The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with updated versions of a known backdoor called Sagerunex.
"Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite," Cisco Talos researcher Joey Chen said in an analysis published last week.
Lotus Panda, also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip, is a suspected Chinese hacking crew that has been active since at least 2009. The threat actor was first exposed by Symantec in June 2018.
In late 2022, Broadcom-owned Symantec detailed the threat actor's attack on a digital certificate authority as well as government and defense agencies located in different countries in Asia that involved the use of backdoors like Hannotog and Sagerunex.
The exact initial access vector used to breach the entities in the latest set of intrusions is not known, although the group has a history of conducting spear-phishing and watering hole attacks. The unspecified attack pathway serves as a conduit for the Sagerunex implant, which is assessed to be an evolution of an older Billbug malware known as Evora.
The activity is noteworthy for the use of two new "beta" variants of the malware, which leverage legitimate services like Dropbox, X, and Zimbra as command-and-control (C2) tunnels to evade detection. They are so called because of the presence of debug strings in the source code.
The backdoor is designed to gather target host information, encrypt it, and exfiltrate the details to a remote server under the attacker's control. The Dropbox and X versions of Sagerunex are believed to have been put to use between 2018 and 2022, whereas the Zimbra version is said to have been around since 2019.
"The Zimbra webmail version of Sagerunex is not only designed to collect victim information and send it to the Zimbra mailbox but also to allow the actor to use Zimbra mail content to give orders and control the victim machine," Chen said.
"If there is a legitimate command order content in the mailbox, the backdoor will download the content and extract the command, otherwise the backdoor will delete the content and wait for a legitimate command."
The results of the command execution are subsequently packaged in the form of a RAR archive and attached to a draft email in the mailbox's draft and trash folders.
Also deployed in the attacks are other tools such as a cookie stealer to harvest Chrome browser credentials, an open-source proxy utility named Venom, a program to adjust privileges, and bespoke software to compress and encrypt captured data.
Furthermore, the threat actor has been observed running commands like net, tasklist, ipconfig, and netstat to perform reconnaissance of the target environment, in addition to carrying out checks to identify internet access.
"If internet access is restricted, then the actor has two strategies: using the target's proxy settings to establish a connection or using the Venom proxy tool to link the isolated machines to internet-accessible systems," Talos noted.
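The reconnaissance commands named above (net, tasklist, ipconfig, netstat) are ordinary administrative tools, so a useful detection looks for several of them run on one host within a short window rather than for any single command. The following is an added defender-side example, not code from Talos or the article: it parses constructed process-creation events in an assumed `timestamp|host|image|cmdline` format and flags hosts that executed at least three distinct discovery commands within five minutes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the article):
# timestamp|host|image|command line
SAMPLE_EVENTS = """\
2025-03-03T09:12:01Z|WS-FIN-07|cmd.exe|net user
2025-03-03T09:12:09Z|WS-FIN-07|cmd.exe|tasklist /v
2025-03-03T09:12:20Z|WS-FIN-07|cmd.exe|ipconfig /all
2025-03-03T09:12:31Z|WS-FIN-07|cmd.exe|netstat -ano
2025-03-03T10:40:00Z|WS-HR-02|cmd.exe|ipconfig /all
2025-03-03T14:05:00Z|WS-HR-02|cmd.exe|netstat -an
"""

# The four discovery commands the write-up lists, matched on the first token
# of the command line (with any trailing ".exe" stripped).
RECON_COMMANDS = {"net", "tasklist", "ipconfig", "netstat"}


def parse_events(text):
    """Parse 'ts|host|image|cmdline' lines into (datetime, host, first_token)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _image, cmdline = line.split("|", 3)
        first = re.sub(r"\.exe$", "", cmdline.strip().split()[0].lower())
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, first))
    return events


def find_recon_bursts(text, window=timedelta(minutes=5), min_distinct=3):
    """Return {host: sorted recon commands} for each host that ran at least
    `min_distinct` different recon commands within `window` of each other.
    Isolated runs hours apart (WS-HR-02 in the sample) are not reported."""
    per_host = defaultdict(list)
    for ts, host, cmd in parse_events(text):
        if cmd in RECON_COMMANDS:
            per_host[host].append((ts, cmd))
    hits = {}
    for host, runs in per_host.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            # Distinct commands seen from this run until the window closes.
            seen = {c for t, c in runs[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                hits[host] = sorted(seen)
                break
    return hits
```

Tune `window` and `min_distinct` to the baseline of the environment; help-desk scripts that legitimately chain these commands should be allow-listed by parent process or user rather than by loosening the threshold.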