The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with updated versions of a known backdoor called Sagerunex.
“Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite,” Cisco Talos researcher Joey Chen said in an analysis published last week.
Lotus Panda, also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip, is a suspected Chinese hacking crew that’s active since at least 2009. The threat actor was first exposed by Symantec in June 2018.
In late 2022, Broadcom-owned Symantec detailed the threat actor’s attack on a digital certificate authority as well as government and defense agencies located in different countries in Asia that involved the use of backdoors like Hannotog and Sagerunex.
The exact initial access vector used to breach the entities in the latest set of intrusions is not known, although it has a history of conducting spear-phishing and watering hole attacks. The unspecified attack pathway serves as a conduit for the Sagerunex implant, which is assessed to be an evolution of an older Billbug malware known as Evora.
The activity is noteworthy for the use of two new “beta” variants of the malware, which leverage legitimate services like Dropbox, X, and Zimbra as command-and-control (C2) tunnels to evade detection. They have been so-called due to the presence of debug strings in the source code.
The backdoor is designed to gather target host information, encrypt it, and exfiltrate the details to a remote server under the attacker’s control. The Dropbox and X versions of Sagerunex are believed to have been put to use between 2018 and 2022, while the Zimbra version is said to have been around since 2019.
“The Zimbra webmail version of Sagerunex is not only designed to collect victim information and send it to the Zimbra mailbox but also to allow the actor to use Zimbra mail content to give orders and control the victim machine,” Chen said.
“If there is a legitimate command order content in the mailbox, the backdoor will download the content and extract the command, otherwise the backdoor will delete the content and wait for a legitimate command.”
The results of the command execution are subsequently packaged in the form of an RAR archive and attached to a draft email in the mailbox’s draft and trash folders.
Also deployed in the attacks are other tools such as a cookie stealer to harvest Chrome browser credentials, an open-source proxy utility named Venom, a program to adjust privileges, and bespoke software to compress and encrypt captured data.
Furthermore, the threat actor has been observed running commands like net, tasklist, ipconfig, and netstat to perform reconnaissance of the target environment, in addition to carrying out checks to ascertain internet access.
“If internet access is restricted, then the actor has two strategies: using the target’s proxy settings to establish a connection or using the Venom proxy tool to link the isolated machines to internet-accessible systems,” Talos noted.
