Iron Tiger hackers distribute Linux version of their SysUpdate malware
Trend Micro's researchers expect a macOS version to follow soon.
The APT27 hacker group, also known as “Iron Tiger”, has prepared a new version of its SysUpdate malware for Linux. The remote access tool lets the attackers target more of the services in use in enterprise environments.
According to a new Trend Micro report, the attackers first tested the Linux version in July 2022, but it was not until October 2022 that the first payloads began showing up in the wild (ITW).
The new variant is written in C++ using the Asio library, and its functionality is broadly the same as that of the Windows version of SysUpdate.
The attackers' interest in expanding beyond Windows became apparent last summer, when SEKOIA and Trend Micro reported (1, 2) that Iron Tiger was attacking Linux and macOS systems with a new backdoor named “rshell”.
In Iron Tiger's latest campaign, SysUpdate samples were deployed to both Windows and Linux systems.
One of the victims of this campaign was a gambling company in the Philippines. Its C2 server was registered under a domain resembling the victim's own brand, which made the malicious traffic much harder to spot.
The infection vector is unknown, but Trend Micro analysts suggest that chat applications were used as bait to trick employees into downloading the initial payload.
The SysUpdate loading process has evolved somewhat since past campaigns. The attackers now use a legitimately signed Microsoft Resource Compiler executable (rc.exe) to perform DLL sideloading.
The shellcode loads the first stage of SysUpdate directly into memory, which makes it harder for antivirus products to detect. That stage then copies the required files to a hard-coded system folder and establishes persistence, either by modifying the registry or by installing a separate service, depending on the privileges of the process.
The second stage runs after the next reboot, unpacking and loading the main SysUpdate payload.
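The chain above (a signed Microsoft binary dropped outside its normal install location, a DLL loaded from beside it, then a Run key or a service) has a recognizable shape in endpoint telemetry. The following hunting heuristic is an added example, not code from Trend Micro or from the SysUpdate samples: the event records are constructed to resemble image-load, registry and service-install entries, and the DLL name rc.dll, the user name and the paths are assumptions rather than values taken from the report.

```python
"""Hunting heuristics for the DLL-sideloading chain described above.

Added example: not code from Trend Micro or from the SysUpdate samples. The
events below are constructed to resemble image-load, registry and service
records from endpoint telemetry; rc.dll, the user name and the paths are
assumptions, not values taken from the report.
"""
import ntpath
from dataclasses import dataclass

# Where a legitimately installed Microsoft binary is expected to live.
TRUSTED_INSTALL_DIRS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")
# DLLs resolved from these directories are normal loads, not sideloads.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
RUN_KEYS = ("\\currentversion\\run",)  # substring match, so RunOnce matches too


@dataclass
class Event:
    kind: str             # "ImageLoad", "RegistrySet" or "ServiceInstall"
    process: str          # executable that produced the event
    signed: bool = False  # Authenticode status of that executable (constructed field)
    signer: str = ""
    target: str = ""      # loaded DLL path, registry key written, or service image path


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def is_sideload(ev: Event) -> bool:
    """Signed Microsoft EXE running outside its install location and loading a
    DLL from its own directory: the shape of the rc.exe step in the chain."""
    if ev.kind != "ImageLoad" or not ev.signed or "microsoft" not in ev.signer.lower():
        return False
    exe_dir, dll_dir = _dir(ev.process), _dir(ev.target)
    if exe_dir.startswith(TRUSTED_INSTALL_DIRS) or dll_dir.startswith(SYSTEM_DIRS):
        return False
    return exe_dir == dll_dir


def is_persistence(ev: Event, suspect_dirs: set) -> bool:
    """Run-key write made by a process from a suspect directory (the low-privilege
    path), or a service install tied to one (the elevated path)."""
    if ev.kind == "RegistrySet":
        return any(k in ev.target.lower() for k in RUN_KEYS) and _dir(ev.process) in suspect_dirs
    if ev.kind == "ServiceInstall":
        return _dir(ev.target) in suspect_dirs or _dir(ev.process) in suspect_dirs
    return False


def hunt(events):
    """Pass one finds sideload candidates; pass two finds persistence tied to them."""
    findings, suspect_dirs = [], set()
    for ev in events:
        if is_sideload(ev):
            suspect_dirs.add(_dir(ev.process))
            findings.append(("sideload", ev.process, ev.target))
    for ev in events:
        if is_persistence(ev, suspect_dirs):
            findings.append(("persistence", ev.kind, ev.target))
    return findings


# Constructed sample telemetry (assumed paths; rc.dll is an assumption).
SAMPLE_EVENTS = [
    # Benign: rc.exe from a Windows Kits install loading rc.dll beside it.
    Event("ImageLoad", r"C:\Program Files (x86)\Windows Kits\10\bin\x64\rc.exe", True,
          "Microsoft Corporation", r"C:\Program Files (x86)\Windows Kits\10\bin\x64\rc.dll"),
    # Suspect: the same signed rc.exe dropped in a temp dir, loading a DLL from that dir.
    Event("ImageLoad", r"C:\Users\jdoe\AppData\Local\Temp\rc.exe", True,
          "Microsoft Corporation", r"C:\Users\jdoe\AppData\Local\Temp\rc.dll"),
    # Persistence set by the sideloaded process (registry) and as a service (elevated).
    Event("RegistrySet", r"C:\Users\jdoe\AppData\Local\Temp\rc.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("ServiceInstall", r"C:\Windows\System32\services.exe",
          target=r"C:\Users\jdoe\AppData\Local\Temp\rc.exe"),
    # Unrelated service install from Program Files: not flagged.
    Event("ServiceInstall", r"C:\Windows\System32\services.exe",
          target=r"C:\Program Files\Vendor\agent.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

The location check matters more than the binary name: rc.exe loading rc.dll from a Windows Kits directory is exactly what a developer machine does, so the rule only fires when the signed executable itself is running from somewhere it was never installed. Expect false positives from portable tools and adjust `TRUSTED_INSTALL_DIRS` to the environment.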
(Figure: SysUpdate infection chain)
SysUpdate is a feature-packed remote access tool that lets an attacker perform the following actions:
- service manager (lists, starts, stops, adds and removes services);
- file manager (finds, deletes, renames, downloads, uploads files and browses directories);
- process manager (views and terminates processes);
- taking screenshots;
- getting disk information;
- execution of commands.
The Linux version of SysUpdate is an ELF executable and shares its network encryption keys and file-handling functions with the Windows counterpart. The binary supports five options that determine what it does next, among them setting up persistence, daemonizing the process, and setting a GUID (globally unique identifier) for the infected system.
A new feature of the Linux variant is DNS tunneling. The malware reads the “/etc/resolv.conf” file to extract the system's default DNS server address, which it then uses to send and receive DNS requests. If that fails, it falls back to Google's public DNS server at 8.8.8.8. Because the configured resolver is normally permitted to talk out, this can get C2 traffic past firewalls or network security tools that block all traffic except to an allowlist of IP addresses.
Trend Micro says the choice of the Asio library for the Linux version may be due to its cross-platform portability, and predicts that a macOS version of SysUpdate may soon appear in the wild as well.
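The resolver-selection step described above is simple to reproduce, and the same two facts give the defender something to hunt for: DNS sent directly to a public resolver instead of the corporate one (the fallback path), and query names that carry encoded data (the tunnel itself). The block below is an added example, not Trend Micro's or the malware's code. The resolv.conf text, the DNS log lines, the `<src> <dst> <qname>` log format and the allowlist of corporate resolvers are all constructed assumptions; 8.8.8.8 is Google's public resolver.

```python
"""Resolver selection and DNS-tunnel hunting for the behaviour described above.

Added example: not Trend Micro's or the malware's code. The resolv.conf text and
the DNS log lines are constructed; the '<src> <dst> <qname>' log format and the
allowlist of corporate resolvers are assumptions.
"""
import math
from collections import Counter

GOOGLE_DNS = "8.8.8.8"  # Google Public DNS, the fallback the report describes


def nameservers_from_resolv_conf(text: str) -> list:
    """Collect the 'nameserver' entries, ignoring comments and other directives."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # strip both comment styles
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def pick_resolver(text: str, fallback: str = GOOGLE_DNS) -> str:
    """Mirror the malware's choice: first configured resolver, else the public fallback."""
    servers = nameservers_from_resolv_conf(text)
    return servers[0] if servers else fallback


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def flag_dns(log_lines, allowed_resolvers, max_label=40, min_entropy=3.5):
    """Flag queries sent to a resolver outside the allowlist (the fallback path)
    and queries whose subdomain looks like encoded data (the tunnel itself).
    Each log line is '<src_ip> <dst_ip> <qname>' (constructed format)."""
    findings = []
    for line in log_lines:
        src, dst, qname = line.split()
        reasons = []
        if dst not in allowed_resolvers:
            reasons.append("resolver-not-allowlisted")
        labels = qname.rstrip(".").split(".")
        # Everything left of a two-label registered domain (assumption; no PSL lookup).
        sub = ".".join(labels[:-2])
        too_long = any(len(label) > max_label for label in labels)
        too_random = len(sub) > 20 and shannon_entropy(sub) > min_entropy
        if too_long or too_random:
            reasons.append("tunnel-like-qname")
        if reasons:
            findings.append((src, dst, qname, reasons))
    return findings


# Constructed sample input.
RESOLV_CONF = """# constructed /etc/resolv.conf
search corp.example
nameserver 10.0.0.2
nameserver 10.0.0.3   ; secondary
options ndots:1
"""
ALLOWED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}
LONG_LABEL = "4a7f3e1c9b0d2a6e8f5c1b3d7a9e0f2c4b6d8a1e3c5f7b9d"  # 48 chars of hex-like data
DNS_LOG = [
    "10.0.0.5 10.0.0.2 www.example.com",
    "10.0.0.5 8.8.8.8 www.example.com",
    f"10.0.0.5 10.0.0.2 {LONG_LABEL}.c2.example.net",
    f"10.0.0.5 8.8.8.8 {LONG_LABEL}.c2.example.net",
]

if __name__ == "__main__":
    print("resolver:", pick_resolver(RESOLV_CONF))
    print("fallback:", pick_resolver("# nothing configured\n"))
    for finding in flag_dns(DNS_LOG, ALLOWED_RESOLVERS):
        print(*finding)
```

The two checks are complementary. When the host has a working resolver, the tunnel goes through the corporate DNS server and only the query-name check can catch it; when the malware falls back to 8.8.8.8, the destination check fires even before any payload is encoded, which is why egress rules should allow UDP/TCP 53 only to the organization's own resolvers.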