China-Linked Budworm Updates To Attack Government Groups, Telecoms
Budworm Targets Middle East and Asia
The Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News that Budworm, also known as APT27, Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, and Red Phoenix, has been active since 2013, targeting a wide range of industry verticals.
Budworm has been observed using various tools such as China Chopper web shell, Gh0st RAT, HyperBro, PlugX, SysUpdate, and ZXShell to exfiltrate high-value information and maintain access to sensitive systems over a long period of time.
SecureWorks revealed in 2017 that Budworm is a formidable threat that collects defense, security, and political intelligence from organizations worldwide. It has been observed exploiting vulnerable internet-facing services to gain access to targeted networks.
Trend Micro shed light on the Linux version of SysUpdate in March, which packs in capabilities to circumvent security software and resist reverse engineering. The backdoor can capture screenshots, terminate arbitrary processes, conduct file operations, retrieve drive information, and execute commands.
According to Symantec, Budworm has been using the SysUpdate toolkit since at least 2020 and has been continually developing the tool to improve its capabilities and avoid detection.
Budworm is the latest addition to a growing list of threat actors targeting the telecom sector in the Middle East, including previously undocumented clusters dubbed ShroudedSnooper and Sandman.
Organizations in the telecommunications sector and government entities should remain vigilant about potential threats from Budworm and other threat actors.
It is important to keep systems up to date with the latest security patches and to monitor for suspicious activity. Additionally, organizations should consider investing in AI-driven cybersecurity solutions to help detect and respond to threats more quickly and effectively.