Budworm Espionage Group Returns, Targets US State Legislature

Written by

The advanced persistent threat (APT) actor known as Budworm has been spotted targeting a US-based entity for the first time in more than six years, alongside other international targets.

The news comes from Symantec security researchers, who shared an advisory about the attacks with Infosecurity before publication.

According to the new data, Budworm executed attacks over the past six months against several strategically significant targets, including a Middle Eastern country’s government, a multinational electronics manufacturer, a hospital in South East Asia and a US state legislature.

“While there were frequent reports of Budworm targeting US organizations six to eight years ago, in more recent years, the group’s activity appears to have been largely focused on Asia, the Middle East, and Europe,” reads the advisory.

In the latest attacks, Budworm leveraged the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) to compromise the Apache Tomcat service on servers to install web shells. The attackers reportedly used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command and control (C&C) servers.

Symantec also explained that Budworm continued to rely on the HyperBro malware family as its primary payload, which is often delivered using a dynamic-link library (DLL) side-loading technique. 

“In recent attacks, Budworm has used the endpoint privilege management software CyberArk Viewfinity to perform side-loading,” the security researchers wrote in the advisory.

“The binary, which has the default name vf_host.exe, is usually renamed by the attackers in order to masquerade as a more innocuous file.”

In some cases, however, the HyperBro backdoor was loaded with its own HyperBro loader, also designed to load malicious DLLs and encrypt payloads.

“This is the second time in recent months, Budworm has been linked to attacks against a US-based target,” Symantec wrote, warning companies against the APT’s potential change of tactics.

“A recent CISA report on multiple APT groups attacking a defense sector organization mentioned Budworm’s toolset. A resumption of attacks against US-based targets could signal a change in focus for the group.”

For indicators of compromise (IoC) and additional information about the latest Budworm campaign, the Symantec advisory is now publicly available at this link.

What’s hot on Infosecurity Magazine?