SysUpdate

Malware updated a month ago (2024-09-25T14:01:34.603Z)
Download STIX
Preview STIX
SysUpdate is a malicious software (malware) predominantly utilized by the Budworm group, also known as APT27, Emissary Panda, LuckyMouse, among other names. This malware variant is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without user knowledge. Once inside, it can steal personal information, disrupt operations, or hold data for ransom. In December 2020, a sample of a new SysUpdate variant was discovered. The payload was a novel version of SysUpdate, which was sideloaded to run the SysUpdate tool in a previous campaign by Emissary Panda. The backdoor maintains persistence by setting the 'SysUpdate' key in the OS registry and storing the LNK file 'SystemUpdate.lnk' in the startup directory. This updated SysUpdate toolkit has been deployed by Budworm in new attacks against an Asian government and a Middle East-based telecommunications provider, as reported by The Hacker News. Budworm's use of a known malware like SysUpdate, along with favored techniques such as DLL side-loading using an application previously used for this purpose, indicates that the group is not overly concerned about having its activities associated with it if discovered. Budworm has also leveraged numerous living-off-the-land and public tools in addition to its enhanced SysUpdate backdoor, which features screenshot capturing, drive data retrieval, and file operation and command execution capabilities. The discovery of an updated SysUpdate tool underscores Budworm's continued development and ongoing activity as of August 2023. The group has used DLL sideloading with the legitimate INISafeWebSSO application to deploy its SysUpdate malware, serving as a multipurpose backdoor. The new variant of SysUpdate was found to be linked to a C&C server associated with LuckyMouse. This evolving threat landscape highlights the need for robust cybersecurity measures and vigilance against advanced persistent threats.
Description last updated: 2024-09-25T13:17:45.624Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Iron Tiger is a possible alias for SysUpdate. Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group believed to be aligned with China. The group has been involved in numerous cyber-espionage campaigns, targeting various entities including United States defense contractors and other international organizations. Their activities
4
Emissary Panda is a possible alias for SysUpdate. Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Budworm, Lucky Mouse, and Red Phoenix, is a threat actor linked to China. This group has been involved in cyberespionage activities with the primary goal of stealing intellectual property from organizations in sectors that China perceive
4
inicore_v2.3.30.dll is a possible alias for SysUpdate. The malware inicore_v2.3.30.dll is a harmful program designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for
3
APT27 is a possible alias for SysUpdate. APT27, also known as Emissary Panda, is a threat actor group suspected to be affiliated with China. The group's primary objective is the theft of intellectual property, focusing on data and projects that make organizations competitive within their respective fields. APT27 has targeted multiple organ
3
LuckyMouse is a possible alias for SysUpdate. LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Linux
Windows
Tool
Apt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Budworm Threat Actor is associated with SysUpdate. Budworm, also known as LuckyMouse or APT 27, is a threat actor that has been associated with various high-profile cyber attacks. This group has been found to utilize tools such as the Korplug backdoor, which is commonly used by multiple Advanced Persistent Threats (APTs) including Budworm and APT41,Unspecified
2
Source Document References
Information about the SysUpdate Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Checkpoint
a month ago
Securityaffairs
10 months ago
CERT-EU
a year ago
Checkpoint
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
Trend Micro
2 years ago
DARKReading
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
Checkpoint
2 years ago
CERT-EU
2 years ago