The threat group known as Lucky Mouse has released a Linux version of its SysUpdate malware toolkit, enabling it to target Linux devices.
The updated artifact, which dates back to July 2022, has new features aimed at avoiding security software and resisting reverse engineering. Lucky Mouse, also known as APT27, Bronze Union, Emissary Panda, and Iron Tiger, has previously carried out campaigns that targeted supply chain compromises of legitimate apps, including Able Desktop and MiMi Chat.
They have also used the ProxyLogon vulnerabilities in Microsoft Exchange Server to deploy HyperBro. In the latest campaign, Lucky Mouse targeted a gambling company in the Philippines, with signs pointing to the use of installers that masquerade as messaging apps.
The Linux and Windows versions of SysUpdate are capable of managing processes, executing arbitrary commands, and communicating with C2 servers.
The Linux version was written in C++ and uses the Asio library to port file-handling functions, indicating that the group may be adding cross-platform support for the malware.
Additionally, Lucky Mouse has developed a custom Chrome password and cookie grabber that targets the gambling industry and the Southeast Asia region.
