Tuesday, January 14, 2025
HomeCyber AttackBudworm APT Attacking Telecoms Org With New Custom Tools

Budworm APT Attacking Telecoms Org With New Custom Tools

Published on

APT (Advanced Persistent Threat) actors are evolving at a rapid pace, continually enhancing their toolsets and tactics. 

They adapt quickly to security measures, leveraging advanced techniques, such as zero-day exploits, to remain undetected.

Their ability to innovate and collaborate in the underground cybercriminal ecosystem makes tracking and countering APT threats an ongoing challenge for cybersecurity professionals.

Cybersecurity researchers at Symantec’s Threat Hunter Team recently discovered that Budworm APT group has evolved its toolset and is actively targeting the following entities:-

In August 2023, Budworm APT deployed a new variant of its exclusive SysUpdate backdoor (SysUpdate DLL inicore_v2.3.30.dll) in both attacks, which was previously unseen.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

New Custom Tools Used

Budworm employed custom and publicly available tools in these attacks, primarily focusing on credential harvesting. The group’s activity may have been suspended early in the attack chain.

Budworm employs DLL sideloading through INISafeWebSSO to execute SysUpdate on victim networks, a technique used by the group since 2018 to evade detection.

Besides this, SysUpdate offers several capabilities that we have mentioned below:-

  • List services
  • Start services
  • Stop services
  • Delete services
  • Take screenshots
  • Browse processes
  • Terminate processes
  • Drive information retrieval
  • File management
  • Command execution

Trend Micro reported about Budworm’s Linux SysUpdate with Windows-like capabilities in March 2023, which has been part of Budworm’s developing toolbox since 2020.

Here below, we have mentioned all the tools that the threat actors use:-

  • AdFind
  • Curl
  • SecretsDump
  • PasswordDumper

Budworm is a persistent APT group active since 2013 that targets high-value victims across sectors globally. Their activities include a U.S. state legislature breach in October 2022 using DLL sideloading for HyperBro malware.

In Budworm’s recent campaign, the group targeted an Asian government and a Middle Eastern telecom, as they are consistent with their typical intelligence-gathering focus.

Budworm’s use of known techniques and tools, like SysUpdate and DLL sideloading, signals their confidence despite detection risk. 

The appearance of a new SysUpdate version in August 2023 indicates ongoing toolset development, suggesting their current activity.

IOCs

SHA256 file hashes

  • c501203ff3335fbfc258b2729a72e82638719f60f7e6361fc1ca3c8560365a0e — Legitimate INISafeWebSSO application
  • c4f7ec0c03bcacaaa8864b715eb617d5a86b5b3ca6ee1e69ac766773c4eb00e6 — SysUpdate backdoor
  • 551397b680da0573a85423fbb0bd10dac017f061a73f2b8ebc11084c1b364466 — Password dumper
  • df571c233c3c10462f4d88469bababe4c57c21a52cca80f2b1e1af848a2b4d23 — Hacktool     
  • c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37 — SecretsDump
  • f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e — AdFind
  • ee9dfcea61282b4c662085418c7ad63a0cbbeb3a057b6c9f794bb32455c3a79e — Curl

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...