Friday, October 4, 2024
HomeCyber AttackBudworm APT Attacking Telecoms Org With New Custom Tools

Budworm APT Attacking Telecoms Org With New Custom Tools

Published on

APT (Advanced Persistent Threat) actors are evolving at a rapid pace, continually enhancing their toolsets and tactics. 

They adapt quickly to security measures, leveraging advanced techniques, such as zero-day exploits, to remain undetected.

Their ability to innovate and collaborate in the underground cybercriminal ecosystem makes tracking and countering APT threats an ongoing challenge for cybersecurity professionals.

- Advertisement - EHA

Cybersecurity researchers at Symantec’s Threat Hunter Team recently discovered that Budworm APT group has evolved its toolset and is actively targeting the following entities:-

In August 2023, Budworm APT deployed a new variant of its exclusive SysUpdate backdoor (SysUpdate DLL inicore_v2.3.30.dll) in both attacks, which was previously unseen.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

New Custom Tools Used

Budworm employed custom and publicly available tools in these attacks, primarily focusing on credential harvesting. The group’s activity may have been suspended early in the attack chain.

Budworm employs DLL sideloading through INISafeWebSSO to execute SysUpdate on victim networks, a technique used by the group since 2018 to evade detection.

Besides this, SysUpdate offers several capabilities that we have mentioned below:-

  • List services
  • Start services
  • Stop services
  • Delete services
  • Take screenshots
  • Browse processes
  • Terminate processes
  • Drive information retrieval
  • File management
  • Command execution

Trend Micro reported about Budworm’s Linux SysUpdate with Windows-like capabilities in March 2023, which has been part of Budworm’s developing toolbox since 2020.

Here below, we have mentioned all the tools that the threat actors use:-

  • AdFind
  • Curl
  • SecretsDump
  • PasswordDumper

Budworm is a persistent APT group active since 2013 that targets high-value victims across sectors globally. Their activities include a U.S. state legislature breach in October 2022 using DLL sideloading for HyperBro malware.

In Budworm’s recent campaign, the group targeted an Asian government and a Middle Eastern telecom, as they are consistent with their typical intelligence-gathering focus.

Budworm’s use of known techniques and tools, like SysUpdate and DLL sideloading, signals their confidence despite detection risk. 

The appearance of a new SysUpdate version in August 2023 indicates ongoing toolset development, suggesting their current activity.

IOCs

SHA256 file hashes

  • c501203ff3335fbfc258b2729a72e82638719f60f7e6361fc1ca3c8560365a0e — Legitimate INISafeWebSSO application
  • c4f7ec0c03bcacaaa8864b715eb617d5a86b5b3ca6ee1e69ac766773c4eb00e6 — SysUpdate backdoor
  • 551397b680da0573a85423fbb0bd10dac017f061a73f2b8ebc11084c1b364466 — Password dumper
  • df571c233c3c10462f4d88469bababe4c57c21a52cca80f2b1e1af848a2b4d23 — Hacktool     
  • c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37 — SecretsDump
  • f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e — AdFind
  • ee9dfcea61282b4c662085418c7ad63a0cbbeb3a057b6c9f794bb32455c3a79e — Curl

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Doppler Launches ‘Change Requests’ to Strengthen Secrets Management Security with Audited Approvals

Doppler, the leading platform in secrets management, today announces the launch of Change Requests,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...