APT27, aka Iron Tiger or Bronze Union, is continuously updating its arsenal of malicious tools. Recently, researchers identified a Linux variant of its custom RAT, SysUpdate. This malware is reportedly in use since 2019 and was updated in April 2021 with new infection routines.
Linux variant of SysUpdate
According to Trend Micro, the adversary completed and tested this variant in July 2022. However, it was not used in attacks before October 2022.
- The new variant is functionally similar to the Windows variant, with only two notable differences.
- The code structure is now changed to use the ASIO C++ asynchronous library and the C++ run-time type information (RTTI) classes have been removed.
- Both these changes make reverse engineering a bit complex and are considered possible attempts to make its analysis difficult.
How the campaign works
The attacker has used both Windows and Linux variants to attack the same targets, including a gambling company based in the Philippines.
- Experts reveal APT27 used the chat app Youdu (possibly rebranded as i Talk by attackers) to send malicious links to the employees, luring them into downloading the initial infection payloads. This is consistent with the group’s TTPs in past attacks.
- In addition, this campaign uses a genuine Microsoft Resource Compiler signed file. This file, vulnerable to DLL sideloading, loads a file named rc[.]dll. Attackers abuse this to load the first-stage payload in memory.
- Depending upon the process permission, it either creates scheduled tasks or updates the registry entries to establish persistence.
- After the next system reboot, the second stage gets initiated and the final SysUpdate payload gets loaded on the infected machine.
End notes
The Linux variant of SysUpdate by APT27 is a desperate attempt by hackers to expand their attack surface. Thus, organizations are suggested to tighten up the vigilance of all entry points, including emails and IM with ant-malware and anti-phishing solutions. Furthermore, they should be wary of malicious tools and make use of provided IOCs and YARA rules for better detection.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/3c34_shutterstock_2001159119.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/7adc_shutterstock_1967648158.jpg)
