APT27 Develops Linux Version of their Malware

The Chinese advanced persistent threat group APT27, also known as Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, or TG-3390, is now developing a Linux version of its custom malware payloads. The group is best known for cyber espionage carried out with custom malware packages. With the move to developing Linux versions, security researchers believe the group will be able to better target enterprise network solutions built on the operating system.

According to a report published by security firm Trend Micro, the new Linux version of APT27’s SysUpdate malware was tested in July 2022, and samples began being distributed in the wild in October 2022.

The new malware variant is written in C++ using the Asio library, and its functionality is very similar to Iron Tiger's Windows version of SysUpdate.

Not only has the group added the ability to target Linux machines, but it has also added new features to the malware family.

In the campaigns witnessed by security researchers, both the Windows and Linux versions were dropped in payloads against victims.

One such victim was a gambling company in the Philippines, where threat actors used a command and control server registered with a domain similar to that of the victim. Trend Micro summarised the attack chain as follows:

  • Apr. 2, 2022: Registration of the domain name linked to our oldest Windows sample of SysUpdate
  • May 11, 2022: The command and control (C&C) infrastructure was set up.
  • June 8, 2022: While this could have been tampered with, observed compilation date of our oldest Windows sample.
  • July 20, 2022: Oldest Windows sample gets uploaded to Virus Total
  • Oct. 24, 2022: Oldest Linux sample gets uploaded to Virus Total

Currently, researchers are not sure how APT27 got initial access into the victim’s infrastructure. It is believed that chat apps were used as lures to trick employees into downloading initial infection payloads, and that the SysUpdate malware was dropped later, once initial access was gained.

SysUpdate itself has evolved beyond the creation of a Linux variant. The malware now uses a legitimate, digitally signed "Microsoft Resource Compiler" executable (rc.exe) to perform DLL side-loading with rc.dll to load shellcode.
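A defender-side check for the rc.exe and rc.dll side-loading pattern described above, as an added example that is not from the Trend Micro report or the original article: it scans image-load events for rc.exe loading rc.dll from outside an expected SDK path or without a valid signature. The event fields are modelled on Sysmon image-load events; the sample events and the list of expected install directories are assumptions constructed for illustration.

```python
import ntpath

# Assumption: directories where a legitimately installed rc.exe is expected.
# Adjust to the SDK / Visual Studio locations used in your environment.
EXPECTED_ROOTS = (
    r"c:\program files (x86)\windows kits",
    r"c:\program files (x86)\microsoft visual studio",
    r"c:\program files\microsoft visual studio",
)

def _norm(path):
    # Lower-case and normalise separators so comparisons are case-insensitive.
    return ntpath.normcase(ntpath.normpath(path))

def _under_expected_root(path):
    p = _norm(path)
    return any(p.startswith(root + "\\") for root in EXPECTED_ROOTS)

def rc_sideload_findings(events):
    """Return (image, loaded_dll, reasons) for suspicious rc.exe + rc.dll loads."""
    findings = []
    for ev in events:
        image, loaded = ev["Image"], ev["ImageLoaded"]
        if ntpath.basename(_norm(image)) != "rc.exe":
            continue  # only loads performed by a process named rc.exe
        if ntpath.basename(_norm(loaded)) != "rc.dll":
            continue  # only the DLL name the article reports
        reasons = []
        if not _under_expected_root(image):
            reasons.append("rc.exe outside expected SDK path")
        if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("rc.dll not validly signed")
        if reasons:
            findings.append((image, loaded, reasons))
    return findings

SAMPLE_EVENTS = [  # constructed for illustration, not taken from the report
    {"Image": r"C:\ProgramData\demo\rc.exe",
     "ImageLoaded": r"C:\ProgramData\demo\rc.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\bin\x64\rc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Temp\rc.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, loaded, reasons in rc_sideload_findings(SAMPLE_EVENTS):
        print(image, "->", loaded, "|", "; ".join(reasons))
```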

Further, the malware is hard for anti-virus products to detect, as the first stage of the malware’s deployment is done in memory. The malware’s other features are similar to previous versions and include the following abilities:

  • Service manager (lists, starts, stops, and deletes services)
  • Screenshot grab
  • Process manager (browses and terminates processes)
  • Drive information retrieval
  • File manager (finds, deletes, renames, uploads, downloads a file, and browses a directory)
  • Command execution

As for the Linux version of SysUpdate, researchers noted,

“While investigating SysUpdate’s infrastructure, we found some ELF files linked to some C&C servers. We analyzed them and concluded that the files were a SysUpdate version made for the Linux platform. The ELF samples were also written in C++, made use of the Asio library, shared common network encryption keys, and had many similar features. For example, the file handling functions are almost the same. It is possible that the developer made use of the Asio library because of its portability across multiple platforms.”

APT27’s Push to Cover all Operating Systems

The development of a Linux version of SysUpdate is not APT27’s first rodeo in creating cross-platform malware. In August 2022, SEKOIA's Threat & Detection Research Team discovered that an instant messenger app known as 'MiMi' had been trojanized to deliver a new backdoor.

The app is predominantly used in China, and researchers discovered that it could be weaponized to steal information from Linux and macOS systems. Trend Micro also reported on the weaponization of the instant messaging app and attributed it to APT27. SEKOIA researchers noted,

“At this stage, SEKOIA is not able to assess the objective of this campaign. As this application’s use in China appears low, it is plausible it was developed as a targeted surveillance tool. It is also likely that, following social engineering carried out by the operators, targeted users are encouraged to download this application, purportedly to circumvent Chinese authorities’ censorship…This is not the first time a messaging application dropping an implant connecting to the LuckyMouse infrastructure is observed. In 2020, our ESET fellows uncovered compromised versions of Able Desktop, a messaging application widely used in Mongolia in the “StealthyTrident” operation. In this campaign, Able Desktop was used to drop several implants, including PlugX, Tmanger and HyperBro, known to be a part of the LuckyMouse tool set.”

Trend Micro also reported that Zoho and Exchange email servers were being targeted. In February 2022, ZDNet published an article detailing how Linux malware variants were increasingly targeting enterprises.

This trend still seems to be continuing and is likely partly driven by enterprises switching to cloud infrastructure that is often built on serverless Linux instances.

For cyber espionage groups, this shift presents a unique opportunity to steal valuable information if cloud infrastructure is not properly secured.

Further, hybrid working environments that feature staff working from home have increased the need for cloud solutions to act as the enterprise's central nervous system in a sense.

This too gives threat actors added avenues of attack. All that is required is malware capable of targeting cloud instances. Unfortunately, we are already seeing this in the wild.

About the author:

Karolis Liucveikis
