The Budworm advanced persistent threat (APT) group, also known as LuckyMouse, Emissary Panda or APT27, has once again demonstrated its active development of cyber-espionage tools.
In August 2023, security researchers from Symantec’s Threat Hunter Team, a part of Broadcom, uncovered Budworm’s use of an updated version of its key tool to target a Middle Eastern telecommunications organization and an Asian government.
As described in an advisory published earlier today by the team, the attack leveraged a previously unseen variant of Budworm’s SysUpdate backdoor, known as SysUpdate DLL inicore_v2.3.30.dll.
This backdoor is exclusively used by Budworm, indicating the group’s sophistication and customized approach. Although various attack techniques were employed, the only observed malicious activity was credential harvesting, suggesting that the attack may have been stopped early in its execution.
Budworm’s attack arsenal includes not only custom malware but also publicly available tools, including the INISafeWebSSO application for DLL sideloading. This technique exploits the Windows DLL search order mechanism, enabling the execution of malicious payloads through legitimate applications, making detection more challenging.
The SysUpdate backdoor provides attackers with various capabilities, such as service manipulation, screenshot capture, process management, file operations and command execution. Budworm has used it since at least 2020, and the group continually enhances it to evade detection.
In addition to SysUpdate, the attackers employed legitimate or publicly available tools like AdFind, Curl, SecretsDump and PasswordDumper for network mapping and credential theft.
Budworm is a long-standing APT group, active since at least 2013, known for targeting high-value victims, especially in government, technology and defense sectors.
Read more on Budworm attacks and techniques: Budworm Espionage Group Returns, Targets US State Legislature
According to Symantec, this latest campaign aligns with Budworm’s typical targets, emphasizing intelligence gathering as its primary motivation. The group’s willingness to use known malware, such as SysUpdate, and previously employed techniques like DLL sideloading suggests a degree of indifference to detection.
The discovery of an updated SysUpdate tool highlights Budworm’s continued toolset development and underscores its ongoing activity as of August 2023.
Organizations at risk of Budworm’s targeting should remain vigilant and adapt their defenses to this evolving threat.