Lucky Mouse creates Linux version of SysUpdate malware

March 16, 2023 - TuxCare PR Team

Lucky Mouse, a cyber threat group, has created a Linux version of the malware called SysUpdate, increasing its ability to attack devices that use the operating system.

This latest campaign, according to Trend Micro researchers, involved the distribution of both Linux and Windows variants of SysUpdate against a variety of targets, including a Philippines-based gambling firm. According to reports, the attacker registered the oldest domain name one month before beginning the C&C configuration and then waited another month before compiling the malicious sample linked to that domain name.

Both the Linux and Windows versions of SysUpdate have the same file-handling functions and network encryption keys. Researchers added that attackers have added DNS tunneling in the malware’s Linux variant, enabling firewall and network security tool bypass.

This new version is similar to the 2021 version, with the exception that the C++ run-time type information (RTTI) classes we saw in 2021 have been removed, and the code structure has been changed to use the ASIO C++ asynchronous library. Both changes lengthen the time it takes to reverse engineer the samples. We strongly advise organizations and users in the targeted industries to strengthen their security measures in order to protect their systems and data from this ongoing campaign.

The exact infection vector used in the attack is unknown, but evidence suggests that installers disguised as messaging apps like Youdu were used as lures to activate the attack sequence. The Windows version of SysUpdate includes features for managing processes, taking screenshots, performing file operations, and running arbitrary commands. It can also communicate with C2 servers via DNS TXT requests, a method known as DNS Tunneling.

To load the process, the attacker runs rc.exe, a legitimate “Microsoft Resource Compiler” signed file , which is vulnerable to a DLL side-loading vulnerability, and loads a file named rc.dll. Then the malicious rc.dll loads a file named rc.bin in memory. The rc.bin file contains Shikata Ga Nai encoded shellcode for decompressing and loading the first stage into memory. Different actions are taken depending on the number of command line parameters.

Some of these actions include using zero or two parameters to install malware in the system and then calling Stage 1 again using process hollowing with four parameters. The one parameter that is the same as the previous action but does not require installation. And the four parameters that generate a memory section containing the DES-encrypted malware configuration as well as a second Shikata Ga Nai shellcode decompression and loading stage 2. It then proceeds to Stage 2 via the process hollowing.

The “installation” step, in which the malware transports the files to a hardcoded folder, is deemed simple. Depending on the process’s privileges, the malware generates a registry key or a service that starts up the relocated executable rc.exe with a single parameter. This guarantees that the malware is started up during the next reboot, bypassing the installation stage.

The sources for this piece include an article in TheHackerNews.

Summary