
The threat actor known as Lotus Panda has been observed targeting the government, manufacturing, telecommunications and media sectors in the Philippines, Vietnam, Hong Kong and Taiwan.
“Lotus Blossom has been using Sagerunex backdoors since at least 2016, increasingly adopting a long-term sustainable command shell and developing new variants of the Sagerunex malware suite,” Cisco Talos researcher Joey Chen said in an analysis published last week.
Also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon and Trip, Lotus Panda is suspected of being a Chinese hacking crew that has been active since at least 2009. The threat actor was first exposed by Symantec in June 2018.

In late 2022, Broadcom-owned Symantec detailed attacks by the threat actor against digital certificate authorities, government bodies and defense agencies in various countries in Asia, including the use of backdoors such as Hannotog and Sagerunex.
The exact initial access vectors used to breach the entities in the latest intrusion set are unknown, but the group has a history of carrying out spear-phishing and watering hole attacks. An unspecified attack pathway serves as a conduit for the Sagerunex implant, which is considered an evolution of the older Billbug malware known as Evora.
Notable in this activity is the use of two new "beta" variants of the malware that evade detection by using legitimate services such as Dropbox, X, and Zimbra as command-and-control (C2) tunnels. They are called "beta" variants because of a debug string present in the source code.

The backdoor is designed to collect and encrypt host details and exfiltrate them to remote servers under the attacker's control. The Dropbox and X versions of Sagerunex are believed to have been in use between 2018 and 2022, while the Zimbra version is said to have been around since 2019.
“The Zimbra webmail version of Sagerunex is not only designed to collect victim information and send it to a Zimbra mailbox, but it is also designed to allow actors to use Zimbra mailing content to give orders and control the victim machine,” Chen said.
“If your mailbox has legitimate command order content, the backdoor downloads the content and extracts the command. Otherwise, the backdoor will delete the content and wait for the legitimate command.”
The results of the command execution are then packaged as RAR archives and attached to draft emails in the mailbox's Draft and Trash folders.
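To make the mailbox-as-C2 pattern described above concrete from a defender's side, here is an added example (not code from Cisco Talos or the article) of a small hunting heuristic run over constructed webmail audit events. It flags hosts that read and delete mailbox content and then save RAR attachments into the Draft and Trash folders; the event tuple layout and folder names are assumptions.

```python
from collections import defaultdict

# Constructed sample audit events: (host, action, folder, attachment_name).
# ws-01 mimics the pattern in the article; ws-02 is ordinary user activity.
SAMPLE_EVENTS = [
    ("ws-01", "read",   "Inbox",  None),
    ("ws-01", "delete", "Inbox",  None),
    ("ws-01", "save",   "Drafts", "result-1.rar"),
    ("ws-01", "save",   "Trash",  "result-2.rar"),
    ("ws-02", "read",   "Inbox",  None),
    ("ws-02", "save",   "Drafts", "notes.docx"),
]

# Folders in which Sagerunex is reported to park RAR-packaged results (assumed names).
RESULT_FOLDERS = {"Drafts", "Trash"}


def suspicious_hosts(events, min_rar_saves=1):
    """Return the sorted list of hosts whose mailbox activity matches the
    read -> delete -> save-RAR-to-Draft/Trash sequence used as a C2 channel."""
    state = defaultdict(lambda: {"read": 0, "delete": 0, "rar_saves": 0})
    for host, action, folder, attachment in events:
        s = state[host]
        is_rar = attachment is not None and attachment.lower().endswith(".rar")
        if action == "read":
            s["read"] += 1          # backdoor polling the mailbox for commands
        elif action == "delete":
            s["delete"] += 1        # non-command content is discarded
        elif action == "save" and is_rar and folder in RESULT_FOLDERS:
            s["rar_saves"] += 1     # command output staged as a RAR draft
    return sorted(
        host for host, s in state.items()
        if s["read"] and s["delete"] and s["rar_saves"] >= min_rar_saves
    )


if __name__ == "__main__":
    print("hosts matching mailbox-C2 pattern:", suspicious_hosts(SAMPLE_EVENTS))
```

The heuristic is deliberately narrow; in practice it would be tuned with the mail server's real audit schema and a time window between the read and save events.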

Also deployed in the attack are a cookie stealer that harvests Chrome browser credentials, an open-source proxy utility named Venom, a privilege adjustment program, and bespoke tools to compress and encrypt captured data.
Additionally, the threat actor has been observed performing reconnaissance of the target environment, running commands such as net, tasklist, ipconfig and netstat, and carrying out checks to verify internet access.
“If internet access is restricted, actors have two strategies: establish a connection using the target’s proxy settings, or use the Venom proxy tool to link the isolated machine to an Internet-accessible system,” Talos said.