Saturday, May 18, 2024

Budworm APT Attacking Telecoms Org With New Custom Tools

APT (Advanced Persistent Threat) actors are evolving at a rapid pace, continually enhancing their toolsets and tactics. 

They adapt quickly to security measures, leveraging advanced techniques, such as zero-day exploits, to remain undetected.

Their ability to innovate and collaborate in the underground cybercriminal ecosystem makes tracking and countering APT threats an ongoing challenge for cybersecurity professionals.

Cybersecurity researchers at Symantec’s Threat Hunter Team recently discovered that Budworm APT group has evolved its toolset and is actively targeting the following entities:-

In August 2023, Budworm APT deployed a new variant of its exclusive SysUpdate backdoor (SysUpdate DLL inicore_v2.3.30.dll) in both attacks, which was previously unseen.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

New Custom Tools Used

Budworm employed custom and publicly available tools in these attacks, primarily focusing on credential harvesting. The group’s activity may have been suspended early in the attack chain.

Budworm employs DLL sideloading through INISafeWebSSO to execute SysUpdate on victim networks, a technique used by the group since 2018 to evade detection.

Besides this, SysUpdate offers several capabilities that we have mentioned below:-

  • List services
  • Start services
  • Stop services
  • Delete services
  • Take screenshots
  • Browse processes
  • Terminate processes
  • Drive information retrieval
  • File management
  • Command execution

Trend Micro reported about Budworm’s Linux SysUpdate with Windows-like capabilities in March 2023, which has been part of Budworm’s developing toolbox since 2020.

Here below, we have mentioned all the tools that the threat actors use:-

  • AdFind
  • Curl
  • SecretsDump
  • PasswordDumper

Budworm is a persistent APT group active since 2013 that targets high-value victims across sectors globally. Their activities include a U.S. state legislature breach in October 2022 using DLL sideloading for HyperBro malware.

In Budworm’s recent campaign, the group targeted an Asian government and a Middle Eastern telecom, as they are consistent with their typical intelligence-gathering focus.

Budworm’s use of known techniques and tools, like SysUpdate and DLL sideloading, signals their confidence despite detection risk. 

The appearance of a new SysUpdate version in August 2023 indicates ongoing toolset development, suggesting their current activity.


SHA256 file hashes

  • c501203ff3335fbfc258b2729a72e82638719f60f7e6361fc1ca3c8560365a0e — Legitimate INISafeWebSSO application
  • c4f7ec0c03bcacaaa8864b715eb617d5a86b5b3ca6ee1e69ac766773c4eb00e6 — SysUpdate backdoor
  • 551397b680da0573a85423fbb0bd10dac017f061a73f2b8ebc11084c1b364466 — Password dumper
  • df571c233c3c10462f4d88469bababe4c57c21a52cca80f2b1e1af848a2b4d23 — Hacktool     
  • c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37 — SecretsDump
  • f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e — AdFind
  • ee9dfcea61282b4c662085418c7ad63a0cbbeb3a057b6c9f794bb32455c3a79e — Curl

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles