Research on the Budworm espionage group.
Oct 13, 2022

The Symantec Threat Hunter Team, part of Broadcom Software, has released a blog discussing the tactics and toolset of the Budworm espionage group.

Research on the Budworm espionage group.

The Symantec Threat Hunter Team, part of Broadcom Software, has released a blog today detailing the Budworm espionage group. The group has been seen targeting a Middle Eastern government, a multinational electronics manufacturer, a US state legislature, and a hospital in Southeast Asia.

Budworm's current modus operandi.

Budworm has been observed exploiting Log4j vulnerabilities to compromise the Apache Tomcat service and install web shells. Budworm primarily uses the HyperBro malware family, often loaded through dynamic-link library (DLL) side-loading. In this technique the attackers place a malicious DLL where a legitimate application expects to find one of its own libraries; the payload then executes when the application runs and loads it.

Budworm has also been seen using CyberArk Viewfinity, an endpoint privilege management tool, as the host for side-loading. While HyperBro has been Budworm's primary choice recently, researchers have also observed the PlugX/Korplug Trojan in use. Other tools the group has recently been seen using include Cobalt Strike (a legitimate pentesting tool that can be abused to load shellcode onto victims' devices), LaZagne (a credential dumping tool), IOX (a proxy and port-forwarding tool), Fast Reverse Proxy (or FRP, a reverse proxy tool), and Fscan (an Internet scanning tool).
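The side-loading behaviour described above leaves a detectable trace in image-load telemetry. The following is an added example, not code from Symantec or from this article, that applies two defender-side heuristics to constructed Sysmon Event ID 7 (ImageLoaded) records flattened to CSV: a well-known system DLL name loaded from outside System32, and an unsigned DLL loaded from its host executable's own directory inside a user-writable tree. All paths and the DLL name set are illustrative assumptions.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (ImageLoaded) records flattened to CSV.
# Every path here is invented for this example.
SAMPLE_EVENTS = """\
Image,ImageLoaded,Signed
C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\version.dll,true
C:\\Program Files\\Vendor\\app.exe,C:\\Program Files\\Vendor\\vendor.dll,true
C:\\Users\\Public\\update\\viewer.exe,C:\\Users\\Public\\update\\version.dll,false
C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe,C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll,false
"""

# Illustrative (assumed) set of DLL names Windows normally resolves from
# System32; a same-named file loaded from anywhere else is the hallmark
# of the side-loading technique described in the article.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}
SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")
USER_WRITABLE_PREFIXES = (PureWindowsPath(r"C:\Users"), PureWindowsPath(r"C:\ProgramData"))


def _same_path(a, b):
    # Windows paths are case-insensitive, so compare lower-cased strings.
    return str(a).lower() == str(b).lower()


def _under(path, prefix):
    return str(path).lower().startswith(str(prefix).lower() + "\\")


def side_load_findings(csv_text):
    """Return {dll_path: [reasons]} for image loads matching side-loading heuristics."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = PureWindowsPath(row["Image"])
        dll = PureWindowsPath(row["ImageLoaded"])
        signed = row["Signed"].strip().lower() == "true"
        reasons = []
        # Rule 1: a well-known system DLL name loaded from outside System32.
        if dll.name.lower() in SYSTEM_DLL_NAMES and not _same_path(dll.parent, SYSTEM_DIR):
            reasons.append("system DLL name loaded from non-system directory")
        # Rule 2: an unsigned DLL sitting beside its host executable in a
        # user-writable tree, i.e. a file that could simply have been dropped there.
        if (not signed and _same_path(dll.parent, exe.parent)
                and any(_under(dll, p) for p in USER_WRITABLE_PREFIXES)):
            reasons.append("unsigned DLL loaded from host executable's own user-writable directory")
        if reasons:
            findings[str(dll)] = reasons
    return findings


if __name__ == "__main__":
    for path, why in side_load_findings(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(why))
```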

Budworm’s target list.

The group has historically targeted Asia, the Middle East, and Europe, but has now for the second time been linked to an attack on a US target. Researchers say that a shift to US targets could mean a directional change for Budworm.

Also known as APT27 or Emissary Panda, Budworm is generally believed, according to The Hacker News and others, to operate on behalf of the Chinese government.

Industry observations on nation-state cyberespionage campaigns.

Added 10.13.22.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented on the ways in which intelligence services have added private organizations to their target lists:

"This is the current state of affairs: every sufficiently capable nation is committing unauthorized actions on its adversaries. What's changed in the last decade is how these nation-state actions are in both quantity, impact, and number of targets. In the past, most nation-state actors compromised targets associated with their adversary's government and military. Now, today, the most common nation-state target is traditional organizations not directly aligned with governments or the military, although certainly governments and militaries are still greatly targeted.

"Nation-state attacks will continue unabated until all the important nations agree to a digital-equivalent Geneva Conventions, agreeing to what is allowed and not allowed in the digital realm against each other. The UN and many of the UN members have been trying to get this done for decades. At times it seems we are closer than we were in the past to getting a global agreement on what will always be considered a cybercrime and what is supposedly off limits for all adversaries, only for the strong disagreement of a few members (usually China and Russia, who coincidentally are often attributed to a large percentage of cyber attacks) to derail any agreement. We sit decades later with more capability than ever and nothing to rein in any nation-state but its own objectives and ethics. As long as this is true we will continue to see vast amounts of cybercrime committed by one nation against another."

Chris Clements, VP of solutions architecture at cybersecurity company Cerberus Sentinel, summarized some of the ways in which attacks by intelligence and security services differ from those carried out by ordinary criminal gangs:

“Cyberattacks originating from nation states have many distinguishing features from those of run-of-the-mill cybercrime groups. First, their attacks are usually more strategic in nature, picking specific targets and information as objectives. This differs from general cybercriminal activities, which are much more opportunistic in nature, where the target itself isn’t particularly important, just that they can easily compromise it. Second, because the goals of nation state actors align more with traditional espionage objectives like data theft or sabotage, those threat actors take more care to avoid detection to conceal their presence for as long as possible. It’s interesting to me that such operations are often called 'cyberwar' when 'cyberespionage' seems to be a more fitting term. Contrast these activities with general cybercrime operations that are much more akin to 'smash-and-grab' thefts where getting in and out quickly with as much as they can carry is the norm. These differences can help organizations to better tailor their defensive strategies.

"An organization without a strategic purpose for an adversary to target will be much less likely to find themselves the focus of nation-state level campaigns, but those who are, or are simply unlucky, will face a much more well-equipped and sophisticated adversary. Still, it’s important to realize that the vast sums of money that modern ransomware gangs have been able to extort from their victims have given them vastly more resources to improve their operations as well. Zero day exploits once thought to be solely the purview of nation-state level actors are now well within reach for cybercrime gangs with millions of dollars to budget towards purchase or in-house development of offensive tooling. It results in a situation where no matter what kind of adversary you find yourself being targeted by, you need to ensure that you have a dedicated plan for resiliency, and this is best achieved through adopting a cultural approach to cybersecurity. It really must come from the highest levels of executive management and flow into the operations of every line of business with a focus on the fundamentals of cybersecurity such as hardening, attack surface minimization, regular testing, and continuous monitoring.”