Lucky Mouse threat group launches Linux malware toolkit called SysUpdate for targeted attacks
Lucky Mouse develops Linux version of SysUpdate malware toolkit
The notorious Lucky Mouse threat group has launched a new Linux version of its SysUpdate malware toolkit, expanding its reach to target devices running on this operating system. Cybersecurity firm Trend Micro reported the earliest known version of this updated artifact dates back to July 2022, with new features designed to evade security software and resist reverse engineering. The group, also known as APT27, Bronze Union, Emissary Panda, and Iron Tiger, has been utilizing a variety of malware, including SysUpdate, HyperBro, PlugX, and a Linux backdoor named rshell.
Over the past two years, Lucky Mouse has been orchestrating campaigns that embrace supply chain compromises of legitimate apps, such as Able Desktop and MiMi Chat, to obtain remote access to compromised systems. The group’s targets have included a gambling company in the Philippines, a sector that has repeatedly come under attack from Iron Tiger since 2019.
See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses
Windows version of SysUpdate can manage processes, take screenshots, and execute commands
While the exact infection vector used in the attack is unknown, it appears that the group has used installers disguised as messaging apps like Youdu as lures to activate the attack sequence. The Windows version of SysUpdate comes with several features to manage processes, take screenshots, carry out file operations, and execute arbitrary commands. It can also communicate with command-and-control servers via DNS TXT requests, a technique known as DNS tunneling. The development also marks the first time that a threat actor has been detected weaponizing a sideloading vulnerability in a Wazuh signed executable to deploy SysUpdate on Windows machines.
The Linux ELF samples, written in C++, are notable for using the Asio library to port the file handling functions, indicating that the adversary is looking to add cross-platform support for the malware. As rshell is already capable of running on Linux and macOS, Trend Micro has warned of the possibility that SysUpdate could have a macOS version in the future.
Trending: Security Engineer vs. Software Engineer
Trending: Offensive Security Tool: SQLMutant
Custom Chrome password and cookie grabber also included in the toolkit
One tool of note is a custom Chrome password and cookie grabber that comes with features to harvest cookies and passwords stored in the web browser. Security researcher Daniel Lunghi confirmed that Lucky Mouse regularly updates its tools to add new features and probably to ease their portability to other platforms. He added that this development “corroborates this threat actor’s interest in the gambling industry and the Southeast Asia region.”
Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?
If you want to express your idea in an article contact us here for a quote: [email protected]
Source: thehackernews.com
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
