
SysUpdate Linux Variant

Written by The Hivemind | Mar 14, 2023 7:30:50 PM

Verticals Targeted: Gambling

Executive Summary

Trend Micro recently reported on a new Linux variant of Emissary Panda’s SysUpdate. SysUpdate is one of Emissary Panda’s custom tools. 

Key Takeaways

  • Emissary Panda is using a new Linux variant of SysUpdate.
  • The variant was seen in the wild as early as October 2022. 
  • The Linux variant operates similarly to the original Windows variant. 
  • Some of the malicious files were signed with a stolen certificate associated with Permyakov Ivan Yurievich IP, which distributes VMProtect.

What is the SysUpdate Linux Variant?

Trend Micro recently reported on a new Linux variant of Emissary Panda’s SysUpdate. SysUpdate is one of Emissary Panda’s custom tools. The earliest known sample of the Linux variant was seen in the wild in October 2022. The Linux variant of SysUpdate is an ELF binary written in C++ that uses the Asio library. The infection vector is currently unknown, but Trend Micro analysts assessed that a chat application may have been used as a lure; Emissary Panda has used a similar tactic in the past. One of the targets compromised by this malware was a gambling company based in the Philippines.

SysUpdate has several features, including a service manager, a process manager, a file manager, screenshot grabbing, drive information retrieval, and command execution. The Linux variant uses complex loading logic to help evade security measures, and the code was changed to make reverse engineering more difficult. SysUpdate collects and sends data to the C2, including a randomly generated GUID, hostname, username, current PID, kernel version and machine architecture, current file path, and the local IP address and port used to send the request. It also sends a Boolean flag: 0 if the binary was launched with exactly one parameter, and 1 otherwise.

Trend Micro noted that some of the malicious files were signed with a stolen certificate associated with Permyakov Ivan Yurievich IP, which distributes VMProtect. Multiple threat actors have abused this software in the past to obfuscate malware.

Who is Emissary Panda?

Emissary Panda, also known as APT27, GreedyTaotie, Red Phoenix, Iron Tiger, Lucky Mouse, and Bronze Union, is a China-nexus APT group that focuses on espionage campaigns targeting foreign embassies. The group attempts to obtain data from the defense, technology, and government verticals.

IOCs

PolySwarm has multiple samples of the SysUpdate Linux variant.


You can use the following CLI command to search for all SysUpdate samples in our portal:
$ polyswarm link list -f SysUpdate

 
