1. Home
  2. Software
  3. SysUpdate

SysUpdate

SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.[1]

ID: S0663
Associated Software: HyperSSL, Soldier, FOCUSFJORD
Type: MALWARE
Platforms: Windows, Linux
Version: 1.2
Created: 29 November 2021
Last Modified: 10 April 2024

Associated Software Descriptions

Name Description
HyperSSL

[1]
Soldier

[1]
FOCUSFJORD

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows管理规范

SysUpdate can use WMI for execution on a compromised host.[1]
Enterprise T1005 从本地系统获取数据

SysUpdate can collect information and files from a compromised host.[2]
Enterprise T1036 .004 伪装: Masquerade Task or Service

SysUpdate has named their unit configuration file similarly to other unit files residing in the same directory, /usr/lib/systemd/system/, to appear benign.[2]
Enterprise T1112 修改注册表

SysUpdate can write its configuration file to Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.[1]
Enterprise T1543 .002 创建或修改系统进程: Systemd Service

SysUpdate can copy a script to the user owned /usr/lib/systemd/system/ directory with a symlink mapped to a root owned directory, /etc/ystem/system, in the unit configuration file's ExecStart directive to establish persistence and elevate privileges.[2]
.003 创建或修改系统进程: Windows Service

SysUpdate can create a service to establish persistence.[1]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

SysUpdate has used DES to encrypt all C2 communications.[2]
Enterprise T1574 .002 劫持执行流: DLL Side-Loading

SysUpdate can load DLLs through vulnerable legitimate executables.[1]
Enterprise T1140 反混淆/解码文件或信息

SysUpdate can deobfuscate packed binaries in memory.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

SysUpdate can use a Registry Run key to establish persistence.[1]
Enterprise T1113 屏幕捕获

SysUpdate has the ability to capture screenshots.[1]
Enterprise T1071 .004 应用层协议: DNS

SysUpdate has used DNS TXT requests as for its C2 communication.[2]
Enterprise T1132 .001 数据编码: Standard Encoding

SysUpdate has used Base64 to encode its C2 traffic.[2]

Enterprise T1083 文件和目录发现

SysUpdate can search files on a compromised host.[1][2]
Enterprise T1106 本机API

SysUpdate can call the GetNetworkParams API as part of its C2 establishment process.[2]
Enterprise T1027 .002 混淆文件或信息: Software Packing

SysUpdate has been packed with VMProtect.[1][2]
.011 混淆文件或信息: Fileless Storage

SysUpdate can store its encoded configuration file within Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.[1]
.013 混淆文件或信息: Encrypted/Encoded File

SysUpdate can encrypt and encode its configuration file.[1]
Enterprise T1070 .004 移除指标: File Deletion

SysUpdate can delete its configuration file from the targeted system.[1]
Enterprise T1082 系统信息发现

SysUpdate can collect a system's architecture, operating system version, hostname, and drive information.[1][2]
Enterprise T1033 系统所有者/用户发现

SysUpdate can collect the username from a compromised host.[2]
Enterprise T1569 .002 系统服务: Service Execution

SysUpdate can manage services and processes.[1]
Enterprise T1007 系统服务发现

SysUpdate can collect a list of services on a victim machine.[2]
Enterprise T1016 系统网络配置发现

SysUpdate can collected the IP address and domain name of a compromised host.[2]

.001 Internet Connection Discovery

SysUpdate can contact the DNS server operated by Google as part of its C2 establishment process.[2]

Enterprise T1105 输入工具传输

SysUpdate has the ability to download files to a compromised host.[1][2]
Enterprise T1057 进程发现

SysUpdate can collect information about running processes.[2]
Enterprise T1041 通过C2信道渗出

SysUpdate has exfiltrated data over its C2 channel.[2]
Enterprise T1564 .001 隐藏伪装: Hidden Files and Directories

SysUpdate has the ability to set file attributes to hidden.[1]
Enterprise T1553 .002 颠覆信任控制: Code Signing

SysUpdate has been signed with stolen digital certificates.[2]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390

[1]

References

  1. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  1. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.