SysUpdate

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
SysUpdate is a malicious software variant that has been exclusively used by Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix. In December 2020, a sample of the SysUpdate malware variant was found, with its payload being a new version of SysUpdate. The backdoor maintains persistence in infected systems by setting the 'SysUpdate' key in the OS registry and storing the LNK file 'SystemUpdate.lnk' in the startup directory. Notably, Budworm has used DLL sideloading with the legitimate INISafeWebSSO application to deploy its SysUpdate malware, serving as a multipurpose backdoor. The group has targeted various entities including an Asian government and a Middle East-based telecommunications provider, as reported by The Hacker News in September 2023. Budworm has been deploying new attacks with the updated SysUpdate toolkit against these targets. Furthermore, the group has shown a continued willingness to use known malware like SysUpdate and previously employed techniques such as DLL sideloading, indicating a degree of indifference to detection. This is evident from their continued use of SysUpdate, despite it being associated with them upon discovery. Budworm has also leveraged numerous living-off-the-land and public tools in addition to its enhanced SysUpdate backdoor. The latter features capabilities such as screenshot capturing, drive data retrieval, and file operation and command execution, according to a report from the Symantec Threat Hunter Team. The discovery of an updated SysUpdate tool in August 2023 highlights Budworm's ongoing activity and continued development of its toolset.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Iron Tiger
4
Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group known for executing malicious actions with the intent of espionage. The group became prominent after its involvement in Operation Iron Tiger, which was reported in 2015. This operation was a series of Chinese cyber-espionage att
Emissary Panda
4
Emissary Panda, also known as Iron Tiger, APT27, Budworm, Bronze Union, Lucky Mouse, and Red Phoenix, is a threat actor group associated with malicious cyber activities. The group has been active since at least 2013, targeting various industry verticals across Europe, North and South America, Africa
APT27
3
APT27, also known as Iron Taurus, is a Chinese threat actor group that primarily engages in cyber operations with the goal of intellectual property theft. The group targets multiple organizations worldwide, including those in North and South America, Europe, and the Middle East. APT27 utilizes vario
inicore_v2.3.30.dll
3
The malware inicore_v2.3.30.dll is a harmful program designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for
LuckyMouse
2
LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an
Red Phoenix
1
Red Phoenix, also known as Budworm, APT27, Emissary Panda, Bronze Union, Lucky Mouse, and Iron Tiger, is a notorious malware that has been active since at least 2013. It is associated with a Chinese advanced persistent threat (APT) operation, targeting various industry verticals for intelligence gat
BRONZE UNION
1
Bronze Union, also known as APT27, Emissary Panda, Lucky Mouse, Iron Tiger, and Red Phoenix, is a threat actor with alleged connections to the Chinese government. The group has been observed targeting organizations across Europe, North and South America, Africa, the Middle East, and the Asia-Pacific
python33.dll
1
Python33.dll is a harmful malware that can infiltrate your system through various channels, including suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. This malicious software has been observed be
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Windows
Linux
Apt
Encryption
Curl
Vulnerability
Payload
Webshell
Web Shell
Tool
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
IronpandaUnspecified
1
None
EmissaryUnspecified
1
Emissary is a malicious software (malware) known for its damaging and exploitative characteristics. The malware operates as a Trojan, named Emissary, that infiltrates systems through suspicious downloads, emails, or websites without the user's knowledge. Once inside a system, it can disrupt operatio
ZxShellUnspecified
1
ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o
China ChopperUnspecified
1
China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated
Lucky MouseUnspecified
1
Lucky Mouse, also known as Emissary Panda, APT27, Threat Group 3390, Bronze Union, and several other names, is a malicious software (malware) attributed to a China-linked Advanced Persistent Threat (APT) group. This malware has been active since at least 2013, targeting various industry verticals fo
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
BudwormUnspecified
2
Budworm, also known as LuckyMouse or APT 27, is a threat actor that has been associated with various high-profile cyber attacks. This group has been found to utilize tools such as the Korplug backdoor, which is commonly used by multiple Advanced Persistent Threats (APTs) including Budworm and APT41,
RegeorgUnspecified
1
Regeorg is a threat actor known for its malicious activities in the cyber landscape. Notably, operators of LuckyMouse initiated an attack by dropping the Nbtscan tool in C:\programdata\, followed by installing a variant of the ReGeorg webshell and issuing a GET request using curl. They then tried to
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the SysUpdate Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Securityaffairs
7 months ago
Russia's APT28 used new malware in a recent phishing campaign
CERT-EU
10 months ago
Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org - Cyber Security Review
Checkpoint
10 months ago
2nd October – Threat Intelligence Report - Check Point Research
CERT-EU
10 months ago
DDoS attack hits Russian flight booking system claimed by Ukrainian hackers
CERT-EU
10 months ago
Asian government, telco targeted by Chinese APT
InfoSecurity-magazine
10 months ago
Budworm APT Evolves Toolset, Targets Telecoms and Government
CERT-EU
10 months ago
China-Linked Budworm Targeting Middle Eastern Telco and Asian Government Agencies
MITRE
a year ago
Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
MITRE
a year ago
Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
MITRE
a year ago
Emissary Panda Attacks Middle East Government SharePoint Servers
Trend Micro
a year ago
Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting
DARKReading
a year ago
Linux Support Expands Cyber Spy Group's Arsenal
CERT-EU
a year ago
Хакеры Iron Tiger распространяют Linux-версию своей вредоносной программы SysUpdate
CERT-EU
a year ago
Iron Tiger updates malware to target Linux platform
CERT-EU
a year ago
Cyber Security Today, March 3, 2023 – Bootkit can compromise Windows 11, a hacked container found and more | IT World Canada News
Checkpoint
a year ago
6th March – Threat Intelligence Report - Check Point Research
CERT-EU
a year ago
安全事件周报 2023-02-27 第9周 - 360CERT