Friday, March 14, 2025

Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications


The Lotus Blossom hacker group, also known as Spring Dragon, Billbug, or Thrip, has been observed leveraging legitimate cloud services such as Dropbox, Twitter, and Zimbra for command-and-control (C2) communications in its cyber espionage campaigns.

Cisco Talos researchers attribute these sophisticated operations to the group with high confidence, citing the use of a custom backdoor family known as Sagerunex.

Active since at least 2012, Lotus Blossom continues to target sectors such as government, manufacturing, telecommunications, and media across regions including the Philippines, Vietnam, Hong Kong, and Taiwan.

[Figure: Lotus Blossom attack chain]

Multi-Variant Malware and Evasion Techniques

The Sagerunex backdoor has evolved into multiple variants designed to evade detection and maintain persistence in compromised environments.

Earlier versions relied on conventional Virtual Private Servers (VPS) for C2 operations. Recent campaigns, however, show a shift toward third-party cloud services.

By using Dropbox APIs, Twitter tokens, and Zimbra webmail APIs as C2 tunnels, the group effectively blends malicious traffic with legitimate service usage, complicating detection efforts.

For example:

  • Dropbox and Twitter variants: These variants use the services' APIs to establish C2 channels. After initial checks, they retrieve tokens to communicate with the C2 infrastructure. Collected data is encrypted and uploaded to Dropbox or transmitted via Twitter status updates.
  • Zimbra variant: This version leverages Zimbra's webmail service for both data exfiltration and command execution. Host information is encrypted into files attached to draft emails in compromised accounts.

These methods highlight the group's adaptability in exploiting widely used platforms to bypass conventional security mechanisms.
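The detection problem the article describes is that the C2 traffic goes to hosts that are legitimately busy anyway. One practical way to surface it is to ask which process on the endpoint is talking to those APIs, since a backdoor injected into a service host is not a browser or a Dropbox client. The following is an added example written for this page, not Cisco Talos code and not anything Sagerunex does itself; the log format, the browser allowlist and the Zimbra host list are assumptions, and the Dropbox/Twitter hostnames and the Zimbra `/service/soap` path are the public API endpoints of those services.

```python
"""Flag cloud-API C2 candidates in endpoint egress telemetry (added example).

Assumptions (not from the article): each log line is constructed as
'<timestamp> <host> <process> <dest_host> <http_method> <url_path>',
the kind of record an EDR or an authenticating proxy can emit.  The
backdoor's real request shapes are not described on the page; this code
only applies the article's observation that C2 rides on Dropbox, Twitter
and Zimbra APIs and asks whether the originating process is one that
should be using them.
"""
from collections import defaultdict
from dataclasses import dataclass

# Public API hosts of the services the article names as C2 tunnels.
CLOUD_API_HOSTS = {
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "api.twitter.com": "twitter",
}
# Zimbra's SOAP and upload endpoints (URL paths, matched on your own mail hosts).
ZIMBRA_API_PATHS = ("/service/soap", "/service/upload", "/service/home/")
# Processes that are expected to reach these services; tune per environment.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                    "dropbox.exe", "outlook.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    service: str
    hits: int


def parse_line(line):
    """Split one constructed log line into fields; None if malformed."""
    parts = line.split(maxsplit=5)
    if len(parts) != 6:
        return None
    ts, host, proc, dest, method, path = parts
    return {"ts": ts, "host": host, "process": proc.lower(),
            "dest": dest.lower(), "method": method, "path": path}


def classify(event, zimbra_hosts):
    """Name the cloud service an event targets, or None if it is not one."""
    dest = event["dest"]
    if dest in CLOUD_API_HOSTS:
        return CLOUD_API_HOSTS[dest]
    if dest in zimbra_hosts and event["path"].startswith(ZIMBRA_API_PATHS):
        return "zimbra"
    return None


def find_suspicious(lines, zimbra_hosts=frozenset()):
    """Return one Finding per (host, process, service) where a process
    outside EXPECTED_CLIENTS contacted a C2-capable cloud API."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        service = classify(ev, zimbra_hosts)
        if service and ev["process"] not in EXPECTED_CLIENTS:
            counts[(ev["host"], ev["process"], service)] += 1
    return [Finding(h, p, s, n) for (h, p, s), n in sorted(counts.items())]


# Constructed sample telemetry: one benign browser call, a service host
# pushing to Dropbox and to the organisation's Zimbra SOAP endpoint, a
# legitimate Outlook call, an unexpected rundll32 tweet, and a bad line.
SAMPLE_LOG = [
    "2025-03-14T09:00:01Z WS01 chrome.exe api.twitter.com GET /2/users/me",
    "2025-03-14T09:00:05Z WS01 svchost.exe api.dropboxapi.com POST /2/files/get_metadata",
    "2025-03-14T09:00:09Z WS01 svchost.exe content.dropboxapi.com POST /2/files/upload",
    "2025-03-14T09:01:12Z WS01 svchost.exe mail.example.invalid POST /service/soap",
    "2025-03-14T09:01:30Z WS01 outlook.exe mail.example.invalid POST /service/soap",
    "2025-03-14T09:02:00Z WS02 rundll32.exe api.twitter.com POST /2/tweets",
    "malformed line",
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG, zimbra_hosts={"mail.example.invalid"}):
        print(f)
```

The allowlist approach is deliberately coarse: it will not catch a backdoor that injects into a browser process, and it will flag legitimate automation that uses these APIs, so the output is a triage queue rather than a verdict. Pair it with volume and timing baselines (a service host that uploads to Dropbox at a fixed interval is a stronger signal than a single hit) and with the draft-folder attachment check on the Zimbra side.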

Persistence and Reconnaissance

Lotus Blossom employs advanced techniques to maintain long-term access within targeted networks.

The Sagerunex backdoor is injected directly into memory and configured to run as a service through system registry modifications.

[Figure: Lotus Blossom adjust-privilege tool]

Commands such as "netstat," "ipconfig," and "tasklist" are executed for reconnaissance, gathering detailed information about user accounts, processes, and network configurations.

Additionally, the group uses tools such as:

  • Chrome cookie stealers: to harvest browser credentials.
  • Venom proxy tools: customized for relaying connections.
  • Archiving tools: for compressing and encrypting stolen files.
  • Port relay tools: to facilitate external communication from isolated systems.

These tactics enable the group to operate undetected for extended periods while conducting espionage activities.
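The reconnaissance commands named above are individually unremarkable on a Windows host, but the article's point is that the backdoor runs them in sequence from an injected, service-hosted process. A detection that keys on the parent process and the time window between launches captures that pattern without alerting on every administrator who runs `ipconfig`. This is an added example written for this page, not Cisco Talos code; the event shape mirrors what a Sysmon process-creation record or an EDR feed carries, and the burst threshold and window are tuning assumptions.

```python
"""Detect reconnaissance command bursts in process-creation telemetry
(added example).

Assumptions (not from the article): events are constructed dicts with the
fields a Sysmon Event ID 1 / EDR process-start record would carry
(timestamp, host, parent image, parent pid, child image, command line).
The three commands come from the article; requiring all three within a
short window from one parent is the detection choice made here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RECON_IMAGES = {"netstat.exe", "ipconfig.exe", "tasklist.exe"}


def _basename(path):
    """Image name without directory, lower-cased, for Windows-style paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parse_ts(ts):
    # Constructed timestamps are ISO-8601 with a trailing Z.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_recon_bursts(events, window_seconds=120, min_distinct=3):
    """Return (host, parent_image, parent_pid, [commands]) for each parent
    process that launched at least `min_distinct` distinct recon commands
    inside any `window_seconds`-long window."""
    by_parent = defaultdict(list)
    for ev in events:
        image = _basename(ev["image"])
        if image not in RECON_IMAGES:
            continue
        key = (ev["host"], _basename(ev["parent_image"]), ev["parent_pid"])
        by_parent[key].append((_parse_ts(ev["ts"]), image))

    window = timedelta(seconds=window_seconds)
    findings = []
    for key, runs in by_parent.items():
        runs.sort()
        # Slide a window starting at each launch; report the first one
        # that contains enough distinct recon commands.
        for i, (start, _) in enumerate(runs):
            seen = {img for ts, img in runs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                findings.append((*key, sorted(seen)))
                break
    return findings


def _ev(ts, host, parent, ppid, image, cmdline):
    return {"ts": ts, "host": host, "parent_image": parent,
            "parent_pid": ppid, "image": image, "cmdline": cmdline}


# Constructed sample: a service host runs all three commands in 30 seconds
# (the pattern described above), an admin runs one command from cmd.exe,
# and another parent runs two commands ten minutes apart.
SAMPLE_EVENTS = [
    _ev("2025-03-14T09:00:05Z", "WS01", r"C:\Windows\System32\svchost.exe", 1234,
        r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    _ev("2025-03-14T09:00:12Z", "WS01", r"C:\Windows\System32\svchost.exe", 1234,
        r"C:\Windows\System32\netstat.exe", "netstat -ano"),
    _ev("2025-03-14T09:00:35Z", "WS01", r"C:\Windows\System32\svchost.exe", 1234,
        r"C:\Windows\System32\tasklist.exe", "tasklist /v"),
    _ev("2025-03-14T09:05:00Z", "WS01", r"C:\Windows\System32\cmd.exe", 4410,
        r"C:\Windows\System32\ipconfig.exe", "ipconfig"),
    _ev("2025-03-14T10:00:00Z", "WS02", r"C:\Windows\explorer.exe", 800,
        r"C:\Windows\System32\netstat.exe", "netstat"),
    _ev("2025-03-14T10:10:00Z", "WS02", r"C:\Windows\explorer.exe", 800,
        r"C:\Windows\System32\tasklist.exe", "tasklist"),
]

if __name__ == "__main__":
    for finding in detect_recon_bursts(SAMPLE_EVENTS):
        print(finding)
```

The parent image is the useful pivot for triage: a burst whose parent is a service host, `rundll32.exe` or another process that has no business spawning shells lines up with the in-memory injection and service persistence the article describes, and that parent's network connections and the registry service entries created around the same time are the next things to pull.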

Cisco Talos' analysis links these campaigns to Lotus Blossom based on consistent tactics, techniques, and procedures (TTPs), as well as victim profiles.

The Sagerunex backdoor family remains central to their operations. Despite developing distinct variants over time, core functionality such as time-check logic for execution delays remains consistent across all versions.

The use of legitimate cloud services for malicious purposes underscores the challenge organizations face in distinguishing benign from harmful activity.

This development calls for enhanced monitoring of cloud-bound traffic and robust endpoint security solutions to mitigate the risks posed by advanced persistent threats like Lotus Blossom.
