
The threat actor known as Lucky Mouse has developed a Linux version of its SysUpdate malware toolkit, expanding its ability to target devices running that operating system.
The oldest version of the updated artifact dates back to July 2022, and the malware incorporates new functionality designed to evade security software and resist reverse engineering.
Cybersecurity firm Trend Micro says it observed a comparable Windows variant in June 2022, about a month after the command and control (C2) infrastructure was set up.
Lucky Mouse has also been tracked under the names APT27, Bronze Union, Emissary Panda, and Iron Tiger, and is known to utilize a variety of malware, including SysUpdate, HyperBro, PlugX, and a Linux backdoor called rshell.
Over the past two years, campaigns orchestrated by the threat group have compromised the supply chain of legitimate apps such as Able Desktop and MiMi Chat to gain remote access to targeted systems.
In October 2022, Intrinsec detailed an attack against a French company that used a ProxyLogon vulnerability in Microsoft Exchange Server to distribute HyperBro as part of a multi-month operation that stole “gigabytes of data.”
Targets of the latest campaign include gambling companies in the Philippines, a sector that has been repeatedly attacked by Iron Tiger since 2019.

The exact infection vector used in the attack is unknown, but the indications are that an installer masquerading as a messaging app such as Youdu is used as a decoy to trigger the attack sequence.
The Windows version of SysUpdate can manage processes, take screenshots, perform file operations, and execute arbitrary commands. It can also communicate with its C2 server via DNS TXT requests, a technique known as DNS tunneling.
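DNS tunneling of the kind mentioned above hides command-and-control traffic inside ordinary-looking DNS queries, so a defender's first question is how to spot it in resolver logs. The following is an added example, not code from the article or from Trend Micro, showing one common heuristic: flag a parent domain when it receives many TXT queries whose subdomains are both long and high-entropy (hallmarks of encoded payload), while ignoring legitimate TXT lookups such as DMARC or DKIM records. The log format (`client qtype qname`), the sample lines, the parent-domain split and the thresholds are all constructed assumptions; a production detector would use a real sensor format and the Public Suffix List.

```python
"""
Heuristic detector for DNS-TXT tunneling, run over constructed DNS query log
lines. Added illustration only; the log format and thresholds are assumptions,
not Trend Micro's detection logic and not SysUpdate's actual protocol.
"""
import math
from collections import defaultdict

# Constructed sample log: "<client> <qtype> <qname>" per line (assumed format).
# The 10.0.0.7 entries mimic a tunnel: data hex-encoded into long, high-entropy
# labels under one parent domain. The remaining lines are ordinary lookups,
# including repeated DMARC/DKIM TXT queries that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT _dmarc.example.com
10.0.0.5 TXT selector1._domainkey.example.com
10.0.0.9 TXT example.com
10.0.0.7 TXT f3a9c1e7b5d024680b4d8e2f6a1c5937.9c2e5a8f1d4b70366d0f3b9a2c5e8147.cdn-example.net
10.0.0.7 TXT a7e1c4f0b3d629583f6c9a0d5b2e8174.e52b8d1f4a7c039618c4a0e73b5f2d69.cdn-example.net
10.0.0.7 TXT 0b4d8e2f6a1c5937f3a9c1e7b5d02468.6d0f3b9a2c5e81479c2e5a8f1d4b7036.cdn-example.net
10.0.0.7 TXT 3f6c9a0d5b2e8174a7e1c4f0b3d62958.18c4a0e73b5f2d69e52b8d1f4a7c0396.cdn-example.net
10.0.0.5 TXT _dmarc.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, qtype, qname) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def split_name(qname: str):
    """Split a query name into (subdomain, parent); parent = last two labels.
    Simplification: real code should consult the Public Suffix List so that
    names such as example.co.uk are grouped correctly."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def txt_stats(log_text: str) -> dict:
    """Per parent domain: number of TXT queries, querying clients, mean
    subdomain length (dots excluded) and mean subdomain entropy."""
    acc = defaultdict(lambda: {"queries": 0, "len_sum": 0, "ent_sum": 0.0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "TXT":
            continue
        client, _, qname = rec
        sub, parent = split_name(qname)
        chars = sub.replace(".", "")
        entry = acc[parent]
        entry["queries"] += 1
        entry["len_sum"] += len(chars)
        entry["ent_sum"] += shannon_entropy(chars)
        entry["clients"].add(client)
    out = {}
    for parent, e in acc.items():
        q = e["queries"]
        out[parent] = {
            "queries": q,
            "clients": sorted(e["clients"]),
            "mean_len": e["len_sum"] / q,
            "mean_entropy": e["ent_sum"] / q,
        }
    return out


def flag_tunnels(log_text: str, min_queries=3, min_len=40, min_entropy=3.5):
    """Return parent domains whose TXT traffic looks like encoded payload:
    enough queries, long subdomains and high entropy all at once. Any single
    signal alone (e.g. repeated lookups of _dmarc.example.com) is not enough."""
    flagged = []
    for parent, s in txt_stats(log_text).items():
        if (s["queries"] >= min_queries and s["mean_len"] >= min_len
                and s["mean_entropy"] >= min_entropy):
            flagged.append(parent)
    return sorted(flagged)


if __name__ == "__main__":
    for parent, s in txt_stats(SAMPLE_LOG).items():
        print(f"{parent:20} queries={s['queries']} mean_len={s['mean_len']:.1f} "
              f"mean_entropy={s['mean_entropy']:.2f} clients={s['clients']}")
    print("flagged:", flag_tunnels(SAMPLE_LOG))
```

On the constructed sample only `cdn-example.net` is flagged: `example.com` receives just as many TXT queries, but its subdomains are short, so the volume signal alone does not fire. In practice the thresholds need tuning against a baseline of the environment's own TXT traffic, and the per-client breakdown is what lets an analyst pivot from the domain to the host that needs triage.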
This development also marks the first detection of a threat actor weaponizing a sideloading vulnerability in Wazuh signed executables to deploy SysUpdate on Windows machines.
The Linux ELF sample, written in C++, is notable for porting its file-handling functionality using the Asio library, suggesting that the attackers are working to add cross-platform support to their malware.
Given that rshell can already run on Linux and macOS, the possibility of SysUpdate having a macOS flavor in the future cannot be ruled out, Trend Micro said.
Another tool of note is a custom Chrome password and cookie grabber, which collects cookies and passwords stored in web browsers.
“This research confirms that Iron Tiger regularly updates their tools to add new features and possibly facilitate portability to other platforms,” said security researcher Daniel Lunghi. “It confirms this threat actor’s interest in the gambling industry and the Southeast Asian region.”