Chinese Hackers Leverage Reverse SSH Tool in New Wave of Attacks on Organizations

The Chinese hacker group known as Billbug, or Lotus Blossom, targeted high-profile organizations across Southeast Asia.

The attackers, who were previously documented by Symantec and later Cisco Talos, employed a variety of new custom tools, alongside novel techniques like DLL sideloading, to infiltrate and persist within their victims’ networks.

New Weapons in the Arsenal

Billbug’s arsenal included a range of malware specifically designed to evade detection and exfiltrate sensitive data.

Among these was a new variant of the Sagerunex backdoor (SHA256: 4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e), which was used to establish persistence by manipulating registry settings to run as a service.

This backdoor is known for its flexibility, allowing attackers to execute commands and steal data as intended.

A significant addition to their toolkit was a reverse SSH tool (SHA256: 461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced) capable of opening an SSH connection on port 22, thereby providing remote access from internal networks to the internet.

This tool was particularly useful for maintaining control over the compromised systems discreetly.

Advanced Credential Stealing

The hackers also deployed ChromeKatz and CredentialKatz to harvest credentials from the Chrome browser.

These tools, with multiple variants, were designed to extract both credentials and cookies, facilitating further network infiltration.

To bypass security measures, Billbug utilized DLL sideloading, a technique where they used legitimate software to load malicious DLLs.

An example includes the manipulation of a Trend Micro binary named tmdbglog.exe to sideload a malicious DLL called tmdglog.dll, which then executed encrypted contents from C:\Windows\temp\TmDebug.log.

Similarly, a Bitdefender binary named bds.exe was exploited to load a malicious DLL named log.dll, which attempted to run code hidden within winnt.config.

The campaign not only compromised a government ministry, an air traffic control organization, a telecoms operator, and a construction company in one Southeast Asian country but also staged intrusions into a news agency in another country and an air freight organization in a neighboring nation.

These attacks highlight the group’s broad strategic interests, targeting sectors vital for national security and economic stability.

For organizations looking to safeguard against such intrusions, regular updates to security protocols are essential.

Symantec has released a Protection Bulletin detailing the latest protection measures against this threat actor.

Additionally, monitoring for and blocking the Indicators of Compromise (IOCs) can help in identifying and thwarting potential attacks.

This sophisticated campaign underscores the evolving cyber espionage capabilities of state-linked actors and the persistent threat they pose to organizations worldwide, prompting a need for heightened vigilance and robust cybersecurity measures.

Indicators of Compromise (IOCs)

SHA256	Tool
4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e	Sagerunex Backdoor
2e1c25bf7e2ce2d554fca51291eaeb90c1b7c374410e7656a48af1c0afa34db4	ChromeKatz
6efb16aa4fd785f80914e110a4e78d3d430b18cbdd6ebd5e81f904dd58baae61	ChromeKatz
ea87d504aff24f7daf026008fa1043cb38077eccec9c15bbe24919fc413ec7c7	ChromeKatz
e3869a6b82e4cf54cc25c46f2324c4bd2411222fd19054d114e7ebd32ca32cd1	CredentialKatz
29d31cfc4746493730cda891cf88c84f4d2e5c630f61b861acc31f4904c5b16d	CredentialKatz
461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced	Reverse SSH Tool
b337a3b55e9f6d72e22fe55aba4105805bb0cf121087a3f6c79850705593d904	Date Changer
54f0eaf2c0a3f79c5f95ef5d0c4c9ff30a727ccd08575e97cce278577d106f6b	Loader
b75a161caab0a90ef5ce57b889534b5809af3ce2f566af79da9184eaa41135bd	Loader
becbfc26aef38e669907a5e454655dc9699085ca9a4e5f6ccd3fe12cde5e0594	Suspected Loader

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!