Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org

Budworm continues to develop its toolset, unveiling an updated SysUpdate backdoor variant (SysUpdate DLL inicore_v2.3.30.dll) used against a Middle Eastern telecommunications organization and an Asian government in August 2023. The group combines DLL sideloading with living-off-the-land and publicly available tools to map networks and harvest credentials, signaling ongoing activity and tool refinement. #Budworm #SysUpdate #INISafeWebSSO #AdFind #SecretsDump #PasswordDumper #Curl

Keypoints

  • Budworm (aka LuckyMouse/Emissary Panda/APT27) used an updated SysUpdate backdoor in August 2023 against a telecom in the Middle East and a government in Asia.
  • The group relies on DLL sideloading via the legitimate INISafeWebSSO application to execute SysUpdate.
  • SysUpdate provides capabilities such as service management, screen capture, process browsing/termination, drive info, file management, and command execution.
  • Budworm has developed a Linux version of SysUpdate with similar capabilities, indicating ongoing tool evolution.
  • The operation also employed living-off-the-land and publicly available tools to map networks and dump credentials (e.g., AdFind, Curl, SecretsDump, PasswordDumper).
  • The campaign aligns with Budworm’s historical focus on high-value government/defense–related targets and intelligence gathering.

MITRE Techniques

  • [T1574.001] DLL Side-Loading – Budworm executes SysUpdate on victim networks by DLL sideloading the payload using the legitimate INISafeWebSSO application. ‘DLL sideloading attacks use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious payload.’
  • [T1113] Screen Capture – Take screenshots.
  • [T1083] File and Directory Discovery – File management (finds, deletes, renames, uploads, downloads files, and browses a directory).
  • [T1105] Ingress Tool Transfer – Curl: An open-source command-line tool for transferring data using various network protocols.
  • [T1069.002] Active Directory Discovery – AdFind: A publicly available tool that is used to query Active Directory.
  • [T1003] Credential Dumping – SecretsDump: A publicly available tool that can perform various techniques to dump secrets from the remote machine without executing any agent. Techniques include reading SAM and LSA secrets from registries, dumping NTLM hashes, plaintext credentials, and Kerberos keys, as well as dumping the NTDS.dit Active Directory database.
  • [T1003] Credential Dumping – PasswordDumper: A password-dumping tool.
  • [T1543.003] Windows Service – List, start, stop, and delete services.
  • [T1082] System Information Discovery – Drive information retrieval.
  • [T1059] Command and Scripting Interpreter – Command execution.

Indicators of Compromise

  • [SHA256] file hashes:
    • c501203ff3335fbfc258b2729a72e82638719f60f7e6361fc1ca3c8560365a0e – Legitimate INISafeWebSSO application, and related malware samples
    • c4f7ec0c03bcacaaa8864b715eb617d5a86b5b3ca6ee1e69ac766773c4eb00e6 – SysUpdate backdoor
    • 551397b680da0573a85423fbb0bd10dac017f061a73f2b8ebc11084c1b364466 – Password dumper
    • df571c233c3c10462f4d88469bababe4c57c21a52cca80f2b1e1af848a2b4d23 – Hacktool
    • c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37 – SecretsDump
    • f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e – AdFind
    • ee9dfcea61282b4c662085418c7ad63a0cbbeb3a057b6c9f794bb32455c3a79e – Curl
  • [File name] context – SysUpdate DLL inicore_v2.3.30.dll, INISafeWebSSO.exe
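As an added example (not from the Symantec write-up), the following Python triage function ties the T1574.001 sideloading description above to the file hashes in this section: it matches each image-load event against the page's SHA256 indicators and, independently of hashes, flags a DLL that a non-system executable loads from its own directory, which is the pattern the INISafeWebSSO/inicore_v2.3.30.dll pairing follows. The event line format, the install path under ProgramData and the two filler hashes are constructed for illustration; the hash for the legitimate INISafeWebSSO binary is left out of the indicator set because the page lists it as the legitimate application.

```python
import re

# SHA256 hashes listed on this page for the Budworm toolset, keyed by role.
BUDWORM_IOC_HASHES = {
    "c4f7ec0c03bcacaaa8864b715eb617d5a86b5b3ca6ee1e69ac766773c4eb00e6": "SysUpdate backdoor",
    "551397b680da0573a85423fbb0bd10dac017f061a73f2b8ebc11084c1b364466": "Password dumper",
    "df571c233c3c10462f4d88469bababe4c57c21a52cca80f2b1e1af848a2b4d23": "Hacktool",
    "c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37": "SecretsDump",
    "f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e": "AdFind",
    "ee9dfcea61282b4c662085418c7ad63a0cbbeb3a057b6c9f794bb32455c3a79e": "Curl",
}

# Directories from which a DLL load is expected and not treated as sideloading.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed event format (an assumption, not any product's real schema):
#   image=<process path> loaded=<dll path> sha256=<hex digest>
LINE_RE = re.compile(
    r"image=(?P<image>\S+)\s+loaded=(?P<dll>\S+)\s+sha256=(?P<sha>[0-9a-f]{64})", re.I)


def classify_image_load(line):
    """Return (verdict, detail) for one event: 'ioc' when the DLL hash is a
    page-listed indicator, 'sideload-suspect' when the DLL sits in the loading
    executable's own non-system directory, otherwise 'ok'."""
    m = LINE_RE.search(line)
    if not m:
        return ("unparsed", line)
    image, dll, sha = m["image"].lower(), m["dll"].lower(), m["sha"].lower()
    if sha in BUDWORM_IOC_HASHES:
        return ("ioc", BUDWORM_IOC_HASHES[sha])
    exe_dir = image.rsplit("\\", 1)[0] + "\\"
    dll_dir = dll.rsplit("\\", 1)[0] + "\\"
    if dll_dir == exe_dir and not dll_dir.startswith(TRUSTED_DLL_DIRS):
        return ("sideload-suspect", dll)
    return ("ok", dll)


def triage(lines):
    """Keep only the events an analyst should look at."""
    return [(v, d) for v, d in map(classify_image_load, lines) if v != "ok"]


# Constructed sample events: paths and the filler hashes are made up; the second
# event carries the SysUpdate backdoor hash listed on this page.
SAMPLE_EVENTS = [
    "image=C:\\Windows\\System32\\svchost.exe loaded=C:\\Windows\\System32\\kernel32.dll sha256=" + "a" * 64,
    "image=C:\\ProgramData\\INISafeWebSSO\\INISafeWebSSO.exe loaded=C:\\ProgramData\\INISafeWebSSO\\inicore_v2.3.30.dll "
    "sha256=c4f7ec0c03bcacaaa8864b715eb617d5a86b5b3ca6ee1e69ac766773c4eb00e6",
    "image=C:\\Users\\u\\Downloads\\tool.exe loaded=C:\\Users\\u\\Downloads\\version.dll sha256=" + "b" * 64,
]
```

The directory heuristic will also flag benign applications that ship private DLLs, so treat 'sideload-suspect' as a hunting lead to be checked against the vendor's signed file set rather than as an alert on its own.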

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt