Novel Linux version of APT27’s SysUpdate malware emerges

Chinese cyberespionage operation APT27, also known as Iron Tiger, has begun leveraging a new Linux version of its SysUpdate remote access trojan in its attacks, according to BleepingComputer. Trend Micro researchers revealed that APT27's latest campaign involved the distribution of both Linux and Windows variants of SysUpdate against numerous targets, including a Philippines-based gambling firm. Both the Linux and Windows variants of SysUpdate were found to share the same file-handling functions and network encryption keys. However, the attackers added DNS tunneling to the Linux variant, which lets the malware bypass firewalls and network security tools, the researchers added. APT27 is believed to have used chat apps as lures to deliver the initial infection payloads, while the second stage, which loads the main SysUpdate payload, launches after the next system reboot. The report also noted that the subsequent side-loading stages involved APT27 using a Wazuh-signed executable to blend in with the targeted environment.
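DNS tunneling of the kind described above leaves a characteristic footprint in resolver logs: many unique, long, high-entropy subdomains under one parent domain, often TXT queries. The following is an added detection example written for this page, not code from the Trend Micro report or from SysUpdate; the log lines, the client addresses and the parent domain `tunnel-test.invalid` are constructed, and the "parent = last two labels" rule is a simplifying assumption (a production check would use a public-suffix list).

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in a BIND-style query-log format (hypothetical
# data, not taken from the report). The first two lines are ordinary
# lookups; the rest mimic a data channel under one parent domain.
SAMPLE_LOG = """\
client 10.0.0.5#51223: query: www.example.com IN A
client 10.0.0.5#51224: query: mail.example.com IN A
client 10.0.0.7#41011: query: 3f9a1c77e0b24d8a5.tunnel-test.invalid IN TXT
client 10.0.0.7#41012: query: 8b02ee61a9f4c3d7e.tunnel-test.invalid IN TXT
client 10.0.0.7#41013: query: c41d7a90f3e6b2a15.tunnel-test.invalid IN TXT
client 10.0.0.7#41014: query: 5e7f0bd3a4c91e682.tunnel-test.invalid IN TXT
client 10.0.0.7#41015: query: a9c3e5d1f7b02468d.tunnel-test.invalid IN TXT
"""

QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    freq = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in freq.values())


def flag_tunnel_domains(log_text, min_unique=5, min_entropy=3.0, min_label=16):
    """Return parent domains whose subdomain stream looks like a tunnel.
    Parent domain = last two labels (assumption; see lead-in)."""
    subs = defaultdict(set)
    for m in QUERY_RE.finditer(log_text):
        labels = m.group("name").rstrip(".").split(".")
        if len(labels) < 3:          # no subdomain to inspect
            continue
        parent = ".".join(labels[-2:])
        subs[parent].add(".".join(labels[:-2]))
    flagged = []
    for parent, names in subs.items():
        if len(names) < min_unique:  # too few distinct names to judge
            continue
        mean_entropy = sum(shannon_entropy(n.replace(".", "")) for n in names) / len(names)
        mean_len = sum(len(n) for n in names) / len(names)
        if mean_entropy >= min_entropy and mean_len >= min_label:
            flagged.append(parent)
    return sorted(flagged)
```

Thresholds are starting points; tune `min_unique`, `min_entropy` and `min_label` against a baseline of your own resolver logs, and allow-list CDN and telemetry domains that legitimately produce hashed-looking labels.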
