Hacking group APT27, aka “Iron Tiger”, has prepared a new Linux version of its custom remote access malware SysUpdate, allowing the Chinese cyber-espionage group to target more services used in the enterprise.

According to a new report from Trend Microhackers first tested the Linux version in July 2022. However, it wasn’t until October 2022 that several payloads started circulating in the wild.

The new malware variant is written in C++ using the Asio library, and its functionality is very similar to the Windows version of Iron Tiger’s SysUpdate.

The threat actor’s interest in extending the scope of the targeting to systems beyond Windows has become apparent last summer when SEKOIA and Trend Micro reported seeing APT27 targeting Linux and macOS systems using a new backdoor codenamed “rshell”.

APT27’s latest campaign

The SysUpdate campaign observed and analyzed by Trend Micro deployed both Windows and Linux samples to valid targets.

One of the victims of this campaign was a gaming company in the Philippines, whose attack used a command-and-control server registered with a domain similar to the victim’s brand.

The infection vector is unknown, but Trend Micro analysts speculate that the chat apps were used as decoys to trick employees into downloading the initial infection payloads.

One element that has evolved from previous SysUpdate-based campaigns is the loading process, which now uses a legitimate, digitally signed “Microsoft Resource Compiler” executable (rc.exe) to sideload DLLs with rc.dll to load the shellcode.

The shellcode loads the first stage of SysUpdate into memory, so it’s hard for AVs to detect. Then it moves the required files to a hardcoded folder and establishes persistence with registry changes or by creating a service, depending on process permissions.

The second stage will launch after the next system reboot to unpack and load the main SysUpdate payload.

SysUpdate is a feature-rich remote access tool allowing a malicious actor to perform a variety of malicious behaviors as listed below:

• Services Manager (lists, starts, stops and deletes services)
• Screenshot
• Process manager (walks through and terminates processes)
• Retrieving drive information
• File manager (search, delete, rename, upload, download file and browse directory)
• Execution of the command

Trend Micro comments that Iron Tiger used a signed Wazuh executable during later sideloading stages to blend into the victim’s environment, as the target organization was using the legitimate Wazuh platform.

New Linux version of SysUpdate

The Linux variant of SysUpdate is an ELF executable and shares common network encryption keys and file management functions with its Windows counterpart.

The binary supports five settings that determine what the malware should do next: set persistence, demonize the process, set a GUID (Globally Unique Identifier) ​​for the infected system, and more.

The malware establishes persistence by copying a script to the “/usr/lib/systemd/system/” directory, an action that requires root user privileges.

When launched, it sends the following information to the C2 server:

• GUID (chosen randomly if its parameter has not been used previously)
• host name
• username
• Local IP address and port used to send the request
• Current PID
• Kernel version and machine architecture
• Current file path
• Boolean (0 if launched with exactly one parameter, 1 otherwise)

A new feature of the Linux SysUpdate variant is DNS tunneling, seen only on a Windows sample of the malware.

SysUpdate obtains DNS information from the “/etc/resolv.conf” file to retrieve the default system DNS IP address that can be used to send and receive DNS queries. If that fails, it uses Google’s DNS server at 8.8.8.8.

The idea of ​​this system is to bypass any firewalls or network security tools that might be configured to block all traffic beyond a specific list of IP addresses.

Trend Micro indicates that the choice of the Asio library to develop the Linux version of SysUpdate could be due to its cross-platform portability and predicts that a macOS version of the malware could soon appear in the wild.