The Lotus Blossom hacker group, also known as Spring Dragon, Billbug, and Thrip, has been identified by Cisco Talos as a persistent cyber espionage threat. Active since at least 2012, the group has been targeting government, manufacturing, telecommunications, and media sectors in regions such as the Philippines, Vietnam, Hong Kong, and Taiwan. Cisco Talos researchers attribute a series of sophisticated attacks to Lotus Blossom with high confidence, based on the group's use of a custom backdoor family called Sagerunex, which has evolved into multiple variants in order to avoid detection.
The group's tactics demonstrate an advanced capability for conducting long-term espionage campaigns across various industries. One of the notable techniques employed by Lotus Blossom is the abuse of widely used cloud services for command-and-control (C2) communications. While earlier versions of the Sagerunex backdoor relied on Virtual Private Servers (VPS) for C2 operations, recent campaigns have shifted towards legitimate services such as Dropbox, Twitter, and Zimbra. By using these cloud platforms as C2 tunnels, the group lets malware on compromised systems communicate with its infrastructure while blending malicious traffic with legitimate service usage, effectively evading traditional security mechanisms.
The Sagerunex backdoor plays a crucial role in Lotus Blossom’s operations: it is injected directly into the memory of compromised systems and runs as a service through system registry modifications to ensure persistence. The malware’s versatility is demonstrated by its ability to conduct reconnaissance using commands such as “netstat,” “ipconfig,” and “tasklist,” gathering detailed information about the compromised environment. Additionally, the group uses tools such as Chrome cookie stealers, Venom proxy tools, and archiving tools to aid data exfiltration and maintain persistent access to targeted networks, allowing it to operate covertly for extended periods during its espionage campaigns.
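As an added example, not Cisco Talos's detection logic or anything taken from Sagerunex itself, the following Python flags the reconnaissance pattern described above: the same parent process on a host running netstat, ipconfig and tasklist within a short window. The host names, parent images and timestamps are constructed sample events in a Sysmon-like shape.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry):
# (timestamp, host, parent image, child command line)
EVENTS = [
    ("2025-01-10T09:00:01", "WS-17", r"C:\Windows\System32\svchost.exe", "netstat -ano"),
    ("2025-01-10T09:00:03", "WS-17", r"C:\Windows\System32\svchost.exe", "ipconfig /all"),
    ("2025-01-10T09:00:05", "WS-17", r"C:\Windows\System32\svchost.exe", "tasklist /v"),
    ("2025-01-10T09:30:00", "WS-22", r"C:\Windows\explorer.exe", "cmd.exe /c ipconfig"),
    ("2025-01-10T14:00:00", "WS-22", r"C:\Windows\explorer.exe", "tasklist"),
]

# The three recon commands named in the report; all three within WINDOW is the signal.
RECON = ("netstat", "ipconfig", "tasklist")
WINDOW = timedelta(minutes=5)


def detect_recon_bursts(events, window=WINDOW):
    """Return (host, parent) pairs whose children ran every RECON tool within `window`."""
    seen = defaultdict(list)  # (host, parent) -> [(time, tool), ...]
    for ts, host, parent, cmdline in events:
        tool = next((t for t in RECON if re.search(rf"\b{t}\b", cmdline, re.I)), None)
        if tool:
            seen[(host, parent)].append((datetime.fromisoformat(ts), tool))

    hits = []
    for key, obs in seen.items():
        obs.sort()
        # Slide a window starting at each observation; a hit needs all three tools inside it.
        for i, (t0, _) in enumerate(obs):
            tools = {tool for t, tool in obs[i:] if t - t0 <= window}
            if set(RECON) <= tools:
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    for host, parent in detect_recon_bursts(EVENTS):
        print(f"recon burst on {host} from parent {parent}")
```

A single ipconfig or tasklist from explorer.exe is ordinary administrator activity, so the rule deliberately requires the full trio from one parent; tune the window and add a parent-image allowlist for your environment.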
Based on consistent tactics, techniques, and procedures (TTPs), as well as common victim profiles, Cisco Talos has linked multiple campaigns to Lotus Blossom. Despite the evolution of Sagerunex into distinct variants, core functionalities like time-check logic for execution delays have remained consistent. The group’s adaptability and use of legitimate cloud services for malicious purposes pose a significant challenge for organizations seeking to detect and counter these advanced persistent threats. The ongoing success of Lotus Blossom underscores the importance of enhanced monitoring of cloud-based traffic and robust endpoint protection solutions to defend against evolving cyber threats.
In conclusion, the activities of the Lotus Blossom hacker group as identified by Cisco Talos highlight the persistent threat posed by cyber espionage in the modern digital landscape. Organizations must remain vigilant and proactive in enhancing their cybersecurity measures to counter such sophisticated adversaries and protect their sensitive data and networks.

