1. Home
  2. Software
  3. SysUpdate

SysUpdate

SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.[1]

ID: S0663
Associated Software: HyperSSL, Soldier, FOCUSFJORD
Type: MALWARE
Platforms: Windows, Linux
Version: 1.2
Created: 29 November 2021
Last Modified: 10 April 2024
Version Permalink

Associated Software Descriptions

Name Description
HyperSSL

[1]
Soldier

[1]
FOCUSFJORD

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

SysUpdate has used DNS TXT requests as for its C2 communication.[2]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SysUpdate can use a Registry Run key to establish persistence.[1]
Enterprise T1543 .002 Create or Modify System Process: Systemd Service

SysUpdate can copy a script to the user owned /usr/lib/systemd/system/ directory with a symlink mapped to a root owned directory, /etc/ystem/system, in the unit configuration file's ExecStart directive to establish persistence and elevate privileges.[2]
.003 Create or Modify System Process: Windows Service

SysUpdate can create a service to establish persistence.[1]
Enterprise T1132 .001 Data Encoding: Standard Encoding

SysUpdate has used Base64 to encode its C2 traffic.[2]

Enterprise T1005 Data from Local System

SysUpdate can collect information and files from a compromised host.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

SysUpdate can deobfuscate packed binaries in memory.[1]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

SysUpdate has used DES to encrypt all C2 communications.[2]
Enterprise T1041 Exfiltration Over C2 Channel

SysUpdate has exfiltrated data over its C2 channel.[2]
Enterprise T1083 File and Directory Discovery

SysUpdate can search files on a compromised host.[1][2]
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

SysUpdate has the ability to set file attributes to hidden.[1]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

SysUpdate can load DLLs through vulnerable legitimate executables.[1]
Enterprise T1070 .004 Indicator Removal: File Deletion

SysUpdate can delete its configuration file from the targeted system.[1]
Enterprise T1105 Ingress Tool Transfer

SysUpdate has the ability to download files to a compromised host.[1][2]
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

SysUpdate has named their unit configuration file similarly to other unit files residing in the same directory, /usr/lib/systemd/system/, to appear benign.[2]
Enterprise T1112 Modify Registry

SysUpdate can write its configuration file to Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.[1]
Enterprise T1106 Native API

SysUpdate can call the GetNetworkParams API as part of its C2 establishment process.[2]
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

SysUpdate has been packed with VMProtect.[1][2]
.011 Obfuscated Files or Information: Fileless Storage

SysUpdate can store its encoded configuration file within Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.[1]
.013 Obfuscated Files or Information: Encrypted/Encoded File

SysUpdate can encrypt and encode its configuration file.[1]
Enterprise T1057 Process Discovery

SysUpdate can collect information about running processes.[2]
Enterprise T1113 Screen Capture

SysUpdate has the ability to capture screenshots.[1]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

SysUpdate has been signed with stolen digital certificates.[2]
Enterprise T1082 System Information Discovery

SysUpdate can collect a system's architecture, operating system version, hostname, and drive information.[1][2]
Enterprise T1016 System Network Configuration Discovery

SysUpdate can collected the IP address and domain name of a compromised host.[2]

.001 Internet Connection Discovery

SysUpdate can contact the DNS server operated by Google as part of its C2 establishment process.[2]

Enterprise T1033 System Owner/User Discovery

SysUpdate can collect the username from a compromised host.[2]
Enterprise T1007 System Service Discovery

SysUpdate can collect a list of services on a victim machine.[2]
Enterprise T1569 .002 System Services: Service Execution

SysUpdate can manage services and processes.[1]
Enterprise T1047 Windows Management Instrumentation

SysUpdate can use WMI for execution on a compromised host.[1]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390

[1]

References

  1. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  1. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.