Symantec exposes Budworm APT group’s use of updated custom tool in government, telecom attacks


Researchers from Symantec’s Threat Hunter Team released details of Budworm APT (advanced persistent threat) group’s tactics deploying an updated custom tool that strikes government and telecom organizations. The researchers said that the previously unseen version of SysUpdate was used in the August 2023 campaign.

“The Budworm advanced persistent threat (APT) group continues to actively develop its toolset. Most recently, the Threat Hunter Team in Symantec, part of Broadcom, discovered Budworm using an updated version of one of its key tools to target a Middle Eastern telecommunications organization and an Asian government,” the researchers said in a Thursday blog post. “Both attacks occurred in August 2023. Budworm (aka LuckyMouse, Emissary Panda, APT27) deployed a previously unseen variant of its SysUpdate backdoor (SysUpdate DLL inicore_v2.3.30[dot]dll). SysUpdate is exclusively used by Budworm.”

In addition to the custom malware, Budworm also used a variety of living-off-the-land and publicly available tools in these attacks. It appears the activity by the group may have been stopped early in the attack chain as the only malicious activity seen on infected machines is credential harvesting.

Symantec identified that Budworm is a long-running APT group that is believed to have been active since at least 2013. The attackers are known for their targeting of high-value victims, often focusing on organizations in the government, technology, and defense sectors. Budworm has targeted victims in many countries in Southeast Asia and the Middle East, among other locations, including the U.S.

Symantec’s Threat Hunter Team detailed last October how Budworm activity was seen on the network of a U.S. state legislature. In that campaign, the attackers also targeted the government of a Middle Eastern country, a multinational electronics manufacturer, and a hospital in Southeast Asia. The attackers also leveraged DLL sideloading in that campaign to load their HyperBro malware.

Going back to the current campaign, Symantec said that the Asian government and a telecommunications company in the Middle East “do align with the kinds of victims we often see Budworm targeting. The targeting of a telecommunications company and government also points to the motivation behind the campaign being intelligence gathering, which is the motivation that generally drives Budworm activity.”

“That Budworm continues to use a known malware (SysUpdate), alongside techniques it is known to favor, such as DLL sideloading using an application it has used for this purpose before, indicates that the group isn’t too concerned about having this activity associated with it if it is discovered,” according to the post. “The use of a previously unseen version of the SysUpdate tool also demonstrates that the group is continuing to actively develop its toolset.”

The researchers added that the fact that this activity occurred as recently as August 2023 suggests that the group is currently active and that those organizations that may be of interest to Budworm should be aware of this activity and the group’s current toolset.

Symantec researchers identified that Budworm executes SysUpdate on victim networks by DLL sideloading the payload using the legitimate INISafeWebSSO application. “This technique has been used by the group for some time, with reports of INISafeWebSSO being leveraged dating as far back as 2018. DLL sideloading attacks use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious payload. It can help attackers evade detection.”
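The sideloading pattern described above, a DLL resolved from the host application's own directory instead of a Windows system directory, can be hunted for in image-load telemetry. The following is an added example written for this article, not Symantec's code or detection logic; the event shape mirrors the Image/ImageLoaded/Signed/SignatureStatus fields of a Sysmon image-load event, and the event records, paths and signature states are constructed samples.

```python
"""Flag DLL loads whose shape matches sideloading: the DLL was resolved from
the host executable's own directory (not a Windows system directory) and
carries no valid signature.  Events are constructed samples modelled on
Sysmon Event ID 7 (ImageLoaded) fields, not real telemetry."""
import ntpath

SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed sample events; install paths and signature states are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\INISAFE\INISafeWebSSO.exe",
     "ImageLoaded": r"C:\Program Files\INISAFE\inicore_v2.3.30.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\INISAFE\INISafeWebSSO.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def is_sideload_candidate(event):
    """True when the DLL came from the EXE's own directory, that directory is
    not a Windows system directory, and the DLL has no valid signature."""
    exe_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"].lower())
    if dll_dir != exe_dir:
        return False  # resolved from elsewhere (e.g. System32): not the sideload shape
    if dll_dir.startswith(SYSTEM_DIRS):
        return False  # application itself lives in a system directory; out of scope here
    signed_ok = event["Signed"].lower() == "true" and event["SignatureStatus"] == "Valid"
    return not signed_ok


def find_sideload_candidates(events):
    """Return (exe, dll) pairs that merit an analyst's attention."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible sideload: {dll} loaded by {exe}")
```

A signed-but-unexpected DLL would slip past this filter, so in practice the signer of the DLL should also be compared with the signer of the host executable.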

SysUpdate is a feature-rich backdoor that has multiple capabilities, including listing, starting, stopping, and deleting services; taking screenshots; browsing and terminating processes; drive information retrieval; file management (finds, deletes, renames, uploads, downloads files, and browses a directory); and command execution. 

In March, Trend Micro reported that Budworm had developed a Linux version of SysUpdate with similar capabilities to the Windows version. SysUpdate has been in use by Budworm since at least 2020, and the attackers appear to continually develop the tool to improve its capabilities and avoid detection. As well as SysUpdate, the attackers used several legitimate or publicly available tools to map the network and dump credentials.

Earlier this month, Symantec researchers revealed that Redfly espionage hackers are continuing to attack critical national infrastructure (CNI) targets, raising concerns for governments and CNI organizations worldwide. The researchers found evidence that Redfly used the ShadowPad trojan to compromise a national grid in an Asian country for six months earlier this year. The attackers managed to steal credentials and compromise multiple computers on the organization’s network.
