Researchers predict the APT will expand capabilities to target other platforms and apps in the future.

Iron Tiger, an advanced persistent threat (APT) group, has updated its SysUpdate malware with new features and added support for infecting Linux systems, according to a report by Trend Micro.

The earliest sample of this version was observed in July 2022. After finding multiple similar payloads in late October 2022, Trend Micro researchers started looking into them and found similarities with the SysUpdate malware family.

Iron Tiger is a group of China-based threat actors that has been active since 2013. In its initial operations it was seen stealing terabytes of confidential data from employees of high-technology companies in the US. The group has made the loading logic of the latest malware variant complex in order to evade security solutions.

The Linux SysUpdate

The latest malware variant is written in C++ using the Asio library, and its functionality is very similar to Iron Tiger's Windows version of SysUpdate. SysUpdate can manage system services, grab screenshots, browse and terminate processes, retrieve drive information, execute commands, and find, delete, rename, upload, and download files as well as browse a victim's file directory, the Trend Micro report said.

While investigating SysUpdate's infrastructure, researchers found some ELF files linked to some of the command and control servers. "We analyzed them and concluded that the files were a SysUpdate version made for the Linux platform," the report said. The ELF samples shared common network encryption keys and had many similar features, such as the file-handling functions. "It is possible that the developer made use of the Asio library because of its portability across multiple platforms," the report said.
The Linux version has an additional feature: command and control communication carried over DNS TXT requests. "While DNS is not supposed to be a communication protocol, the attacker abuses this protocol to send and receive information," the report said.

While the initial infection vector is not known, the researchers observed that chat apps were also used to lure victims into downloading the infection payload. Once downloaded and executed, the malware sends information back to the command and control servers: a GUID, the host name, the username, the local IP address and port used to send the request, the current PID, the kernel version and machine architecture, and the current file path.

One of the victims of this campaign was a gambling company in the Philippines, the report noted. The threat actor is known to target the gambling industry and the South-East Asia region.

Indicated interest in other platforms

The threat actor had already shown interest in platforms other than Windows. In 2022, Iron Tiger, also known as APT27, was seen targeting macOS and Linux systems with its malware family called rshell.

Further updates of these tools are likely to accommodate other platforms and apps, according to the Trend Micro report. "The threat actor is likely to reuse the tools mentioned here in future campaigns that might target different regions or industries in the short and long term," the report said.
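The DNS TXT channel described above is a classic beaconing pattern, and the defender's first question is how to spot it in resolver logs. The following is an added detection example, not code from Trend Micro and not a signature for the SysUpdate samples: it runs over a constructed, minimal resolver log in an assumed format (`<timestamp> <client_ip> <qtype> <qname>`), flags TXT lookups whose client-controlled labels are long and high-entropy (the shape encoded beacon data takes on the wire), and separately flags any host making many TXT lookups under one base domain. The `c2.example` domain, the thresholds and the last-two-labels base-domain heuristic are assumptions for illustration, not indicators from the report.

```python
"""Detection example for DNS TXT-based C2 beacons (added illustration).

Not Trend Micro's code and not a SysUpdate signature. It parses a
constructed resolver log in an assumed four-field format:
    <timestamp> <client_ip> <qtype> <qname>
and raises two independent signals:
  1. a TXT lookup whose client-controlled labels are long and
     high-entropy (what encoded beacon data looks like in a query name);
  2. one client making many TXT lookups under a single base domain.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class DnsQuery:
    ts: str
    client: str
    qtype: str
    qname: str


def parse_line(line: str) -> DnsQuery:
    """Parse one log line of the assumed four-field format."""
    ts, client, qtype, qname = line.split()
    return DnsQuery(ts, client, qtype.upper(), qname.rstrip(".").lower())


def shannon_entropy(s: str) -> float:
    """Bits per character: hex-encoded data approaches 4.0, hostnames sit lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname: str) -> str:
    # Assumption: the registrable domain is the last two labels.
    # Production code should consult a public-suffix list instead.
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def encoded_payload(qname: str) -> str:
    """Join every label left of the base domain: the part the client controls."""
    return "".join(qname.split(".")[:-2])


def suspicious_txt(q: DnsQuery, min_len: int = 30, min_entropy: float = 3.5) -> bool:
    """Signal 1: a TXT query carrying a long, high-entropy subdomain payload."""
    if q.qtype != "TXT":
        return False
    payload = encoded_payload(q.qname)
    return len(payload) >= min_len and shannon_entropy(payload) >= min_entropy


def analyze(lines, per_host_threshold: int = 5):
    """Return (flagged queries, {(client, base_domain)} over the TXT volume threshold)."""
    queries = [parse_line(ln) for ln in lines if ln.strip()]
    flagged = [q for q in queries if suspicious_txt(q)]
    volume = defaultdict(int)
    for q in queries:
        if q.qtype == "TXT":
            volume[(q.client, base_domain(q.qname))] += 1
    noisy = {key for key, n in volume.items() if n >= per_host_threshold}
    return flagged, noisy


# Constructed sample log (not real traffic). 10.0.0.7 does ordinary mail
# related TXT lookups; 10.0.0.5 pushes hex-looking labels under c2.example
# every 30 seconds, the shape a DNS-tunnelled beacon takes.
SAMPLE_LOG = """\
2023-02-28T09:58:02Z 10.0.0.7 A www.example.com
2023-02-28T09:58:03Z 10.0.0.7 TXT example.com
2023-02-28T09:58:04Z 10.0.0.7 TXT _dmarc.example.com
2023-02-28T10:00:01Z 10.0.0.5 TXT a1b2c3d4e5f60718.293a4b5c6d7e8f90.c2.example
2023-02-28T10:00:31Z 10.0.0.5 TXT 0f1e2d3c4b5a6978.8796a5b4c3d2e1f0.c2.example
2023-02-28T10:01:01Z 10.0.0.5 TXT b2c3d4e5f60718293a4b5c6d7e8f90a1.c2.example
2023-02-28T10:01:31Z 10.0.0.5 TXT 1e2d3c4b5a69788796a5b4c3d2e1f00f.c2.example
2023-02-28T10:02:01Z 10.0.0.5 TXT c3d4e5f60718293a4b5c6d7e8f90a1b2.c2.example
2023-02-28T10:02:05Z 10.0.0.5 A www.example.com
"""

if __name__ == "__main__":
    flagged, noisy = analyze(SAMPLE_LOG.splitlines())
    for q in flagged:
        print(f"encoded TXT payload: {q.client} -> {q.qname}")
    for client, domain in noisy:
        print(f"high TXT volume: {client} -> {domain}")
```

The thresholds are loose starting points: tune `min_len`, `min_entropy` and `per_host_threshold` against a baseline of your own resolver's TXT traffic, since SPF, DKIM and DMARC lookups are legitimate TXT queries that must not trip the volume rule, and replace the last-two-labels shortcut with a public-suffix list before relying on the per-domain count.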