Budworm Hackers Deploy Custom Malware in Telco and Govt Attacks

Chinese cyber-espionage group Budworm, also known as APT27 or Emissary Panda, has resurfaced with a sophisticated campaign targeting a Middle Eastern telecommunications company and an Asian government organization.
This news item delves into the details of their activities, highlighting their utilization of a new variant of the ‘SysUpdate’ backdoor.
Key Takeaways:
- Budworm’s Persistent Espionage: Budworm, a Chinese hacking group with a history dating back to 2013, has consistently targeted high-value entities across sectors such as government, technology, and defense. Their recent activities underscore their enduring presence and evolving tactics.
- New SysUpdate Variant Unveiled: The hackers deployed a fresh variant of the ‘SysUpdate’ backdoor in their latest campaign, detected by Symantec’s Threat Hunter team. This remote access trojan (RAT) equips Budworm with a range of capabilities, including command execution, data retrieval, and screenshot capturing.
- Stealthy Attack Techniques: To infiltrate victim systems, the attackers employ DLL sideloading, leveraging a legitimate executable. The malicious DLL, named ‘inicore_v2.3.30.dll,’ is planted in the executable’s working directory so that the Windows DLL search order loads it before the legitimate version, evading detection by security tools.
A Persistent Espionage Player
Budworm has maintained its cyber-espionage activities for nearly a decade, consistently targeting organizations of strategic interest.
Their focus extends to government entities, technology firms, defense sectors, and more, making them a formidable threat.
Unmasking the SysUpdate Backdoor
The ‘SysUpdate’ backdoor, a key tool in Budworm’s arsenal, offers extensive capabilities for remote control and data manipulation. Its association with the group dates back to 2020, showcasing the hackers’ commitment to evolving their attack methods.
DLL Sideloading: A Stealthy Approach
In their latest campaign, Budworm demonstrates a sophisticated attack technique by sideloading a malicious DLL, ‘inicore_v2.3.30.dll.’
This approach ensures that the backdoor operates within the context of a legitimate program, effectively evading detection mechanisms.
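The sideloading pattern described above leaves a detectable trace: a DLL name that normally ships in a vendor or system directory is instead loaded from the directory of the executable that hosts it. The following detection logic is an added example (not Symantec’s or the attackers’ code) that runs over constructed, Sysmon-style ImageLoad records; the `EXPECTED_HOME` allow-list, the `VendorApp` paths and the sample events are hypothetical.

```python
"""Flag DLL-sideloading candidates in image-load telemetry (added example)."""
from pathlib import PureWindowsPath

# Hypothetical allow-list: DLL name -> directory its legitimate copy ships in.
EXPECTED_HOME = {
    "inicore_v2.3.30.dll": r"C:\Program Files\VendorApp\lib",
    "version.dll": r"C:\Windows\System32",
}

# Constructed sample telemetry shaped like Sysmon Event ID 7 fields
# (Image = host process, ImageLoaded = DLL path, Signed = signature state).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\lib\inicore_v2.3.30.dll",
     "Signed": "true"},   # legitimate load from the expected home
    {"Image": r"C:\Users\Public\staging\app.exe",
     "ImageLoaded": r"C:\Users\Public\staging\inicore_v2.3.30.dll",
     "Signed": "false"},  # copied executable loading a planted, unsigned DLL
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true"},   # normal system DLL load
]


def sideload_suspects(events, expected_home=EXPECTED_HOME):
    """Return (exe, dll, reasons) for each load that looks like sideloading.

    A load is suspicious when a tracked DLL name is resolved from the host
    executable's own directory (the search-order slot a planted DLL occupies)
    rather than its expected home, or when the loaded module is unsigned.
    """
    hits = []
    for ev in events:
        exe = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        home = expected_home.get(dll.name.lower())
        if home is None:
            continue  # not a DLL name we track
        reasons = []
        if dll.parent == exe.parent and str(dll.parent).lower() != home.lower():
            reasons.append("loaded from the executable's directory, not its expected home")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned")
        if reasons:
            hits.append((str(exe), str(dll), reasons))
    return hits


if __name__ == "__main__":
    for exe, dll, why in sideload_suspects(SAMPLE_EVENTS):
        print(f"SUSPECT {dll} in {exe}: {'; '.join(why)}")
```

Real deployments would replace the hand-built allow-list with hashes or signer names of the vendor's shipped DLLs and feed the function from a log pipeline rather than an inline list.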
A Toolkit of Espionage
In addition to SysUpdate, Budworm leverages publicly available tools such as AdFind, Curl, SecretsDump, and PasswordDumper.
These tools empower the hackers to conduct various actions, including credential theft, network mapping, lateral movement, and data exfiltration.
Telcos Under Fire
The targeting of telecommunications companies is a recurring theme among state-sponsored hacking groups.
Recent reports have highlighted similar breaches, with custom malware like HTTPSnoop and LuaDream facilitating backdoor access to these critical networks.
Conclusion: A Long-Standing Threat
Budworm’s resilience and adaptability as an APT group underscore the importance of robust cybersecurity measures. Their ability to exploit new attack vectors and evade detection calls for continuous vigilance and defense against evolving threats.
About Budworm: Budworm, also known as APT27 or Emissary Panda, is a Chinese cyber-espionage group known for its persistent targeting of high-value entities. With a history dating back to 2013, they have demonstrated the capability to evolve their tactics and tools over the years, making them a significant threat in the realm of cybersecurity.