Budworm's espionage, with high-profile targets including Germany's intellectual property holders and Belgium's defense and interior ministries.
The resurgence of Budworm, with their latest SysUpdate variant and diverse toolset, underscores the ever-present need for vigilance in the world of cybersecurity. Their ability to adapt, evolve, and target critical infrastructure highlights the sophistication of state-sponsored hacking groups. As organizations and nations strive to protect their digital assets, it is imperative to remain informed about evolving threats and employ robust cybersecurity measures to mitigate the risks posed by adversaries like Budworm.