28 Sept 2023
Hackers targeted a Middle Eastern telecom organization and an Asian government in a recent spying operation, according to a report published Thursday.
The hacking group Budworm, also known as Emissary Panda and APT27, is believed to be based in China. Last year, it attacked a U.S. state legislature using a Log4j vulnerability.
In its most recent campaign, in August, Budworm used a previously unseen version of its custom backdoor, SysUpdate, to spy on the unnamed telecom company and the Asian government body, according to Symantec researchers.
SysUpdate is “a feature-rich” backdoor that can delete services, take screenshots, rename and download files, and execute commands on targeted devices.
Besides SysUpdate, the group also used publicly available tools during the August attacks, including PasswordDumper for extracting passwords, Curl for data transfers, and SecretsDump for retrieving secrets from remote computers.
Budworm has been active since at least 2013, primarily focusing on espionage campaigns, according to Symantec. The group is known for targeting high-value victims in Southeast Asia, the Middle East, and the U.S., with a focus on organizations in government, technology, and defense sectors.
While researchers didn't directly attribute this campaign to China, Dick O’Brien, Symantec's principal intelligence analyst, previously told Recorded Future News that there's a "general consensus" that APT27 hackers are based in China.