SysUpdate Malware

The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system.

The oldest version of the updated artifact dates back to July 2022, with the malware incorporating new features designed to evade security software and resist reverse engineering.

Cybersecurity company Trend Micro said it observed the equivalent Windows variant in June 2022, nearly one month after the command-and-control (C2) infrastructure was set up.

Lucky Mouse is also tracked under the monikers APT27, Bronze Union, Emissary Panda, and Iron Tiger, and is known to utilize a variety of malware such as SysUpdate, HyperBro, PlugX, and a Linux backdoor dubbed rshell.

Over the past two years, campaigns orchestrated by the threat group have embraced supply chain compromises of legitimate apps like Able Desktop and MiMi Chat to obtain remote access to compromised systems.

In October 2022, Intrinsec detailed an attack on a French company that utilized ProxyLogon vulnerabilities in Microsoft Exchange Server to deliver HyperBro as part of a months-long operation that exfiltrated "gigabytes of data."

The targets of the latest campaign include a gambling company in the Philippines, a sector that has repeatedly come under onslaught from Iron Tiger since 2019.

SysUpdate Malware

The exact infection vector used in the attack is unclear, but signs point to the use of installers masquerading as messaging apps like Youdu as lures to activate the attack sequence.

As for the Windows version of SysUpdate, it comes with features to manage processes, take screenshots, carry out file operations, and execute arbitrary commands. It's also capable of communicating with C2 servers via DNS TXT requests, a technique called DNS Tunneling.

The development also marks the first time a threat actor has been detected weaponizing a sideloading vulnerability in a Wazuh signed executable to deploy SysUpdate on Windows machines.

Are your security controls 🛡️ effective? Join us for our upcoming webinar and find out how to prevent zero-day security events from unknown files.

The Linux ELF samples, written in C++, are notable for using the Asio library to port the file handling functions, indicating that the adversary is looking to add cross-platform support for the malware.

Given that rshell is already capable of running on Linux and macOS, the possibility that SysUpdate could have a macOS flavor in the future cannot be discounted, Trend Micro said.

Another tool of note is a custom Chrome password and cookie grabber that comes with features to harvest cookies and passwords stored in the web browser.

"This investigation confirms that Iron Tiger regularly updates its tools to add new features and probably to ease their portability to other platforms," security researcher Daniel Lunghi said, adding it "corroborates this threat actor's interest in the gambling industry and the South East Asia region."


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.