Budworm Hackers Target Telcos and Govt Orgs With Custom Malware

Cyber Security Threat Summary:
A Chinese cyber-espionage group known as Budworm has recently been observed attacking a telecommunications company in the Middle East and a government organization in Asia. Notably, the group deployed a new version of its custom 'SysUpdate' malware in these intrusions. SysUpdate is a remote access trojan (RAT) that has been attributed to Budworm, also tracked as APT27 or Emissary Panda, since 2020. The RAT lets the group manage Windows services, processes, and files on a compromised host, execute commands, retrieve data, and capture screenshots. In March 2023, Trend Micro disclosed a Linux variant of SysUpdate that had been circulating in the wild since October 2022. In the most recent campaign, in August 2023, Symantec's Threat Hunter team, a division of Broadcom, observed the latest iteration of the SysUpdate backdoor.

“Symantec reports the backdoor is deployed on victim systems via DLL sideloading leveraging the legitimate 'INISafeWebSSO.exe' executable. The malicious DLL file used in Budworm attacks is identified as 'inicore_v2.3.30.dll,' planted in the working directory, so it's launched before the legitimate version due to Windows search order hijacking. By loading SysUpdate in the context of a legitimate program process, the attackers can evade detection from security tools running on the compromised host. Along with SysUpdate, Symantec reports seeing several publicly available tools used in Budworm's latest attacks, like AdFind, Curl, SecretsDump, and PasswordDumper” (BleepingComputer, 2023).

These tools let the attackers dump credentials, map Active Directory and the surrounding network, move laterally within compromised environments, and exfiltrate data. It is also noteworthy that telecommunications companies have increasingly become prime targets for state-sponsored and APT hacking groups, since a foothold in a carrier exposes the communications of many downstream customers.

Security Officer Comments:
In recent weeks, researchers have documented other hacking groups infiltrating telecom companies to deploy the custom backdoors HTTPSnoop and LuaDream, both of which grant persistent unauthorized access to the compromised networks. Budworm has been operating since at least 2013 and targets high-value entities in government, technology, defense, and other key sectors. In 2020, the group was observed abusing Windows BitLocker to encrypt servers at gaming companies, reportedly for extortion rather than espionage. In 2022, Germany's domestic intelligence agency (BfV) warned that the group was targeting German companies, including through supply-chain attacks, and the Belgian government attributed attacks on its interior and defence ministries to the group. In August 2022, SEKOIA found Budworm luring Chinese-speaking users with a trojanized messaging app, 'MiMi', that installed the 'rshell' backdoor to steal data from Linux and macOS hosts.

Suggested Correction(s):

Organizations can make APT groups' lives more difficult. Here's how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies. For the sideloading technique described above, that monitoring should include image-load telemetry so that a signed executable loading an unsigned or unexpectedly located DLL is visible to defenders.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.