The Chinese hacker group known as Billbug, or Lotus Blossom, targeted high-profile organizations across Southeast Asia.
The attackers, who were previously documented by Symantec and later Cisco Talos, employed a variety of new custom tools, alongside novel techniques like DLL sideloading, to infiltrate and persist within their victims’ networks.
New Weapons in the Arsenal
Billbug’s arsenal included a range of malware specifically designed to evade detection and exfiltrate sensitive data.
.png
)
Among these was a new variant of the Sagerunex backdoor (SHA256: 4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e), which was used to establish persistence by manipulating registry settings to run as a service.
This backdoor is known for its flexibility, allowing attackers to execute commands and steal data as intended.
A significant addition to their toolkit was a reverse SSH tool (SHA256: 461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced) capable of opening an SSH connection on port 22, thereby providing remote access from internal networks to the internet.
This tool was particularly useful for maintaining control over the compromised systems discreetly.
Advanced Credential Stealing
The hackers also deployed ChromeKatz and CredentialKatz to harvest credentials from the Chrome browser.
These tools, with multiple variants, were designed to extract both credentials and cookies, facilitating further network infiltration.
To bypass security measures, Billbug utilized DLL sideloading, a technique where they used legitimate software to load malicious DLLs.
An example includes the manipulation of a Trend Micro binary named tmdbglog.exe to sideload a malicious DLL called tmdglog.dll, which then executed encrypted contents from C:\Windows\temp\TmDebug.log.
Similarly, a Bitdefender binary named bds.exe was exploited to load a malicious DLL named log.dll, which attempted to run code hidden within winnt.config.
The campaign not only compromised a government ministry, an air traffic control organization, a telecoms operator, and a construction company in one Southeast Asian country but also staged intrusions into a news agency in another country and an air freight organization in a neighboring nation.
These attacks highlight the group’s broad strategic interests, targeting sectors vital for national security and economic stability.
For organizations looking to safeguard against such intrusions, regular updates to security protocols are essential.
Symantec has released a Protection Bulletin detailing the latest protection measures against this threat actor.
Additionally, monitoring for and blocking the Indicators of Compromise (IOCs) can help in identifying and thwarting potential attacks.
This sophisticated campaign underscores the evolving cyber espionage capabilities of state-linked actors and the persistent threat they pose to organizations worldwide, prompting a need for heightened vigilance and robust cybersecurity measures.
Indicators of Compromise (IOCs)
| SHA256 | Tool |
|---|---|
| 4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e | Sagerunex Backdoor |
| 2e1c25bf7e2ce2d554fca51291eaeb90c1b7c374410e7656a48af1c0afa34db4 | ChromeKatz |
| 6efb16aa4fd785f80914e110a4e78d3d430b18cbdd6ebd5e81f904dd58baae61 | ChromeKatz |
| ea87d504aff24f7daf026008fa1043cb38077eccec9c15bbe24919fc413ec7c7 | ChromeKatz |
| e3869a6b82e4cf54cc25c46f2324c4bd2411222fd19054d114e7ebd32ca32cd1 | CredentialKatz |
| 29d31cfc4746493730cda891cf88c84f4d2e5c630f61b861acc31f4904c5b16d | CredentialKatz |
| 461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced | Reverse SSH Tool |
| b337a3b55e9f6d72e22fe55aba4105805bb0cf121087a3f6c79850705593d904 | Date Changer |
| 54f0eaf2c0a3f79c5f95ef5d0c4c9ff30a727ccd08575e97cce278577d106f6b | Loader |
| b75a161caab0a90ef5ce57b889534b5809af3ce2f566af79da9184eaa41135bd | Loader |
| becbfc26aef38e669907a5e454655dc9699085ca9a4e5f6ccd3fe12cde5e0594 | Suspected Loader |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
