During a digital forensics and incident response (DFIR) engagement, LevelBlue researchers discovered a new SysUpdate malware variant that targets Linux systems. The sample uses advanced encryption for its command-and-control (C2) communications while posing as a genuine system service. In order to facilitate quicker incident response, the team reverse-engineered the malware and created emulation tools to decrypt its traffic.
Insights from Malware Analysis

The malware is a packed ELF64 binary written in C++, dynamically linked, stripped of its section headers and protected by an unidentified obfuscating packer. It masquerades as a system service: when started without specific arguments it runs the Linux "id" command and prints user information.
[Image: A Variant of Linux SysUpdate Is Found (Source: levelblue)]

Dynamic analysis confirmed that the network activity is encrypted C2 traffic spanning multiple protocols, and endpoint detection telemetry linked the sample to SysUpdate, which was previously attributed to APT27 (Iron Tiger). LevelBlue researchers used the Unicorn Engine with Rust bindings for emulation, GDB for debugging, and Binary Ninja for decompilation (viewing its High-Level Intermediate Language, HLIL). Syscall tracing focused on network I/O, while static analysis identified dense bitwise operations and cryptographic constants.
[Image: A Variant of Linux SysUpdate Is Found (Source: levelblue)]

Key functions included "generate_key", a high-level wrapper that calls "generate_key_internal" with 64 iterations; "xor_and_UNK_1", which handles the encrypt/decrypt flag, 8-byte-aligned buffers and the XOR with the key material; and "i_am_clearly_encryption_UNK", which contains S-box-like data and constants such as 0xf0f0f0f.
Overcoming C2 Encryption

Rather than reimplement the unidentified algorithm, the researchers used Unicorn Engine to emulate the malware's own code, preserving the original memory mappings for accuracy. They mapped the heap (0x1393000), stack (0x7ffffffde000), an unknown data region (0x4fd000) and the code segment for key generation, then populated these with the extracted machine-code bytes, memory dumped from GDB, and the plaintext key "!2#4Wx62". With the registers set carefully, RDI pointing to the buffer for the generated key and RSI to the encryption key, they executed from 0x40cc10 to 0x40cc58, which produced a 132-byte key that was saved as "gend_key.bin".
[Image: A Variant of Linux SysUpdate Is Found (Source: levelblue)]

The decryption emulator extended this setup with additional buffers for the generated key, the output, and the encrypted input taken from intercepted traffic. With the decrypt flag set (RSI=0), the data length in RDX (for example 168 bytes), and buffer pointers in R8/R9, it mirrored the "xor_and_UNK_1" call and its inner routine from 0x40cfe2 to 0x40d02a. Execution decrypted the C2 payloads successfully, and the same tooling can be reused for other variants. LevelBlue notes that this approach turns the adversary's code against itself, enabling rapid decryption during live incidents without a complete reverse-engineering effort.
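The key-generation emulation described above, as an added Python Unicorn harness that is not LevelBlue's tooling (theirs used Rust bindings): it reproduces the article's memory layout and RDI/RSI setup, and because the malware's code bytes are not on the page, CONSTRUCTED_STUB is a hand-assembled x86-64 stand-in routine (an assumption) whose stop address is derived from its length rather than the article's 0x40cc58.

```python
try:
    from unicorn import Uc, UC_ARCH_X86, UC_MODE_64
    from unicorn.x86_const import UC_X86_REG_RDI, UC_X86_REG_RSI, UC_X86_REG_RSP
    UNICORN_AVAILABLE = True
except ImportError:  # the reference model below still works without Unicorn
    UNICORN_AVAILABLE = False

PAGE = 0x1000
HEAP_BASE, STACK_BASE, DATA_BASE = 0x1393000, 0x7ffffffde000, 0x4fd000
CODE_BASE, ENTRY = 0x40c000, 0x40cc10        # page holding the key-gen routine
KEY, KEY_LEN = b"!2#4Wx62", 132               # plaintext key, output size (article)

# Constructed stand-in for the real routine (assumption, hand-assembled x86-64):
#   xor ecx,ecx ; loop: mov eax,ecx ; and eax,7 ; mov al,[rsi+rax] ; xor al,cl
#   mov [rdi+rcx],al ; inc ecx ; cmp ecx,132 ; jb loop ; ret
CONSTRUCTED_STUB = bytes.fromhex(
    "31c9" "89c8" "83e007" "8a0406" "30c8" "88040f" "ffc1" "81f984000000" "72e9" "c3")
STOP = ENTRY + len(CONSTRUCTED_STUB) - 1      # address of the ret: stop before it

def page_span(addr, size):
    """Round a region to whole 4 KiB pages, which Unicorn's mem_map requires."""
    start = addr & ~(PAGE - 1)
    end = (addr + size + PAGE - 1) & ~(PAGE - 1)
    return start, end - start

def reference_stub_output(key=KEY):
    """Pure-Python model of CONSTRUCTED_STUB: out[i] = key[i % 8] ^ i."""
    return bytes(key[i % 8] ^ i for i in range(KEY_LEN))

def emulate_key_generation(code=CONSTRUCTED_STUB, key=KEY):
    """Drive the routine under Unicorn and return the 132-byte generated key."""
    uc = Uc(UC_ARCH_X86, UC_MODE_64)
    for base, size in ((HEAP_BASE, 2 * PAGE), (STACK_BASE, 8 * PAGE),
                       (DATA_BASE, PAGE), (CODE_BASE, 2 * PAGE)):
        uc.mem_map(*page_span(base, size))
    uc.mem_write(ENTRY, code)                 # extracted machine code
    uc.mem_write(DATA_BASE, key)              # plaintext key in the data region
    uc.reg_write(UC_X86_REG_RDI, HEAP_BASE)   # RDI: generated-key pointer
    uc.reg_write(UC_X86_REG_RSI, DATA_BASE)   # RSI: encryption key
    uc.reg_write(UC_X86_REG_RSP, STACK_BASE + 8 * PAGE - 0x100)
    uc.emu_start(ENTRY, STOP)
    return bytes(uc.mem_read(HEAP_BASE, KEY_LEN))

if __name__ == "__main__":
    generated = emulate_key_generation()
    assert generated == reference_stub_output()   # harness drives the code correctly
    with open("gend_key.bin", "wb") as f:         # same artifact name as the article
        f.write(generated)
```

Swapping CONSTRUCTED_STUB for bytes dumped from a real sample (and STOP for the routine's true end address) is all that changes when the harness is pointed at the malware itself.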
The Linux evolution of SysUpdate highlights the cross-platform threats posed by groups such as Iron Tiger. Organizations should monitor for encrypted network flows and unusual ELF binaries that imitate system services.