The Chinese cyberespionage group APT27, also known as "Iron Tiger," has built a Linux version of its custom SysUpdate remote access malware, widening the set of business systems it can target.
According to a recent Trend Micro report, the threat actor first tested the Linux version in July 2022, but payloads were not observed in the wild until October 2022.
The new variant closely mirrors the functionality of Iron Tiger's Windows version of SysUpdate and is written in C++ using the Asio library.
The actor's interest in platforms beyond Windows was already apparent last summer, when SEKOIA and Trend Micro reported APT27 targeting Linux and macOS systems with a new backdoor dubbed "rshell."
The Trend Micro-researched SysUpdate campaign used both Windows and Linux malware against legitimate targets.
One victim of this campaign was a gaming company in the Philippines; the command-and-control (C2) server used in that attack was hosted on a domain that mimicked the victim's own brand.
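A lookalike C2 domain of this kind is something a defender can hunt for in DNS logs. The script below is an added example, not code from the Trend Micro report or from the actor's toolkit: it scans constructed DNS log lines for registrable labels that match the organization's brand after homoglyph normalization, are within a small edit distance of it, or embed it under a different name. The brand "examplegaming", the hostnames, and the log format are all assumptions made for the example.

```python
"""Flag domains that impersonate an organization's brand in DNS logs.

Added example for illustration; the brand, domains and log lines are constructed,
not the real victim or real C2 infrastructure from the report.
"""
import re

BRAND = "examplegaming"                 # assumed brand label to protect
KNOWN_GOOD = {"examplegaming.com"}      # assumed allowlist of the org's real FQDNs

# Constructed DNS log excerpt (not real traffic).
SAMPLE_DNS_LOG = """\
2022-10-03T08:12:01Z host=ws-17 qname=examplegaming.com rcode=NOERROR
2022-10-03T08:12:09Z host=ws-17 qname=examplegaming-cdn.net rcode=NOERROR
2022-10-03T08:13:44Z host=ws-23 qname=exarnplegaming.com rcode=NOERROR
2022-10-03T08:14:02Z host=ws-23 qname=cdn.jsdelivr.net rcode=NOERROR
2022-10-03T08:15:31Z host=ws-09 qname=examp1egaming.org rcode=NOERROR
2022-10-03T08:16:10Z host=ws-09 qname=login.microsoftonline.com rcode=NOERROR
2022-10-03T08:17:05Z host=ws-31 qname=examplegamng.com rcode=NOERROR
"""

# Common visual substitutions used in typosquats; multi-character pairs first.
HOMOGLYPH_MAP = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

QNAME_RE = re.compile(r"qname=(\S+)")


def normalize(label: str) -> str:
    """Lower-case a label and collapse homoglyph substitutions."""
    s = label.lower()
    for src, dst in HOMOGLYPH_MAP:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(qname: str) -> str:
    """Crude second-level label; production code should use the Public Suffix List."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(qname: str, brand: str = BRAND, known_good=KNOWN_GOOD, max_distance: int = 2):
    """Return a verdict string for a suspicious domain, or None if it looks benign."""
    if qname.lower() in known_good:
        return None
    norm = normalize(registrable_label(qname))
    brand = brand.lower()
    if norm == brand:
        return "lookalike-label"      # brand spelled with homoglyphs or on a foreign TLD
    if levenshtein(norm, brand) <= max_distance:
        return "near-miss"            # dropped/swapped characters
    if brand in norm:
        return "brand-embedded"       # e.g. brand-cdn, brand-login
    return None


def scan(log_text: str):
    """Scan log lines and return (qname, verdict) pairs for flagged domains."""
    hits = []
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group(1))
        if verdict:
            hits.append((m.group(1), verdict))
    return hits


if __name__ == "__main__":
    for qname, verdict in scan(SAMPLE_DNS_LOG):
        print(f"{verdict:16} {qname}")
```

The allowlist matters: without it the organization's own domain would be flagged by the exact-match branch. Tune `max_distance` to the brand length, since a distance of 2 is very permissive for short names and produces noise.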
The initial infection vector remains unclear, but Trend Micro's analysts suspect that chat applications were used as lures to trick employees into downloading the first-stage malware payloads.