The advanced persistent threat (APT) group known as Iron Tiger has expanded its capabilities with a Linux version of the SysUpdate malware toolkit, which includes new features designed to evade security software and resist reverse engineering.
Iron Tiger is also known for its use of malware such as HyperBro, PlugX, and a Linux backdoor called rshell. Over the past two years the group has run several campaigns that relied on supply chain compromises to gain remote access to targeted systems.
In the latest campaign, the group targeted a gambling company in the Philippines, among other victims. The exact infection vector remains unclear, though signs suggest that installers masquerading as messaging apps such as Youdu were used as lures to kick off the attack chain.
The Windows version of SysUpdate comes with features to manage processes, take screenshots, carry out file operations, and execute arbitrary commands. It is also capable of communicating with command-and-control (C2) servers via DNS tunneling, which hides C2 traffic inside DNS queries and responses so that it passes through egress filters that block other outbound protocols.
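For defenders, the practical question raised by DNS-based C2 is how to spot it in resolver logs. The following heuristic detector is an added example for this page; it is not code from the article, from Trend Micro or from the SysUpdate toolkit, and the log lines, domain names and thresholds in it are constructed for illustration and are not SysUpdate indicators. It scores each registered domain on features typical of tunnelled traffic: many unique, long, high-entropy subdomain labels and a bias toward record types that carry bulk data (TXT, NULL, CNAME). The registered-domain split uses the last two labels for brevity; a real deployment should use the public suffix list.

```python
"""Heuristic DNS-tunnelling detector over '<ts> <client> <qtype> <qname>' log lines.

Added example, not the article's or Trend Micro's code. The sample log, domain
names and thresholds below are constructed for illustration only.
"""
import math
from collections import defaultdict

# Constructed sample: three ordinary lookups and a burst of long hex labels
# under one domain using bulk-capable record types. Not real SysUpdate traffic.
SAMPLE_LOG = """\
1677600001 10.0.0.5 A www.example.com
1677600002 10.0.0.5 A cdn.example.com
1677600003 10.0.0.5 AAAA mail.example.com
1677600004 10.0.0.7 TXT 3a7f9c2e1b4d6e8f0a1b2c3d4e5f6a7b.8c9d0e1f2a3b4c5d.c2-sample.test
1677600005 10.0.0.7 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.3a2b1c0d9e8f7a6b.c2-sample.test
1677600006 10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.a1b2c3d4e5f60718.c2-sample.test
1677600007 10.0.0.7 NULL 7b6a59483726150f0e1d2c3b4a596877.f0e1d2c3b4a59687.c2-sample.test
1677600008 10.0.0.7 TXT c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.0918273645a6b7c8.c2-sample.test
1677600009 10.0.0.5 A www.example.com
"""

# Record types tunnelling tools favour for payload capacity.
BULK_QTYPES = {"TXT", "NULL", "CNAME"}

# Assumed tuning values for this example; adjust against your own baseline.
THRESHOLDS = {
    "min_unique_subdomains": 3,
    "min_avg_subdomain_len": 30,
    "min_avg_entropy": 3.0,
    "min_bulk_ratio": 0.5,
}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> tuple[str, str]:
    """Return (subdomain, registered_domain), treating the last two labels as
    the registered domain. Use the public suffix list in real deployments."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str) -> list[tuple[str, str]]:
    """Parse log lines into (qtype, qname) pairs, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, _, qtype, qname = parts
        records.append((qtype.upper(), qname))
    return records


def score_domains(records: list[tuple[str, str]]) -> dict[str, dict[str, float]]:
    """Aggregate queries per registered domain and compute tunnelling indicators."""
    per_domain = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "bulk": 0, "total": 0})
    for qtype, qname in records:
        sub, dom = split_qname(qname)
        d = per_domain[dom]
        d["total"] += 1
        d["bulk"] += int(qtype in BULK_QTYPES)
        d["subs"].add(sub)
        d["lens"].append(len(sub))
        d["ents"].append(shannon_entropy(sub))
    return {
        dom: {
            "unique_subdomains": len(d["subs"]),
            "avg_subdomain_len": sum(d["lens"]) / d["total"],
            "avg_entropy": sum(d["ents"]) / d["total"],
            "bulk_ratio": d["bulk"] / d["total"],
        }
        for dom, d in per_domain.items()
    }


def flag_tunnelling(summary: dict, thresholds: dict = THRESHOLDS) -> list[str]:
    """Domains exceeding every threshold, sorted for stable output."""
    return sorted(
        dom for dom, f in summary.items()
        if f["unique_subdomains"] >= thresholds["min_unique_subdomains"]
        and f["avg_subdomain_len"] >= thresholds["min_avg_subdomain_len"]
        and f["avg_entropy"] >= thresholds["min_avg_entropy"]
        and f["bulk_ratio"] >= thresholds["min_bulk_ratio"]
    )


def detect(log_text: str = SAMPLE_LOG) -> list[str]:
    return flag_tunnelling(score_domains(parse_log(log_text)))


if __name__ == "__main__":
    for dom, feats in score_domains(parse_log(SAMPLE_LOG)).items():
        print(dom, feats)
    print("flagged:", detect())
```

Requiring all four indicators together keeps the false-positive rate down: CDNs and anti-spam services also generate many unique subdomains, but rarely with 40-plus-character hex labels queried as TXT or NULL records. Baseline the thresholds against a week of your own resolver logs before alerting on them.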
The development also marks the first time a threat actor has been seen abusing a DLL side-loading weakness in a signed Wazuh executable to deploy SysUpdate on Windows machines.