New Campaigns from Chinese Cyberespionage Group Lotus Blossom
Category: Threat Actor Activity | Industries: Defense, Government, Technology | Level: Tactical | Source: Symantec
Symantec researchers observed new activity from the Chinese cyberespionage group Lotus Blossom (aka Billbug, Thrip, and Spring Dragon): campaigns in Asian countries targeting certificate authorities, government entities, and defense organizations. The targeting of a certificate authority is of particular concern, since a compromised CA could be used to sign malware with trusted certificates, helping it evade detection, or to issue certificates that enable interception of encrypted traffic. Operating since at least 2009, Lotus Blossom conducts stealthy campaigns; the latest has been running since March 2022 and uses custom backdoors, living-off-the-land binaries, and some open-source tools.

Lotus Blossom's initial access vector has not been observed, but the group is suspected of exploiting public-facing applications. Tools commonly used include AdFind, Winmail, WinRAR, Ping, Tracert, Route, NBTscan, Certutil, and Port Scanner. Because these utilities are routinely present on workstations, their use lets the group maintain a low profile in compromised environments. The group's custom backdoors are named Hannotog and Sagerunex. Hannotog can modify firewall rules, create a service for persistence, stop Windows services, run commands via CMD, and download additional payloads to the victim host. Sagerunex, when dropped by Hannotog, injects itself into a running process such as explorer.exe and initiates C2 (command and control) communication with the attacker's server.

In the campaigns Symantec has observed so far, Lotus Blossom has not yet been seen stealing data; however, data collection and exfiltration are assessed to be the group's primary motivation.
Anvilogic Use Cases:
- Utility Archive Data
- Certutil Obfuscate/Encode Files
- Windows Service Created
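The three use cases above map onto the tradecraft described in the summary: Certutil used to encode or decode staged payloads, WinRAR used to archive collected data, and a Windows service created for persistence (as Hannotog does). The following is an added example, not Symantec's or Anvilogic's detection content, showing how that logic might be expressed over normalized Windows telemetry. The input records are constructed for this example (Sysmon Event ID 1 process creation and System log Event ID 7045 service installation), and the field names event_id, host, image, command_line, service_name and image_path are assumptions, not a vendor schema. It also filters out routine uses of the same tools (certutil -store, WinRAR extraction, services installed under Program Files) so that the living-off-the-land binaries alone do not generate noise.

```python
"""Toy detections for the living-off-the-land tradecraft described above.

Added example, not Symantec's or Anvilogic's detection content. The events are
constructed telemetry normalized into dicts the way a SIEM would present them:
Sysmon Event ID 1 (process creation) and System Event ID 7045 (service installed).
Field names (event_id, host, image, command_line, service_name, image_path) are
assumptions for this example, not a vendor schema.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Whitespace tokenizer that keeps double-quoted paths containing spaces together.
TOKEN = re.compile(r'"[^"]*"|\S+')

# certutil accepts both '-' and '/' for switches; these turn it into a
# base64/hex encoder or decoder, which is how it is abused for payload staging.
CERTUTIL_ENCODE_SWITCH = re.compile(r"(?:^|\s)[-/](encode|decode|encodehex|decodehex)\b", re.I)

ARCHIVERS = ("rar.exe", "winrar.exe", "7z.exe", "7za.exe")

# Service binaries installed outside these roots are the interesting ones.
TRUSTED_SERVICE_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"event_id": 1, "host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil -store my"},                       # routine admin use
    {"event_id": 1, "host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -decode C:\Users\Public\update.txt C:\Users\Public\svchost.exe"},
    {"event_id": 1, "host": "ws02", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "command_line": r'rar.exe a -hpS3cret -r C:\ProgramData\out.rar "C:\Users\jdoe\Documents\*.docx"'},
    {"event_id": 1, "host": "ws02", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": r"WinRAR.exe x C:\Users\jdoe\Downloads\tools.rar"},  # extraction, not staging
    {"event_id": 7045, "host": "ws01", "service_name": "WinSyncSvc",
     "image_path": r"C:\ProgramData\WinSync\winsync.exe"},
    {"event_id": 7045, "host": "ws03", "service_name": "VendorUpdater",
     "image_path": r'"C:\Program Files\Vendor\updater.exe" -svc'},
]


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    detail: str


def _tokens(command_line: str) -> list:
    return [t.strip('"') for t in TOKEN.findall(command_line)]


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_certutil_encode(event: dict) -> Optional[Alert]:
    """Certutil Obfuscate/Encode Files: certutil invoked with an encode/decode switch."""
    if event.get("event_id") != 1 or _basename(event.get("image", "")) != "certutil.exe":
        return None
    cmd = event.get("command_line", "")
    m = CERTUTIL_ENCODE_SWITCH.search(cmd)
    if not m:
        return None  # e.g. 'certutil -store my' is normal certificate administration
    return Alert("Certutil Obfuscate/Encode Files", "medium", event["host"],
                 f"certutil -{m.group(1).lower()}: {cmd}")


def detect_archive_staging(event: dict) -> Optional[Alert]:
    """Utility Archive Data: RAR/7-Zip 'a' (add) command, ranked higher if password-protected."""
    if event.get("event_id") != 1 or _basename(event.get("image", "")) not in ARCHIVERS:
        return None
    toks = _tokens(event.get("command_line", ""))
    # RAR and 7-Zip take a one-letter command after the program; 'a' adds files,
    # while 'x'/'e' extract and are not collection activity.
    if len(toks) < 2 or toks[1].lower() != "a":
        return None
    # -hp encrypts headers and contents, -p contents only; either marks a
    # password-protected archive, a common exfiltration-staging pattern.
    encrypted = any(t.lower().startswith(("-hp", "-p")) for t in toks[2:])
    return Alert("Utility Archive Data", "high" if encrypted else "medium", event["host"],
                 ("password-protected " if encrypted else "") + "archive created: " + event["command_line"])


def detect_service_created(event: dict) -> Optional[Alert]:
    """Windows Service Created: every 7045, high severity when the binary is outside trusted roots."""
    if event.get("event_id") != 7045:
        return None
    toks = _tokens(event.get("image_path", ""))
    binary = toks[0].lower() if toks else ""
    trusted = binary.startswith(TRUSTED_SERVICE_ROOTS)
    return Alert("Windows Service Created", "low" if trusted else "high", event["host"],
                 f"service {event.get('service_name')} -> {event.get('image_path')}")


DETECTORS = (detect_certutil_encode, detect_archive_staging, detect_service_created)


def run_detections(events) -> list:
    """Apply every detector to every event and return the alerts in event order."""
    return [a for ev in events for a in (d(ev) for d in DETECTORS) if a]


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] {a.host} {a.rule}: {a.detail}")
```

Running the block prints four alerts: the certutil decode, the password-protected RAR archive, and the two service installations, with the one whose binary sits under C:\ProgramData ranked high and the Program Files installer ranked low. In production the same checks would be joined to the process tree (for example, certutil or rar.exe spawned by an unusual parent) rather than evaluated per event.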