The Chinese hacker group, known as Billbug or Lotus Blossom, has been making headlines after targeting high-profile organizations across Southeast Asia. Their latest attack involved the use of new custom tools and advanced techniques such as DLL sideloading to infiltrate and persist within their victims’ networks.
One of the key highlights of this campaign was the introduction of a new variant of the Sagerunex backdoor, which establishes persistence by manipulating registry settings so that it runs as a service. This backdoor is known for its flexibility, allowing the attackers to execute commands and exfiltrate data.
Another key addition to Billbug’s toolkit was a reverse SSH tool that opens an SSH connection on port 22, giving the attackers remote access from the internal network out to the internet. This tool proved particularly useful for maintaining discreet control over compromised systems.
In terms of credential stealing, the hackers deployed ChromeKatz and CredentialKatz to harvest credentials from the Chrome browser. These tools were specifically designed to extract both credentials and cookies, facilitating further infiltration into the network. To evade security controls, Billbug used DLL sideloading, abusing legitimate software to load malicious DLLs.
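The two host-level techniques named above, service persistence written through the registry and DLL sideloading beside a legitimate executable, both leave telemetry that a defender can triage. The following is an added example (not code from the report or from Symantec) that runs two simple heuristics over constructed records in the shape of Sysmon "Image loaded" (Event ID 7) and "Registry value set" (Event ID 13) events: a DLL loaded from the loading executable's own directory, outside the usual trusted locations and unsigned, is flagged as a sideloading candidate; a service `ImagePath` value pointing at a user-writable directory is flagged as a persistence candidate. The directory lists, field subset and every sample path are assumptions chosen for the demonstration, not indicators from the campaign.

```python
"""Triage heuristics for two techniques described in the Billbug reporting:
DLL sideloading and service persistence via registry writes.

Added example; all sample records below are constructed, not from the report.
Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed) and
Event ID 13 (EventType, TargetObject, Details); other fields are omitted.
"""

import ntpath

# Assumed locations where a DLL load is expected; anything else is "non-standard".
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Assumed locations an unprivileged user can write to; a service binary here is suspicious.
USER_WRITABLE_DIRS = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"


def _norm(path):
    """Lower-case and use backslashes so prefix comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _under(path, prefixes):
    """True if the normalised path starts with any of the given directory prefixes."""
    p = _norm(path)
    return any(p.startswith(prefix) for prefix in prefixes)


def sideload_findings(image_load_events):
    """Return (loader_exe, dll) pairs that look like DLL sideloading.

    Heuristic: the DLL sits in the same directory as the executable that loaded
    it, that directory is outside TRUSTED_DIRS, and the DLL is not signed.
    Signed DLLs are deliberately not flagged: portable applications legitimately
    ship signed DLLs beside their executable.
    """
    findings = []
    for ev in image_load_events:
        exe, dll = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
        same_dir = ntpath.dirname(exe) == ntpath.dirname(dll)
        if not same_dir or _under(dll, TRUSTED_DIRS):
            continue
        if ev.get("Signed", "true").lower() == "false":
            findings.append((ev["Image"], ev["ImageLoaded"]))
    return findings


def _image_path_exe(details):
    """Extract the executable from a service ImagePath value, which may be
    quoted and may carry command-line arguments after the path."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def service_persistence_findings(registry_events):
    """Return (service_name, exe) pairs for SetValue events that point a
    service's ImagePath at a binary in a user-writable directory."""
    findings = []
    for ev in registry_events:
        if ev.get("EventType") != "SetValue":
            continue
        key = _norm(ev["TargetObject"])
        if not key.startswith(SERVICES_KEY) or not key.endswith("\\imagepath"):
            continue
        exe = _image_path_exe(ev["Details"])
        if _under(exe, USER_WRITABLE_DIRS):
            service_name = ev["TargetObject"].split("\\")[-2]
            findings.append((service_name, exe))
    return findings


# Constructed sample telemetry (hypothetical paths and names, not campaign indicators).
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater\legit.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\updater\helper.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false"},
]

SAMPLE_REGISTRY_EVENTS = [
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UpdSvc\ImagePath",
     "Details": r'"C:\ProgramData\UpdSvc\upd.exe" -service'},
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UpdSvc\Start",
     "Details": "DWORD (0x00000002)"},
]


if __name__ == "__main__":
    for exe, dll in sideload_findings(SAMPLE_IMAGE_LOADS):
        print(f"possible sideload: {exe} loaded {dll}")
    for name, exe in service_persistence_findings(SAMPLE_REGISTRY_EVENTS):
        print(f"service persistence: {name} -> {exe}")
```

Both heuristics trade precision for simplicity: a signed vendor executable under a user profile loading an unsigned helper DLL is the classic sideloading shape, but it also matches some installers, so the output is a triage queue rather than an alert, and the service check only inspects the `ImagePath` write and should be paired with the matching `Start` value and the creating process when reviewing.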
The group’s targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company in one Southeast Asian country. Additionally, they staged intrusions into a news agency in another country and an air freight organization in a neighboring nation, highlighting their broad strategic interests in sectors vital for national security and economic stability.
Organizations looking to safeguard against such intrusions are advised to keep their security controls up to date. Symantec has released a Protection Bulletin detailing the latest protection measures against this threat actor, and monitoring for and blocking the published Indicators of Compromise (IOCs) can help identify and thwart potential attacks.
The sophisticated nature of this campaign underscores the evolving cyber espionage capabilities of state-linked actors and the persistent threat they pose to organizations worldwide. It serves as a reminder of the need for heightened vigilance and robust cybersecurity measures in today’s digital landscape.