Budworm Espionage Group Returns, Targets US State Legislature

The advanced persistent threat (APT) actor known as Budworm has been spotted targeting a US-based entity for the first time in more than six years, alongside other international targets.
The news comes from Symantec security researchers, who shared an advisory about the attacks with Infosecurity before publication.
According to the new data, Budworm executed attacks over the past six months against several strategically significant targets, including a Middle Eastern country’s government, a multinational electronics manufacturer, a hospital in South East Asia and a US state legislature.
“While there were frequent reports of Budworm targeting US organizations six to eight years ago, in more recent years, the group’s activity appears to have been largely focused on Asia, the Middle East, and Europe,” reads the advisory.
In the latest attacks, Budworm leveraged the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) to compromise the Apache Tomcat service on servers to install web shells. The attackers reportedly used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command and control (C&C) servers.
Symantec also explained that Budworm continued to rely on the HyperBro malware family as its primary payload, which is often delivered using a dynamic-link library (DLL) side-loading technique.
“In recent attacks, Budworm has used the endpoint privilege management software CyberArk Viewfinity to perform side-loading,” the security researchers wrote in the advisory.
“The binary, which has the default name vf_host.exe, is usually renamed by the attackers in order to masquerade as a more innocuous file.”
In some cases, however, the HyperBro backdoor was loaded with its own HyperBro loader, also designed to load malicious DLLs and encrypt payloads.
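The masquerade described above, a legitimate signed host binary renamed to look innocuous and then loading a malicious DLL from its own directory, is visible in endpoint telemetry if the sensor records the executable's internal name. The following is an added example written for this article rather than code from Symantec, CyberArk or the advisory; it runs a two-part check over constructed Sysmon-style events (Event ID 1 process creation, which carries the PE `OriginalFileName`, and Event ID 7 image load). The paths, process GUIDs and the `helper.dll` name are invented, and the set of abused host binaries is seeded only with the `vf_host.exe` name the article gives.

```python
import ntpath  # Windows path handling regardless of the host the script runs on

# Constructed Sysmon-style events. Only the vf_host.exe name comes from the
# article; every path, GUID and DLL name below is invented for this example.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{1}", "OriginalFileName": "vf_host.exe",
     "Image": r"C:\Program Files\CyberArk\Viewfinity\vf_host.exe"},
    {"EventID": 7, "ProcessGuid": "{1}", "Signed": "true",
     "Image": r"C:\Program Files\CyberArk\Viewfinity\vf_host.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessGuid": "{2}", "OriginalFileName": "vf_host.exe",
     "Image": r"C:\Users\Public\Libraries\wmiprv.exe"},          # renamed copy
    {"EventID": 7, "ProcessGuid": "{2}", "Signed": "false",
     "Image": r"C:\Users\Public\Libraries\wmiprv.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll"},    # side-loaded DLL
    {"EventID": 1, "ProcessGuid": "{3}", "OriginalFileName": "NOTEPAD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

# Signed binaries known to be used as side-loading hosts; extend from your own
# telemetry. Matching is on the PE version-info name, not the on-disk name.
SIDELOAD_HOSTS = {"vf_host.exe"}
# Directories where an unsigned DLL is still not interesting for this rule.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def analyze(events):
    """Return (ProcessGuid, reason, path) findings for renamed hosts and their DLL loads."""
    findings = []
    hosts = {}  # ProcessGuid -> image path of a process whose PE name is a known host
    for ev in events:
        if ev["EventID"] == 1:
            orig = ev.get("OriginalFileName", "").lower()
            image = ev["Image"]
            if orig in SIDELOAD_HOSTS:
                hosts[ev["ProcessGuid"]] = image
                # The article's masquerade: internal name says vf_host.exe, disk name differs.
                if ntpath.basename(image).lower() != orig:
                    findings.append((ev["ProcessGuid"], "renamed_host", image))
        elif ev["EventID"] == 7 and ev["ProcessGuid"] in hosts:
            dll = ev["ImageLoaded"]
            dll_dir = ntpath.dirname(dll).lower()
            host_dir = ntpath.dirname(hosts[ev["ProcessGuid"]]).lower()
            unsigned = ev.get("Signed", "false").lower() != "true"
            # Classic side-load shape: unsigned DLL sitting next to the host binary.
            if unsigned and dll_dir == host_dir and dll_dir not in TRUSTED_DLL_DIRS:
                findings.append((ev["ProcessGuid"], "unsigned_dll_from_host_dir", dll))
    return findings

if __name__ == "__main__":
    for guid, reason, path in analyze(EVENTS):
        print(f"{guid} {reason:28} {path}")
```

Keying on `OriginalFileName` is what makes the rename visible: the attacker controls the file name but not the version resource inside the signed executable. The second rule is intentionally conditioned on the first, so a legitimate Viewfinity install loading its own signed components produces nothing, while a copy dropped into a user-writable directory that pulls in an unsigned DLL from the same folder yields two findings that can be correlated by process GUID.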
“This is the second time in recent months, Budworm has been linked to attacks against a US-based target,” Symantec wrote, warning companies against the APT’s potential change of tactics.
“A recent CISA report on multiple APT groups attacking a defense sector organization mentioned Budworm’s toolset. A resumption of attacks against US-based targets could signal a change in focus for the group.”
For indicators of compromise (IoC) and additional information about the latest Budworm campaign, the Symantec advisory is now publicly available at this link.