Budworm hackers target U.S. organizations with new espionage attacks
Notorious cyber espionage group Budworm has launched deliberate attacks against a number of high-profile targets, including a U.S. state legislature, a Middle Eastern country and a multinational electronics manufacturer.
The attack on the unnamed U.S. state legislatures marks the first time in several years that Budworm has targeted a U.S.-based entity.
According to the Symantec Threat Hunter team, the Budworm gang exploited the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105). The exploited flaws were used to compromise the Apache Tomcat service on servers in order to install web shells. The attackers used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command-and-control (C&C) servers.
“Budworm’s main payload continues to be the HyperBro malware family, which is often loaded using a technique known as dynamic-link library (DLL) side-loading. This involves the attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application (having installed it themselves). The legitimate application then loads and executes the payload,” the report disclosed.
For the most recent attacks, Budworm used the endpoint privilege management software CyberArk Viewfinity to carry out side-loading. The binary has the default name vf_host.exe and is usually left behind by the attackers to disguise itself as a more harmless file.
Although the attackers use the PlugX/Korplug trojan as payload, other tools used during attacks include Cobalt Strike, LaZagne, IOX, Fast Reverse Proxy (FRP), and Fscan.
Cobalt Strike is an off-the-shelf tool used to load shellcode onto victim machines. Although it is a legitimate penetration testing tool, it can be exploited by threat actors. LaZagne is a publicly available credential dumping tool. IOX is a publicly available proxy and port forwarding tool. Fast Reverse Proxy (FRP) is a reverse proxy tool, while Fscan is a publicly available intranet scanning tool.
Adequate security measures are essential to mitigate attacks. Organizations must use the latest patch and install it on their servers. It is also important that organizations conduct periodic pen tests to detect exploitable vulnerabilities in their organizations, as this can allow attackers initial access to any organization.
The sources for this piece include an article in TheHackerNews.