China-linked Budworm APT returns to target a US entity

The Budworm espionage group resurfaced targeting a U.S.-based organization for the first time, Symantec Threat Hunter team reported.

The Budworm cyber espionage group (aka APT27, Bronze Union, Emissary Panda, Lucky Mouse, TG-3390, and Red Phoenix) is behind a series attacks conducted over the past six months against a number of high-profile targets, including the government of a Middle Eastern country, a multinational electronics manufacturer, and a U.S. state legislature. This is the first time that Symantec researchers have observed the Budworm group targeting a U.S-based organization. The group also targeted a hospital in South East Asia.

The China-linked APT27 group has been active since 2010, it targeted organizations worldwide, including U.S. defense contractors, financial services firms, and a national data center in Central Asia.

The group was involved in cyber espionage campaigns aimed at new generation weapons and in surveillance activities on dissidents and other civilian groups.

The cyber espionage group leverage both readily available tools and custom malware in their operations, many tools are available for years, but in recent attacks, their code was updated.

In January, German intelligence warned of Chinese nation-state actors targeting commercial organizations with HyperBro remote access trojans (RAT). The attacks aimed at stealing sensitive data from the victims and attempted to launch supply chain attacks targeting their customers.

In the recent attacks, the APT group leveraged the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) to install web shells on target servers. The threat actors used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command-and-control (C&C) servers.

The attackers continue to use the HyperBro backdoor which is often loaded using the dynamic-link library (DLL) side-loading technique.

“In recent attacks, Budworm has used the endpoint privilege management software CyberArk Viewfinity to perform side-loading. The binary, which has the default name vf_host.exe, is usually renamed by the attackers in order to masquerade as a more innocuous file. Masqueraded names included securityhealthservice.exe, secu.exe, vfhost.exe, vxhost.exe, vx.exe, and v.exe.” reads the report published by the experts. “In some cases, the HyperBro backdoor was loaded with its own HyperBro loader (file names: peloader.exe, 12.exe). It is designed to load malicious DLLs and encrypt payloads.”

In recent attacks, the APT also used the PlugX/Korplug Trojan along with the following tools:

• Cobalt Strike: An off-the-shelf tool that can be used to load shellcode onto victim machines. It has legitimate uses as a penetration testing tool but is frequently exploited by malicious actors.
• LaZagne: A publicly available credential dumping tool.
• IOX: A publicly available proxy and port-forwarding tool.
• Fast Reverse Proxy (FRP): A reverse proxy tool.
• Fscan: A publicly available intranet scanning tool.

“Budworm is known for mounting ambitious attacks against high-value targets. While there were frequent reports of Budworm targeting U.S. organizations six to eight years ago, in more recent years the group’s activity appears to have been largely focused on Asia, the Middle East, and Europe.” concludes the report. “However this is the second time in recent months, Budworm has been linked to attacks against a U.S-based target. A recent CISA report on multiple APT groups attacking a defense sector organization mentioned Budworm’s toolset. A resumption of attacks against U.S.-based targets could signal a change in focus for the group.”

“In more recent years, the group’s activity appears to have been largely focused on Asia, the Middle East, and Europe,” the researchers said. “A resumption of attacks against U.S.-based targets could signal a change in focus for the group.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Budworm APT)

[adrotate banner=”5″]

[adrotate banner=”13″]