Image: Nahel Abdul Hadi (unsplash)
A hacking group from China, known as Budworm, has been detected as they aimed their efforts at a Middle Eastern telecommunication company and an Asian government organization. Their method involved a newly developed version of their proprietary ‘SysUpdate’ backdoor.
This SysUpdate malware is categorized as a remote access trojan (RAT) and has been linked with Budworm since 2020. It offers support for various operations such as Windows service, process, and file management, as well as command execution, data retrieval, and taking screenshots.
Trend Micro, in March 2023, unveiled information about a Linux rendition of SysUpdate. This version had been circulating widely since October 2022.
Broadcom’s subsidiary, Symantec’s Threat Hunter team, identified the latest SysUpdate backdoor iteration in a campaign from August 2023.
According to Symantec, the backdoor is introduced into systems by leveraging ‘INISafeWebSSO.exe’ executable through DLL sideloading. The malicious DLL file, named ‘inicore_v2.3.30.dll’, is strategically placed in the working directory. This positioning ensures its execution before its legitimate counterpart, exploiting the Windows search order.
Using SysUpdate within the realm of a genuine software process lets the perpetrators bypass detection mechanisms of security tools on the infiltrated system.
Symantec also observed Budworm utilizing several publicly known tools in their recent offensive, including AdFind, Curl, SecretsDump, and PasswordDumper. These tools facilitate the hackers in tasks like credential extraction, network mapping, lateral movement within an infiltrated network, and data theft.
Recently, telecommunication firms have been frequently targeted by state-backed and advanced persistent threat (APT) hacker groups.
In the last month alone, there have been instances where hacker groups infiltrated telecom entities to introduce malware such as HTTPSnoop and LuaDream. Both these malware variants offer backdoor access into the networks.
Historical Overview of Budworm
The Budworm group has been operational since 2013, directing their efforts towards lucrative targets in sectors such as government, technology, and defense.
In 2020, there was a shift in their modus operandi where they toyed with the idea of exploiting the Windows BitLocker tool. This was done to encrypt servers belonging to online gaming and gambling businesses, probably to divert attention from their primary objectives.
Early in 2022, Germany’s intelligence agency raised alarms regarding Budworm’s undertakings. They emphasized the potential threats of supply chain attacks, especially against significant intellectual property owners in Germany.
Later in the same year, Belgium’s Ministry of Foreign Affairs brought to light the attempts made by this group on the nation’s defense and internal ministries.
SEKOIA, in August 2022, uncovered Budworm’s strategy of creating deceptive websites to attract Chinese users. They advertised a phony cross-platform messaging application named ‘MiMi.’ The software installation files for this counterfeit app were found to carry a novel backdoor called ‘rshell’. This backdoor had the capability to siphon data from both Linux and macOS systems.