Budworm is resurfacing in the U.S., targeting high-value entities with a mix of custom malware and openly available tools, and relying on techniques such as DLL side-loading via legitimate processes and C2 infrastructure hosted on VPS services. The campaign centers on HyperBro, with occasional use of PlugX/Korplug, and signals a potential renewed focus on U.S. targets alongside a notable toolset and set of techniques. #Budworm #HyperBro
Keypoints
- Budworm appears to be back targeting U.S. organizations after years largely focusing on Asia, the Middle East, and Europe.
- Initial access is achieved by exploiting Apache Tomcat via CVE-2021-44228 and CVE-2021-45105 to install web shells on affected servers.
- Attackers used VPS-based C2 infrastructure (VPS providers like Vultr and Telstra) to host command-and-control servers.
- The HyperBro payload is delivered primarily through DLL side-loading, often using legitimate applications as the loader.
- CyberArk Viewfinity is abused to perform side-loading, with several masqueraded file names used to disguise malicious activity.
- HyperBro is sometimes loaded with its own loader, and PlugX/Korplug has been used as a secondary payload in some operations.
- Beyond HyperBro, Budworm relies on a toolkit of public/off-the-shelf tools (Cobalt Strike, Lazagne, IOX, FRP, FScan) to achieve post-exploitation, credential access, and network discovery.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – ‘…(CVE-2021-44228 and CVE-2021-45105) to compromise the Apache Tomcat service on servers in order to install web shells.’
- [T1574.001] DLL Side-Loading (DLL Search Order Hijacking) – ‘dynamic-link library (DLL) side-loading…placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application…The legitimate application then loads and executes the payload.’
- [T1218] Signed Binary Proxy Execution – ‘The attackers used the endpoint privilege management software CyberArk Viewfinity to perform side-loading.’
- [T1036] Masquerading – ‘Masqueraded names included securityhealthservice.exe, secu.exe, vfhost.exe, vxhost.exe, vx.exe, and v.exe.’
- [T1027] Obfuscated/Compressed Files and Information – ‘loader…encrypt payloads.’
- [T1588.001] Acquire Capabilities: Tools – ‘Other tools used in recent attacks include: Cobalt Strike… Lazagne… IOX… FRP… Fscan.’
- [T1046] Network Service Discovery – ‘FSCAN: A publicly available intranet scanning tool.’
- [T1583] Acquire Infrastructure – ‘The attackers used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command-and-control (C&C) servers.’
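The side-loading (T1574.001) and masquerading (T1036) entries above describe a pattern that is cheap to hunt for in image-load telemetry. The following is an added detection example, not code from the Symantec report: it scores constructed Sysmon-style ImageLoad (Event ID 7) records, flagging processes that carry one of the masqueraded names listed above and unsigned DLLs resolved from the loading process's own directory rather than a Windows system directory. The records, paths and DLL names are made up; only the masqueraded file names come from the summary.

```python
from pathlib import PureWindowsPath

# Masqueraded loader file names listed in the summary above.
MASQUERADED_NAMES = {"securityhealthservice.exe", "secu.exe", "vfhost.exe",
                     "vxhost.exe", "vx.exe", "v.exe"}
# A DLL served from these directories is not a side-loading signal by itself.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

def side_load_findings(event: dict) -> list[str]:
    """Heuristic reasons one Sysmon-style ImageLoad (Event ID 7) record fits
    the side-loading pattern. Sysmon's Signed/SignatureStatus describe the DLL."""
    proc = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    findings = []

    # Host process carries one of the masqueraded names (T1036).
    if proc.name.lower() in MASQUERADED_NAMES:
        findings.append(f"masqueraded process name: {proc.name}")

    # Unsigned DLL resolved from the process's own directory instead of a
    # system directory: the search-order pattern described under T1574.001.
    dll_dir = str(dll.parent).lower()
    unsigned = (event.get("Signed", "false").lower() != "true"
                or event.get("SignatureStatus") != "Valid")
    if unsigned and dll_dir == str(proc.parent).lower() \
            and not dll_dir.startswith(TRUSTED_DIRS):
        findings.append(f"unsigned {dll.name} loaded from process directory")
    return findings

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each process image with findings to the reasons it was flagged."""
    return {e["Image"]: f for e in events if (f := side_load_findings(e))}

# Constructed records; paths and DLL names are illustrative, not from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",                 # benign system load
     "ImageLoaded": r"C:\Windows\System32\shell32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\Secu\vfhost.exe",          # masqueraded loader
     "ImageLoaded": r"C:\ProgramData\Secu\vftrace.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",         # legit app, planted DLL
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

In production the same two checks map onto a Sysmon ImageLoad rule group; the directory comparison is the higher-signal half, since masqueraded names change between intrusions while the load-from-own-directory pattern does not.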
Indicators of Compromise
- [IP] C2 infrastructure – 139.180.146[.]101, 45.77.46[.]54, and other VPS addresses (example: 139.168.200[.]123, 207.148.76[.]235)
- [Domain/URL] C2 domains/URLs – setting.101888gg[.]com/jquery-3.3.1.min.js, 207.148.76[.]235/jquery-3.3.1.min.js
- [Hash] Credential Dumper – 5aecbb6c073b0cf1ad1c6803fa1bfaa6eca2ec4311e165f25d5f7f0b3fe001db, and 2 more hashes
- [Hash] FSCAN – 779ae012ede492b321fd86df70f7c9da94251440ebe5ec3efee84a432f432478
- [Hash] HyperBro launcher – ab949af896b6a6d986aed6096c36c4f323f650ccccfc7ea49004ba919d1bfa46, bebce37572ea2856663383215a013f8115c1f81da0f2bf1233c959955c494032
- [Hash] HyperBro loader – 386c9079d65bdd7e3f7b8872024a80992b5d5c6a3c8b971c47d1ef439b9e2671, bfffc43d948d1787622bcde524e51c932a2a1fdc761539f60e777e21ef16e83d
- [Hash] IOX – 042b603fffd4766fa22f6e10884e7fa43f449d515cfa20a18f0d07a6d4c370962, 0d46907320ab55d98966389f41441aa0341a7db829cd166748d8929d466c9fba
Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state