The SysUpdate RAT (Remote Access Trojan) is one piece of the very wide arsenal of hacking tools used by the Chinese hacking group known as Bronze Union. Because of the consistency of its activities and its high-profile targets, Bronze Union has been classified as an APT (Advanced Persistent Threat). SysUpdate is one of the group's private tools, but Bronze Union is also known for frequently relying on publicly available utilities in its attacks. Mixing custom malware with off-the-shelf tooling is not a common practice among high-profile APTs, but it has not stopped Bronze Union from doing so.
The SysUpdate Trojan has been confirmed in campaigns targeting organizations based in Turkey and Mongolia. These are unlikely to be the only cases in which Bronze Union has deployed SysUpdate, and it has probably been used in earlier attacks as well. The main job of the SysUpdate RAT is to evade the security measures on the compromised system and then drop a second-stage payload. Because that is its sole purpose, the group has kept its feature set minimal.
The infection vector used by Bronze Union is most likely phishing email campaigns carrying malicious RTF (Rich Text Format) attachments. Malware researchers suspect that this is not the group's only propagation method: it is likely that Bronze Union has also used previously harvested login credentials to log in to a chosen host and deploy the SysUpdate RAT manually.
Splitting the intrusion into a first-stage loader and a separately delivered second-stage payload is a deliberate and fairly cunning design choice on Bronze Union's part. Its purpose is to limit what malware researchers can learn if they catch SysUpdate in action. The loader reveals nothing about the payload the attackers intend to deliver, so analysts cannot tell whether Bronze Union planned to follow up with a fully featured RAT, an infostealer, a backdoor or some other common threat. SysUpdate's simplicity therefore serves to keep the group's wider infrastructure and plans secret in case the first stage is detected in time. For defenders, the practical consequence is that finding such a minimal loader should be treated as evidence that a follow-on payload was planned or already delivered, not as the end of the incident.