
SysUpdate

Posted: June 4, 2019

China-linked APT group Bronze Union is known to use a wide array of hacking tools – both public and private. High-profile hacking groups usually tend to stick to private utilities in their operations, but it would appear that Bronze Union is not reluctant to use public tools too. However, in this post, we will take a closer look at one of the private RATs that the group used in 2018 – the SysUpdate Remote Access Trojan.

Cybersecurity experts suspect that the SysUpdate RAT may have been used in attacks against entities in Mongolia and Turkey, and it is likely that this tool, one of the group's primary RATs, has been involved in past campaigns. It would appear that this particular tool is limited in terms of features – in fact, it serves the sole purpose of introducing a second-stage payload to the compromised host. Of course, this does not make it any less threatening, since it excels at bypassing security tools and gaining persistence, which ensures that it will be able to get to work as soon as it is commanded to initiate the second payload.

The attackers are likely to use several methods to propagate the corrupted file – it has been found loaded in Rich Text Format (RTF) files, which likely means that phishing emails were used in the attack. In another campaign, the SysUpdate tool might have been installed manually by taking advantage of compromised login credentials.

Although SysUpdate may sound severely limited in terms of capabilities, it is important to note that using it as a first-stage payload is a clever trick by the attackers. This way, if their actions are spotted, the researchers working on the issue will not learn much about their plan, since the sole purpose of SysUpdate is to receive commands that introduce the primary, second-stage payload to the compromised host. Thanks to this, SysUpdate can leave the cybersecurity teams clueless about the goal of the attack and the tools the attackers plan to use.
