Cybersecurity researchers have discovered a new variant of a known malware called LOTUSLITE distributed via themes related to the Indian banking sector.
“The backdoor communicates with a dynamic DNS-based command and control server via HTTPS and supports remote shell access, file manipulation, and session management, indicating a continued set of capabilities focused on espionage rather than financial purposes,” Acronis researchers Subhajeet Sinha and Santiago Pontiroli wrote in their analysis.
Use of LOTUSLITE has previously been observed in spear-phishing attacks targeting US government and policy actors using decoys related to geopolitical developments between the US and Venezuela. This activity is believed with medium confidence to be from the Chinese nation-state group tracked as Mustang Panda.
The latest activity reported by Acronis involves the deployment of an evolved version of LOTUSLITE, showing “incremental improvements” over previous versions, indicating that the malware is being actively maintained and improved by its operators.
The departure from previous waves of attacks is related to a geographic reorientation, focusing primarily on India’s banking sector, while keeping the rest of the operational plan largely intact. The starting point of the attack is a compiled HTML (CHM) file with an embedded malicious payload (a legitimate executable and a malicious DLL) and an HTML page with a pop-up prompting the user to click “Yes.”
This step is designed to silently retrieve and execute JavaScript malware from a remote server (‘cosmosmusic’).[.]com”)’s primary role is to extract and execute malware contained within CHM files using DLL sideloading. The DLL (“dnx.onecore.dll”) is an updated version of LOTUSLITE that communicates with the domain “editor.gleeze”.[.]com” to receive commands and extract the desired data.
Further analysis of this campaign revealed similar artifacts designed to target South Korean organizations, specifically individuals within the policy and diplomatic community.
“We believe this group targeted specific organizations within the South Korean and US foreign policy communities, particularly those involved in Korean Peninsula issues, North Korea policy discussions, and Indo-Pacific security dialogue,” Acronis said.
“What stands out is that the group’s targets have spread from US government agencies with geopolitical lures, to the Indian banking sector through implants with references to HDFC Bank and pop-ups masquerading as legitimate banking software, and now to South Korean and US policy circles by impersonating prominent figures in Korean Peninsula diplomacy delivered via spoofed Gmail accounts and Google Drive staging.”
Source link
