The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications and media sectors in the Philippines, Vietnam, Hong Kong and Taiwan with updated versions of a known backdoor called Sagerunex.
“Lotus Blossom has used the Sagerunex backdoor since at least 2016 and is increasingly using long-term shells and developing new Sagerunex malware,” Cisco Talos researcher Joey Chen noted in an analysis published last week.
Lotus Panda, also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon and Thrip, is a suspected Chinese hacking crew that has been active since 2009. It was first exposed by Symantec in June 2018.
In late 2022, Broadcom-owned Symantec detailed the threat actor's attacks on a digital certificate authority, as well as government and defense agencies located in several countries across Asia, which involved the use of backdoors such as Hannotog and Sagerunex.
The exact initial access vector used to breach the entities in the latest set of intrusions is unknown, although the group has a history of spear-phishing and watering hole attacks. The unspecified attack path serves as a conduit for the Sagerunex implant, which is assessed to be an evolution of an older Billbug malware known as Evora.
The activity is notable for the use of two new “beta” variants that abuse legitimate services such as Dropbox, X and Zimbra as command-and-control (C2) channels to evade detection. They are so named because of the presence of debugging strings in the source code.
The backdoor is designed to collect information about the target host, encrypt it and exfiltrate the details to a remote server under the attacker's control. The Dropbox and X versions of Sagerunex are believed to have been used between 2018 and 2022, while the Zimbra version is said to have existed since 2019.
“The Zimbra webmail version of Sagerunex is designed not only to collect victim information and send it to the Zimbra mailbox, but also to allow the actor to use the Zimbra mail content to issue commands and control the victim's machine,” Chen said.
“If the mailbox has legitimate command content, the backdoor downloads the content and executes the command; otherwise the backdoor removes the content and waits for a legitimate command.”
The results of the command execution are then packaged as a RAR archive and attached to an email draft in the mailbox's draft and trash folders.
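As an added illustration (not part of the original report and not Talos tooling), a defender-side hunting heuristic for the draft-staging behaviour just described: drafts in the Drafts or Trash folder carrying RAR attachments, repeated within a short window for the same mailbox. It assumes a constructed export of mailbox items with the fields shown; the records are made up for the example.

```python
"""Hunting heuristic for the Zimbra draft-staging pattern attributed to the
Sagerunex Zimbra variant. Added example, not Talos code. Assumes (hypothetical)
mailbox-item records with fields: mailbox, folder, is_draft, attachments,
timestamp (ISO 8601)."""
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_FOLDERS = {"drafts", "trash"}
SUSPECT_EXT = (".rar",)

# Constructed sample data for the example; not real telemetry.
SAMPLE_ITEMS = [
    {"mailbox": "a.user@example.invalid", "folder": "Drafts", "is_draft": True,
     "attachments": ["report.docx"], "timestamp": "2024-05-01T08:00:00"},
    {"mailbox": "b.user@example.invalid", "folder": "Drafts", "is_draft": True,
     "attachments": ["out.rar"], "timestamp": "2024-05-01T09:00:00"},
    {"mailbox": "b.user@example.invalid", "folder": "Trash", "is_draft": True,
     "attachments": ["out2.rar"], "timestamp": "2024-05-01T09:05:00"},
    {"mailbox": "b.user@example.invalid", "folder": "Trash", "is_draft": True,
     "attachments": ["out3.rar"], "timestamp": "2024-05-01T09:12:00"},
    {"mailbox": "c.user@example.invalid", "folder": "Inbox", "is_draft": False,
     "attachments": ["archive.rar"], "timestamp": "2024-05-01T10:00:00"},
]


def is_suspect(item):
    """A draft sitting in Drafts/Trash with a RAR attachment matches the
    result-staging behaviour described for the Zimbra variant."""
    if not item["is_draft"] or item["folder"].lower() not in SUSPECT_FOLDERS:
        return False
    return any(a.lower().endswith(SUSPECT_EXT) for a in item["attachments"])


def find_staging_mailboxes(items, min_hits=2, window=timedelta(hours=1)):
    """Return {mailbox: hit_count} for mailboxes with at least `min_hits`
    suspect drafts inside one `window`, i.e. repeated staging, not a one-off."""
    per_box = defaultdict(list)
    for it in items:
        if is_suspect(it):
            per_box[it["mailbox"]].append(datetime.fromisoformat(it["timestamp"]))
    flagged = {}
    for box, times in per_box.items():
        times.sort()
        for i in range(len(times)):
            j = i  # extend the window from the i-th hit as far as it reaches
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_hits:
                flagged[box] = j - i + 1
                break
    return flagged
```

Tune the window and the extension list to the environment; a single RAR draft is weak evidence on its own, so the function only reports mailboxes showing repetition.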
Other tools deployed in the attacks include a cookie stealer for harvesting Chrome browser credentials, the open-source proxy utility Venom, a program to adjust privileges, and bespoke software to compress and encrypt the captured data.
In addition, the threat actor has been observed running commands such as net, tasklist, ipconfig and netstat to perform reconnaissance of the target environment, as well as to check for internet access.
“If internet access is limited, the actor has two strategies: using the target's proxy settings to establish a connection, or using the Venom proxy tool to link isolated machines to internet-accessible systems,” Talos said.