Budworm Strikes Again: Updated SysUpdate Targets Government and Telecom Sectors

Diving into the Details

• In August 2023, Budworm, also known as LuckyMouse, Emissary Panda, and APT27, launched an attack deploying an updated SysUpdate backdoor - SysUpdate DLL inicore_v2.3.30.dll. 
• The group combined this with a mix of custom malware, along with several living-off-the-land and publicly available tools. 
• The primary aim of the attackers was credential harvesting.

Analyzing the Arsenal

• Budworm’s signature technique consists of executing SysUpdate on victims' networks by sideloading the DLL payload using the authentic INISafeWebSSO application - a tactic it has employed since at least 2018. 
• SysUpdate is a multifaceted backdoor with capabilities ranging from file management and command execution to taking screenshots and browsing processes. 
• The group, furthermore, employed legitimate tools such as AdFind, Curl, SecretsDump, and PasswordDumper in its recent campaign, emphasizing its methodological approach to attacks, blending malicious tools with legitimate ones to avoid suspicion.

Why this matters

• Tracing back to 2013, Budworm's endeavors have primarily targeted entities in defense, government, and technology sectors, particularly in Southeast Asia, the Middle East, and the U.S. 
• APT27’s victim profile, such as the recent targeting of an Asian government and a Middle Eastern telecom firm, aligns with its intelligence-gathering objectives.
• The latest version of SysUpdate affirms the group's ongoing toolset development.

The bottom line