Full Report
Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
Analysis Summary
# Threat Actor: Lotus Blossom
## Attribution & Identity
Attributed by Cisco Talos with high confidence to the threat actor known as Lotus Blossom.
Known Aliases: Spring Dragon, Billbug, Thrip.
## Activity Summary
Lotus Blossom has been actively conducting cyber espionage operations since at least 2012. Recent campaigns involve targeting multiple industries to deliver the Sagerunex backdoor for post-compromise activities. The actor leverages multi-campaign, multi-variant backdoor operations and has developed new variants of Sagerunex to use legitimate, third-party cloud services for C2 communications, moving away from traditional VPS infrastructure.
## Tactics, Techniques & Procedures
- Malware persistence achieved by installing the Sagerunex backdoor within the system registry and configuring it to run as a service.
- Using the Sagerunex RAT, which is an evolution of the older Billbug tool known as Evora.
- Sagerunex is designed as a dynamic link library (DLL) injected into an infected endpoint and executed directly in memory.
- Leveraging third-party cloud services (Dropbox, Twitter, Zimbra open-source webmail) as C2 tunnels to evade detection.
- Employing various network connection strategies to maintain C2 control.
- Harvesting Chrome browser credentials using a PyInstaller bundle of a Chrome cookie stealer (an open-source tool from GitHub).
- Customizing and utilizing the Venom proxy tool (written in Go) with hardcoded destination IP addresses.
- Using an "Adjust privilege tool" to retrieve another process's token and adjust the privileges of the launched process.
- Employing a customized "Archiving tool" that compresses and encrypts stolen files or entire folders (e.g., the Chrome and Firefox browser cookie folders) for exfiltration.
- **MITRE ATT&CK IDs (Inferred from tools/TTPs, specific IDs not provided in text):** Implied use of techniques related to Persistence (T1547/T1543), Command and Control (T1105), Credential Access (T1003/T1555), and Exfiltration (T1041).
## Targeting
- **Sectors:** Government, Manufacturing, Telecommunications, and Media.
- **Geography:** The Philippines, Vietnam, Hong Kong, and Taiwan.
- **Victims:** Organizations within the telecommunications, media, government, and manufacturing sectors.
## Tools & Infrastructure
- **Malware families used:** Sagerunex (backdoor family used exclusively by Lotus Blossom; evolution of an older Billbug tool called Evora).
- **Infrastructure (C2, domains, IPs):**
- Previously used Virtual Private Servers (VPS) for C2.
- Currently utilizing legitimate, third-party cloud services for C2 tunnels: Dropbox, Twitter, and Zimbra open-source webmail.
- Customized Venom proxy tool utilized with hardcoded destination IP addresses.
- **Detections:**
- Snort SIDs: 64511, 64510, 64509.
- ClamAV Detections: Win.Backdoor.Sagerunex-10041845-0, Win.Tool.Mtrain-10041846-0, Win.Tool.Ntfsdump-10041854-0, Win.Backdoor.Sagerunex-10041857-0.
## Implications
Lotus Blossom is a highly persistent and evolving espionage group that has demonstrated success in maintaining long-term access. The actor's shift towards leveraging trusted cloud infrastructure for command and control significantly increases the difficulty of network monitoring and detection by blending malicious communications with legitimate traffic patterns.
## Mitigations
- Implement multi-factor authentication (MFA) for users (e.g., using Cisco Duo).
- Utilize Web Security technologies capable of inspecting traffic to known cloud providers to identify anomalous usage patterns.
- Maintain updated security tools (Snort Rule Sets, ClamAV signatures).
- Monitor for registry modifications indicative of service creation, the persistence path used by Sagerunex.
- Endpoint security solutions should focus on detecting DLL injection and in-memory execution of unknown processes/code.
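One defender-side check for the persistence TTP summarized above (Sagerunex installed in the registry, run as a service, with the DLL executed in memory): flag Sysmon Event ID 13 registry writes that point a service at a DLL outside the system directories or that launch a DLL through rundll32/regsvr32. This is an added example, not Talos code or a Sagerunex indicator; the Sysmon field names (TargetObject, Details), the trusted-directory allow-list and the sample records are constructed assumptions.

```python
"""Flag DLL-hosted service persistence in Sysmon Event ID 13 (registry value set)
records. Added example; field names, trusted dirs and samples are assumptions."""
from __future__ import annotations
import re

SERVICES_KEY = re.compile(  # Sysmon logs the HKLM\System\CurrentControlSet form
    r"^HKLM\\System\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\"
    r"(?P<svc>[^\\]+)\\(?P<value>ImagePath|Parameters\\ServiceDll)$", re.IGNORECASE)
DLL_RE = re.compile(r'"([a-z]:\\[^"]+?\.dll)"|([a-z]:\\[^\s"]+?\.dll)')
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumed allow-list
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}

def normalize(value: str) -> str:
    """Lower-case, drop surrounding quotes and expand the variables service paths use."""
    v = value.strip().strip('"').lower()
    for var, real in ENV.items():
        v = v.replace(var, real)
    return v

def suspicious_service_write(record: dict) -> str | None:
    """Reason string if the write points a service at a DLL outside trusted dirs or
    launches one through rundll32/regsvr32; None for benign or unrelated writes."""
    m = SERVICES_KEY.match(record.get("TargetObject", ""))
    if not m:
        return None
    svc, value = m.group("svc"), m.group("value").lower()
    details = normalize(record.get("Details", ""))
    if value == "imagepath":
        for loader in ("rundll32.exe", "regsvr32.exe"):
            if loader in details:
                return f"{svc}: ImagePath runs a DLL through {loader}"
        dlls = [a or b for a, b in DLL_RE.findall(details)]
    else:  # Parameters\ServiceDll holds the bare path svchost.exe will load
        dlls = [details] if details else []
    for dll in dlls:
        if not dll.startswith(TRUSTED_DIRS):
            return f"{svc}: {value} loads a DLL outside trusted dirs: {dll}"
    return None

# Constructed sample records (not real telemetry); UpdSvc and Helper are invented names.
SVC = "HKLM\\System\\CurrentControlSet\\Services\\"
SAMPLE = [
    {"TargetObject": SVC + "wuauserv\\Parameters\\ServiceDll", "Details": "%SystemRoot%\\System32\\wuaueng.dll"},
    {"TargetObject": SVC + "wuauserv\\ImagePath", "Details": "%SystemRoot%\\System32\\svchost.exe -k netsvcs -p"},
    {"TargetObject": SVC + "UpdSvc\\Parameters\\ServiceDll", "Details": "C:\\ProgramData\\UpdSvc\\upd.dll"},
    {"TargetObject": SVC + "Helper\\ImagePath",
     "Details": 'C:\\Windows\\System32\\rundll32.exe "C:\\Users\\Public\\Libraries\\helper.dll",Start'},
]
if __name__ == "__main__":
    print("\n".join(r for r in map(suspicious_service_write, SAMPLE) if r))
```

The two benign wuauserv writes stay silent, while the ServiceDll under ProgramData and the rundll32-hosted ImagePath are each reported with the service name and reason.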