The Chinese Advanced Persistent Threat (APT) group known as Lotus Blossom, also referred to as Billbug, Thrip, or Spring Dragon, has intensified its cyber-espionage operations by employing advanced techniques, including the use of Windows Management Instrumentation (WMI) for lateral movement within targeted networks.
This group, active for over a decade, has recently deployed new variants of its Sagerunex backdoor malware to infiltrate government and critical infrastructure sectors across the Asia-Pacific (APAC) region.
Lotus Blossom’s recent campaigns demonstrate a shift in tactics, techniques, and procedures (TTPs), leveraging legitimate tools and services to evade detection.
After gaining initial access through methods such as spear-phishing, watering hole attacks, or exploiting vulnerabilities in public-facing applications, the group establishes persistence by embedding the Sagerunex backdoor into the Windows Registry.
This backdoor is configured to mimic legitimate system services, allowing it to evade traditional security measures.
The attackers use WMI, a native Windows feature, to move laterally across compromised networks.
This enables them to execute commands remotely without deploying additional malware, reducing their footprint and making detection more challenging.
Reconnaissance commands such as tasklist, ipconfig, and netstat are employed to gather system details and assess internet connectivity.
If direct connectivity is unavailable, they deploy a customized proxy tool called Venom to relay traffic through infected hosts.
The Sagerunex backdoor variants further enhance stealth by utilizing legitimate platforms like Dropbox, Twitter (X), and Zimbra for command-and-control (C2) communications.
For example, stolen data is encrypted and uploaded to Dropbox as .rar files, while Twitter-based variants extract commands embedded in status updates.
Zimbra-based versions exfiltrate data through draft emails or inbox content.
These tactics allow malicious activity to blend seamlessly with normal network traffic, complicating detection efforts.
To avoid detection, the attackers employ obfuscation techniques such as VMProtect to conceal the malware’s behavior.
Additionally, they use an open-source Chrome cookie stealer to extract sensitive credentials stored in web browsers.
According to the report, these credentials enable further lateral movement and unauthorized access to critical systems.
The Lotus Blossom group’s ability to adapt its methods underscores the need for robust cybersecurity measures.
Organizations are advised to deploy advanced Endpoint Detection and Response (EDR) solutions capable of identifying suspicious behaviors such as unauthorized registry modifications or encrypted communications with third-party platforms.
Network segmentation and a Zero Trust security model can also limit lateral movement in the event of a breach.
By simulating sophisticated attack scenarios using Breach and Attack Simulation (BAS) platforms, security teams can identify vulnerabilities and strengthen defenses against evolving threats like those posed by Lotus Blossom.
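As an added illustration of the behavioural detection the advice above calls for (this is example code written for this article, not from the report or any vendor product), the following pass scores constructed endpoint telemetry for two of the techniques described: reconnaissance commands launched through the WMI provider host, and writes to autostart registry keys by untrusted binaries. The event layout, the key list and the allow-listed writers are assumptions to be tuned to a real environment's baseline.

```python
"""Toy detection pass over constructed endpoint telemetry: reconnaissance
launched via WMI and persistence written to autostart registry keys.
Records mimic Sysmon process-creation (ID 1) and registry-value-set (ID 13)
events; every record here is constructed for the example, not from an incident."""
import ntpath
from typing import Optional

RECON_TOOLS = {"tasklist", "ipconfig", "netstat"}
WMI_HOST = "wmiprvse.exe"          # provider host that spawns remotely requested processes
NORMAL_SHELLS = {"cmd.exe", "powershell.exe", "explorer.exe"}
# Autostart locations and allow-listed writers: assumptions, tune to your baseline
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\services\\")
TRUSTED_WRITERS = {"msiexec.exe", "services.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    if event["type"] == "process":
        parent, image = _base(event["parent_image"]), _base(event["image"])
        recon = any(t in f"{image} {event.get('cmdline', '').lower()}" for t in RECON_TOOLS)
        if parent == WMI_HOST and (recon or image in {"cmd.exe", "powershell.exe"}):
            return "wmi_remote_execution"      # WMI-driven lateral movement running recon
        if recon and parent not in NORMAL_SHELLS:
            return "recon_from_unusual_parent"
    elif event["type"] == "registry":
        if any(k in event["target"].lower() for k in AUTOSTART_KEYS) \
                and _base(event["image"]) not in TRUSTED_WRITERS:
            return "autostart_registry_write"  # Sagerunex-style registry persistence
    return None


def detect(events: list) -> list:
    """Run classify() over a batch and return (host, label) pairs worth triage."""
    return [(e["host"], label) for e in events if (label := classify(e))]


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"type": "process", "host": "ws01", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c tasklist & ipconfig /all & netstat -an"},
    {"type": "registry", "host": "ws01", "image": r"C:\Users\Public\update.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinSvc"},
    {"type": "process", "host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig"},
    {"type": "registry", "host": "ws02", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath"},
]
```

Running detect(SAMPLE_EVENTS) flags only the two ws01 records; the console ipconfig and the installer's service key write on ws02 stay silent, which is the baseline behaviour an EDR rule of this shape needs to preserve.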