A known espionage group was recently observed leveraging the Log4j vulnerability to target a number of high-value organizations worldwide, including an unnamed U.S.-based state legislature.
While over the past years, researchers have noted the Budworm group moving into more financially motivated cybercrimes that have involved the use of ransomware and targeted major gaming companies, in attacks over the past six months, Budworm was seen pivoting to attack a number of “strategically significant targets,” including the government of a Middle Eastern country, a global electronics manufacturer, a hospital in South East Asia and a U.S.-based entity. The latter is significant because it is the second time in recent months Budworm was linked to attacks against a U.S.-based target, said Symantec researchers.
“While there were frequent reports of Budworm targeting U.S. organizations six to eight years ago, in more recent years the group’s activity appears to have been largely focused on Asia, the Middle East, and Europe,” said researchers with Symantec in a Thursday analysis. “A resumption of attacks against U.S.-based targets could signal a change in focus for the group.”
These recent attacks relied on the known Log4j flaws (CVE-2021-44228 and CVE-2021-45105) - which according to a recent report by the Cybersecurity and Infrastructure Security Agency (CISA) have been one of the top exploited flaws by Chinese threat actors since 2020 - in order to compromise the Apache Tomcat service and ultimately install webshells on compromised target networks.
As has been seen in previous attacks, Budworm’s main payload is the HyperBro malware family, which is a remote access trojan (RAT) that can log keystrokes, execute commands, and create a backdoor program with the abilities to upload and download files (the Plugx/Korplug trojan was also sometimes used as an alternate payload).
"The most likely reason we're seeing attacks against the U.S. is a shift in strategic priorities.”
HyperBro was recently highlighted by CISA in a report after the agency found samples of the malware on an unnamed Defense Industrial Base sector organization.
Researchers said that HyperBro in some cases has been loaded with its own loader (under the file names peloader.exe, 12.exe) that is designed to load malicious DLLs and encrypt payloads. However, in other cases the malware is loaded using DLL side-loading, where attackers put a malicious DLL in a directory in lieu of a legitimate DLL, and then runs the application in order to load and execute the payload.
“In recent attacks, Budworm has used the endpoint privilege management software CyberArk Viewfinity to perform side-loading,” said researchers. “The binary, which has the default name vf_host.exe, is usually renamed by the attackers in order to masquerade as a more innocuous file. Masqueraded names included securityhealthservice.exe, secu.exe, vfhost.exe, vxhost.exe, vx.exe, and v.exe.”
Budworm also used a variety of known tools across its recent attacks, including Cobalt Strike, as well as tools that are newer for the threat group, including publicly available credential dumping tool LaZagne, proxy and port-forwarding tool IOX, the Fast Reverse Proxy tool and intranet scanning tool Fscan.
The China-linked Budworm group, which has activity overlaps with threat clusters tracked by others as APT27 or Emissary Panda, has been observed since at least 2013 targeting government, technology, and manufacturing organizations to collect political or military information.
Dick O’Brien, principal intelligence analyst for the Symantec threat hunter team, said the end goal of these more attacks appears to be information theft and that Budworm is usually “quite selective in who they target.”
“We don't believe these attacks are opportunistic,” said O’Brien. “The infection vectors we are aware of are common globally and we've seen them attack organizations in other regions. The most likely reason we're seeing attacks against the U.S. is a shift in strategic priorities.”