Posted on March 2, 2023 at 2:24 PM
Chinese espionage group Iron Tiger creates a Linux version of its custom malware
Iron Tiger, a hacking group also tracked as APT27, has created a new Linux version of its SysUpdate custom remote access malware. This malware allows the group to target services that enterprises rely upon.
Iron Tiger hacking group creates a Linux version of SysUpdate malware
Iron Tiger is a Chinese cyber espionage hacking group known to target critical enterprises to obtain information. A new report by Trend Micro says that the hackers started testing the Linux version of the malware in July last year.
Despite testing the malware version in mid-2022, the hackers only started circulating multiple payloads in the wild in October 2022, according to the Trend Micro report. The new Linux variant is written in C++ using the Asio library, and it functions in the same manner as the Windows version of SysUpdate that Iron Tiger uses.
The hackers have been looking to create a customized version of this malware to expand their target scope beyond Windows. The goals behind this threat actor's behavior became apparent last summer, after several cybersecurity experts reported that the group was targeting Linux and macOS systems through a new backdoor known as “rshell.”
The SysUpdate hacking campaign used both Linux and Windows samples to compromise targets. Trend Micro, which analyzed the campaign, noted that it had already claimed several victims globally.
One of the companies targeted in this hacking campaign is a gambling firm in the Philippines. The attack on this gambling company used a command and control server registered using a domain similar to that of the victim’s brand.
The infection vector for this malware is yet to be identified. However, the analysts from Trend Micro have provided a hypothesis on the situation, saying that chat apps were being used to lure employees into downloading the initial infection payloads.
Only one aspect of the samples analyzed by the security researchers had changed compared to previous campaigns that depend on SysUpdate: the loading process. The new loader employs an authentic, digitally signed “Microsoft Resource Compiler” executable for DLL sideloading, with a sideloaded rc.dll deploying the shellcode.
During the first stage, the shellcode loads SysUpdate in memory, bypassing the security mechanisms in place. It then copies the needed files to a hardcoded folder, establishes persistence through registry modifications and, if process permissions allow, creates a service.
The second stage starts after the next system reboot process. This stage aims to decompress and load the main SysUpdate payload. SysUpdate is a sophisticated remote access tool allowing the threat actor to perform various malicious activities.
With SysUpdate, the hackers can take screenshots, manage device services, access the process manager, retrieve drive information, browse files through the file manager, and execute commands.
According to Trend Micro, Iron Tiger deployed a Wazuh-signed executable during the following sideloading stages. The executable blended with the victim’s environment because the target organization relied upon the legitimate Wazuh platform.
Hackers have created a Linux variant of SysUpdate
The Linux version of SysUpdate created by the hackers is an ELF executable. This executable shares the same network encryption keys and file-handling attributes as the Windows version.
The binary supports five parameters that determine which functions the malware performs, including establishing persistence and setting up a Globally Unique Identifier (GUID) for the affected system.
The malware establishes persistence by copying a script to another directory, which requires root privileges. One feature of the Linux SysUpdate version is DNS tunneling, which is only available in one of the Windows samples of this malware.
SysUpdate retrieves DNS information to locate the system's default DNS server, which it uses to send and receive DNS queries. If this fails, it falls back to the Google DNS server at 184.108.40.206.
The goal of this mechanism is to bypass firewalls and network security tools configured to block internet traffic to any destination outside a given IP address allowlist. According to Trend Micro, the hackers might have preferred the Asio library when creating the Linux version of SysUpdate because of its portability.
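The DNS fallback described above gives defenders a concrete signal to look for: hosts that talk to a resolver other than the approved internal ones, and query names with long high-entropy labels typical of tunnelled data. The following detector is an added example (not Trend Micro's or the article's code); the log format, the internal resolver 10.0.0.2 and the sample records are constructed assumptions, and the fallback resolver address is the one quoted in the article.

```python
import math
from collections import Counter

# Constructed sample of DNS-flow records: "client resolver query_name" per line.
# Two records show a host querying an external resolver with tunnel-like labels;
# the last record is a benign long label (low entropy) via the internal resolver.
SAMPLE_DNS_LOG = """\
10.0.0.5 10.0.0.2 www.example.com
10.0.0.5 10.0.0.2 mail.example.com
10.0.0.7 184.108.40.206 a91f3c0e4b7d2a5f8c1e9b6d.upd.example-brand.com
10.0.0.7 184.108.40.206 7e2b9c4d1f0a3e8b5c6d2a9f.upd.example-brand.com
10.0.0.9 10.0.0.2 aaaaaaaaaaaaaaaaaaaaaaaa.example.org
"""

APPROVED_RESOLVERS = {"10.0.0.2"}  # assumed internal resolvers for this example
LABEL_LEN_THRESHOLD = 20           # leftmost label length that warrants an entropy check
ENTROPY_THRESHOLD = 3.5            # bits per character; hex/base32 data scores above this


def shannon_entropy(text):
    """Shannon entropy in bits per character of the given string."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def analyze_dns_log(log_text, approved_resolvers=APPROVED_RESOLVERS):
    """Return (client, resolver, qname, reasons) for each suspicious record.

    A record is flagged when the resolver is not on the approved list (the
    allowlist-bypass pattern) or when the leftmost label is long and has high
    entropy (data being carried in the query name)."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crashing on them
        client, resolver, qname = parts
        reasons = []
        if resolver not in approved_resolvers:
            reasons.append("unapproved-resolver")
        label = qname.split(".")[0]
        if len(label) >= LABEL_LEN_THRESHOLD and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            reasons.append("tunnel-like-label")
        if reasons:
            findings.append((client, resolver, qname, reasons))
    return findings


if __name__ == "__main__":
    for finding in analyze_dns_log(SAMPLE_DNS_LOG):
        print(finding)
```

Both flagged records trigger both rules; the benign long label passes because its entropy is zero, which is why the length check alone is not enough.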