Iron Tiger hackers distribute Linux version of their SysUpdate malware


    Hackers first tested the Linux version of the software in July 2022, according to a new Trend Micro report. However, it wasn't until October 2022 that a few payloads started showing up in the wild (ITW).

    The new variant is written in C++ using the Asio library, and its functionality is broadly the same as that of the Windows version of SysUpdate.

    The attackers' interest in expanding their operations beyond Windows became evident last summer, when SEKOIA and Trend Micro reported that Iron Tiger had attacked Linux and macOS systems using a new backdoor called "rshell".

    In Iron Tiger's latest campaign, malware samples were deployed to Windows and Linux systems using SysUpdate.

    One of the victims of this campaign was a gambling company in the Philippines. The C2 server used against it was registered under a domain resembling the victim's own brand, which made the attack very difficult to identify.

    The infection vector is unknown, but Trend Micro analysts suggest that chat apps were used as a lure to trick employees into downloading the initial payload.

    The SysUpdate loading process has evolved somewhat since earlier campaigns. The attackers now abuse a legitimate, digitally signed "Microsoft Resource Compiler" executable (rc.exe) to perform DLL sideloading.

    The shellcode loads the first stage of SysUpdate into memory, which makes it harder for antivirus products to detect. It then moves the required files into a predefined system folder and establishes persistence either by modifying the registry or by adding a separate service, depending on the privileges of the process.

    The second stage runs after the next system reboot to unpack and load the main SysUpdate payload.

    SysUpdate is a multifunctional remote access tool that allows a hacker to perform various malicious actions as listed below:

    • service manager (lists, starts, stops, adds and removes services);
    • file manager (finds, deletes, renames, uploads files and browses directories);
    • process manager (views and terminates processes);
    • taking screenshots;
    • getting disk information;
    • execution of commands.

    The Linux version of SysUpdate is an ELF executable and shares network encryption keys and file handling functions with its Windows counterpart. The binary file supports five options that determine what the malware should do next: setting persistence, daemonizing the process, setting a GUID (globally unique identifier) for the infected system, and so on.

    One of the new features of the Linux variant of SysUpdate is DNS tunneling. The malware reads the "/etc/resolv.conf" file to extract the system's default DNS server IP address, which it then uses to send and receive DNS requests. If that fails, the malware falls back to the Google DNS server at 8.8.8.8. Such a mechanism can help the malware evade firewalls or network security tools that are configured to block all traffic except to an allowlist of IP addresses.
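    As a detection-side illustration of the mechanism described above, here is an added Python example (not code from the Trend Micro report or from SysUpdate) that checks DNS query records against the resolvers listed in a resolv.conf-style file and flags queries that went straight to an outside resolver such as 8.8.8.8 or that carry long, high-entropy labels typical of tunneled data. The log format, the resolv.conf content and the example-cdn.net domain are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed resolv.conf text standing in for the host's real file (not from the report).
RESOLV_CONF = "# constructed sample\nnameserver 10.0.0.53\nsearch corp.example\n"

# Constructed query log, one "<timestamp> <client> <resolver> <qname>" per line (format assumed).
SAMPLE_LOG = [
    "2022-10-03T08:00:01 10.0.1.25 10.0.0.53 www.example.com.",
    "2022-10-03T08:00:02 10.0.1.25 10.0.0.53 mail.corp.example.",
    "2022-10-03T08:00:05 10.0.1.25 8.8.8.8 mzxw6ytboi4tkmrzge3tgnjyhe4c2mzvgq4tmmrr.upd.example-cdn.net.",
    "2022-10-03T08:00:06 10.0.1.25 8.8.8.8 ge3tgnjyhe4c2mzvgq4tmmrrmzxw6ytboi4tkmrz.upd.example-cdn.net.",
]

def parse_resolvers(resolv_conf: str) -> set:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    return set(re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M))

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label; encoded payloads score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def is_suspicious_qname(qname: str, max_data_len: int = 40, min_entropy: float = 3.5) -> bool:
    """Flag a query whose labels left of the registrable domain look like carried data."""
    data_labels = qname.rstrip(".").split(".")[:-2]  # assumes a two-label registrable domain
    if len(".".join(data_labels)) >= max_data_len:
        return True
    return any(len(l) >= 20 and label_entropy(l) >= min_entropy for l in data_labels)

def analyze(log_lines, allowed_resolvers):
    """Return (qname, resolver, reasons) for queries that bypass the configured
    resolver (e.g. go straight to 8.8.8.8) or whose names look like tunneled data."""
    findings = []
    for line in log_lines:
        _ts, _client, resolver, qname = line.split()
        reasons = []
        if resolver not in allowed_resolvers:
            reasons.append("resolver not listed in resolv.conf")
        if is_suspicious_qname(qname):
            reasons.append("long or high-entropy query name")
        if reasons:
            findings.append((qname, resolver, reasons))
    return findings

if __name__ == "__main__":
    for qname, resolver, reasons in analyze(SAMPLE_LOG, parse_resolvers(RESOLV_CONF)):
        print(resolver, qname, "; ".join(reasons))
```

    In a real deployment the resolver check is the higher-value signal: a host whose queries suddenly go to a public resolver its resolv.conf never lists deserves a look regardless of the query names.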

    Trend Micro says that the choice of the Asio library to develop the Linux version of SysUpdate may be due to its multi-platform portability, and predicts that a macOS version of SysUpdate may soon appear in the wild as well.

    Author DeepWeb