The Chinese advanced persistent threat group APT27, also known as Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, or TG-3390, is now developing Linux versions of its custom malware payloads. The group is best known for cyber espionage carried out with custom malware packages. With the move to Linux versions, security researchers believe the group will be better able to target enterprise network solutions built on that operating system.
In a report published by security firm Trend Micro, the new Linux version of APT27's SysUpdate malware was first tested in July 2022, and samples began to be distributed in the wild in October 2022.
The new malware variant is written in C++ using the Asio library, and its functionality is very similar to Iron Tiger's Windows version of SysUpdate.
Not only has the group added the ability to target Linux machines, but it has also added new features to the malware family.
In the campaigns witnessed by security researchers, both the Windows and Linux versions were dropped as payloads against victims.
One such victim was a gambling company in the Philippines, where threat actors used a command and control server registered with a domain similar to that of the victim. Trend Micro summarised the attack chain as follows:
- Apr. 2, 2022: Registration of the domain name linked to our oldest Windows sample of SysUpdate
- May 11, 2022: The command and control (C&C) infrastructure was set up.
- June 8, 2022: Observed compilation date of our oldest Windows sample (although this could have been tampered with).
- July 20, 2022: Oldest Windows sample gets uploaded to VirusTotal
- Oct. 24, 2022: Oldest Linux sample gets uploaded to VirusTotal
Currently, researchers are not sure how APT27 gained initial access to the victim's infrastructure. It is believed that chat apps were used as lures to trick employees into downloading initial infection payloads, and that the SysUpdate malware was dropped later, once initial access had been gained.
SysUpdate itself has evolved beyond the creation of a Linux variant: the malware now uses a legitimate, digitally signed Microsoft Resource Compiler executable (rc.exe) to perform DLL side-loading with a malicious rc.dll that loads shellcode.
Further, the malware is hard for anti-virus products to detect because the first stage of its deployment is done in memory. The malware's other features are similar to those of previous versions and include the following abilities:
- Service manager (lists, starts, stops, and deletes services)
- Screenshot grab
- Process manager (browses and terminates processes)
- Drive information retrieval
- File manager (finds, deletes, renames, uploads, downloads a file, and browses a directory)
- Command execution
As for the Linux version of SysUpdate, researchers noted:
“While investigating SysUpdate’s infrastructure, we found some ELF files linked to some C&C servers. We analyzed them and concluded that the files were a SysUpdate version made for the Linux platform. The ELF samples were also written in C++, made use of the Asio library, shared common network encryption keys, and had many similar features. For example, the file handling functions are almost the same. It is possible that the developer made use of the Asio library because of its portability across multiple platforms.”
APT27’s Push to Cover all Operating Systems
The development of a Linux version of SysUpdate is not APT27's first rodeo in creating cross-platform malware. In August 2022, SEKOIA's Threat & Detection Research Team discovered that an instant messenger app known as 'MiMi' had been trojanized to deliver a new backdoor.
The app is predominantly used in China, and researchers discovered that it could be weaponized to steal information from Linux and macOS systems. Trend Micro also reported on the weaponization of the instant messaging app and likewise attributed it to APT27. SEKOIA researchers noted:
“At this stage, SEKOIA is not able to assess the objective of this campaign. As this application’s use in China appears low, it is plausible it was developed as a targeted surveillance tool. It is also likely that, following social engineering carried out by the operators, targeted users are encouraged to download this application, purportedly to circumvent Chinese authorities’ censorship…This is not the first time a messaging application dropping an implant connecting to the LuckyMouse infrastructure is observed. In 2020, our ESET fellows uncovered compromised versions of Able Desktop, a messaging application widely used in Mongolia in the “StealthyTrident” operation. In this campaign, Able Desktop was used to drop several implants, including PlugX, Tmanger and HyperBro, known to be a part of the LuckyMouse tool set.”
Trend Micro also reported that Zoho and Exchange email servers were being targeted. In February 2022, ZDNet published an article detailing how Linux malware variants were increasingly targeting enterprises.
This trend still seems to be continuing and is likely driven in part by enterprises switching to cloud infrastructure that is often built on serverless Linux instances.
For cyber espionage groups, this shift presents a unique opportunity to steal valuable information if cloud infrastructure is not properly secured.
Further, hybrid working environments in which staff work from home have increased the need for cloud solutions to act, in a sense, as the enterprise's central nervous system.
This too gives threat actors added avenues of attack; all that is required is malware capable of targeting cloud instances. Unfortunately, we are already seeing this in the wild.