China-Linked Budworm Targeting Middle Eastern Telco and Asian Government Agencies

Sep 28, 2023THNMalware / Cyber Threat

Government and telecom entities have been subjected to a new wave of attacks by a China-linked threat actor tracked as Budworm using an updated malware toolset.

The intrusions, targeting a Middle Eastern telecommunications organization and an Asian government, took place in August 2023, with the adversary deploying an improved version of its SysUpdate toolkit, the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

Budworm, also referred to by the names APT27, Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, and Red Phoenix, is known to be active since at least 2013, targeting a wide range of industry verticals in pursuit of its intelligence gathering goals.

The nation-state group leverages various tools such as China Chopper web shell, Gh0st RAT, HyperBro, PlugX, SysUpdate, and ZXShell to exfiltrate high-value information and maintain access to sensitive systems over a long period of time.

A previous report from SecureWorks in 2017 revealed the attacker’s penchant for collecting defense, security, and political intelligence from organizations worldwide, characterizing it as a formidable threat.

It has also been observed exploiting vulnerable internet-facing services to gain access to targeted networks. Earlier this March, Trend Micro shed light on the Linux version of SysUpdate, which packs in capabilities to circumvent security software and resist reverse engineering.

The backdoor is feature-rich, making it possible to capture screenshots, terminate arbitrary processes, conduct file operations, retrieve drive information, and execute commands.

“As well as its custom malware, Budworm also used a variety of living-off-the-land and publicly available tools in these attacks,” Symantec said. “It appears the activity by the group may have been stopped early in the attack chain as the only malicious activity seen on infected machines is credential harvesting.”

With the latest development, Budworm is the new addition to a growing list of threat actors that have trained their eyes on the telecom sector in the Middle East, including previously undocumented clusters dubbed ShroudedSnooper and Sandman.

“SysUpdate has been in use by Budworm since at least 2020, and the attackers appear to continually develop the tool to improve its capabilities and avoid detection.”

“That Budworm continues to use a known malware (SysUpdate), alongside techniques it is known to favor, such as DLL side-loading using an application it has used for this purpose before, indicate that the group isn’t too concerned about having this activity associated with it if it is discovered.”