Budworm APT starts a new campaign that targets Middle East

October 17, 2023

The notorious advanced persistent threat group Budworm APT is making noise again with a new campaign.

Analysis of the group’s activity shows that the threat actors are using updated and improved tooling to target Asian government organisations and a Middle Eastern telecommunications firm.

A few months ago, this sophisticated group ran a campaign that leveraged an enhanced version of the SysUpdate backdoor. Researchers call the backdoor SysUpdate; the file name observed in this campaign was inicore_v2[.]3[.]30[.]dll.

In the new campaign the threat actors combined various customised malware strains with a selection of living-off-the-land and publicly available tools. The main goal of the attack appears to be harvesting as many credentials as possible from the targeted entities.

The Budworm APT group has used a sideloading technique to make its campaign more effective against a range of targets.

According to researchers, the Budworm APT group has refined its signature technique over the years: SysUpdate is deployed inside victims’ networks by sideloading the DLL payload via the legitimate INISafeWebSSO application. The group has reportedly used this technique since at least 2018.

The SysUpdate backdoor is a versatile tool whose capabilities range from file management and command execution to process monitoring and screenshot capture. In its recent campaign the group also used legitimate and publicly available tools such as AdFind, Curl, SecretsDump, and PasswordDumper. Mixing malicious tools with legitimate ones is a deliberate tactic to evade security detection and avoid raising suspicion.
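The two passages above describe a pattern defenders can look for: a legitimate, signed host application (INISafeWebSSO) loading an unsigned DLL dropped beside it, followed by discovery and credential tooling spawned from that host. The script below is an added example written for this article, not code from the article or from the researchers it cites. It consumes Sysmon-style ImageLoad (Event ID 7) and ProcessCreate (Event ID 1) records, flags the side-loading shape, and escalates only when a watched tool runs as a child of the flagged host. All records are constructed samples; the executable name INISafeWebSSO.exe, the user-profile path, and the tool image paths are assumptions, since the article names only the application and the tools.

```python
"""Defensive triage of Sysmon-style telemetry for DLL side-loading and follow-on tooling.

Record kinds consumed (field names follow Sysmon):
  * ImageLoad  (Event ID 7): Image, ImageLoaded, Signed, SignatureStatus
  * ProcessCreate (Event ID 1): Image, ParentImage
Every sample record below is constructed for illustration; INISafeWebSSO.exe is an
assumed file name (the article names only the application).
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Install locations where a DLL sitting next to its host is expected. Anything
# else (user profiles, temp, downloads) is treated as user-writable.
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")

# Tools named in the article. Their presence alone proves nothing, so they are
# only escalated when the parent process already loaded a suspect DLL.
WATCHED_TOOLS = {"adfind.exe", "curl.exe", "secretsdump.exe", "passworddumper.exe"}


@dataclass
class Finding:
    host_process: str
    dll: str
    reasons: list[str] = field(default_factory=list)
    child_tools: list[str] = field(default_factory=list)


def _under_trusted_root(path: str) -> bool:
    p = ntpath.normpath(path).lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def assess_image_load(ev: dict) -> Finding | None:
    """Return a Finding when an ImageLoad record looks like side-loading, else None."""
    host, dll = ev["Image"], ev["ImageLoaded"]
    reasons: list[str] = []
    # Side-loading abuses DLL search order: the payload sits beside the executable
    # so it is resolved before the genuine library.
    same_dir = ntpath.dirname(host).lower() == ntpath.dirname(dll).lower()
    if same_dir and not _under_trusted_root(dll):
        reasons.append("dll in same user-writable directory as host")
    unsigned = ev.get("Signed", "true").lower() == "false"
    if unsigned or ev.get("SignatureStatus", "Valid") != "Valid":
        reasons.append("dll unsigned or signature invalid")
    # Require both a location and a signature anomaly to keep noise down.
    return Finding(host, dll, reasons) if len(reasons) == 2 else None


def correlate(image_loads: list[dict], process_creates: list[dict]) -> list[Finding]:
    """Attach watched child tools to each side-loading finding via ParentImage."""
    findings = [f for f in map(assess_image_load, image_loads) if f]
    for f in findings:
        for pc in process_creates:
            child = ntpath.basename(pc["Image"])
            if pc["ParentImage"].lower() == f.host_process.lower() and child.lower() in WATCHED_TOOLS:
                f.child_tools.append(child)
    return findings


# Constructed sample telemetry (assumed paths; not real captures).
HOST = r"C:\Users\alice\AppData\Roaming\INISafeWeb\INISafeWebSSO.exe"
SAMPLE_IMAGE_LOADS = [
    {   # payload named after the article's IoC, dropped beside the host in a user profile
        "Image": HOST,
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\INISafeWeb\inicore_v2.3.30.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # benign: system DLL from System32
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # benign: unsigned plugin, but inside Program Files (location is expected)
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]
SAMPLE_PROCESS_CREATES = [
    {"Image": r"C:\Windows\Temp\AdFind.exe", "ParentImage": HOST},            # child of flagged host
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\explorer.exe"},  # unrelated
]


def run_sample() -> list[Finding]:
    """Run the correlation over the constructed samples; returns one finding."""
    return correlate(SAMPLE_IMAGE_LOADS, SAMPLE_PROCESS_CREATES)


if __name__ == "__main__":
    for f in run_sample():
        print(f.host_process, "->", f.dll, f.reasons, "children:", f.child_tools)
```

The unsigned plugin under Program Files is deliberately left unflagged: requiring both a location anomaly and a signature anomaly is what keeps this usable on a fleet, and the child-process correlation is what turns a medium-confidence side-loading hit into something worth paging on.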

Budworm APT has consistently targeted entities in the defence, government, and technology sectors, and has continued its operations against countries in Southeast Asia, the Middle East, and the United States.

Its latest victims are a Middle East-based telecommunications company and an Asian government entity. This pattern fits the group’s objective, since it focuses mainly on intelligence gathering.

Organisations should proactively update and patch their systems to protect against known vulnerabilities exploited by tools like SysUpdate. Experts also suggest that targeted entities adopt advanced threat intelligence and monitoring solutions to detect and counter unusual activity, especially when it is linked to notorious groups like Budworm APT.
