Chinese APT Targets Government and Defense Agencies in Asia

A Chinese state-sponsored actor tracked as Billbug (also known as Thrip, Lotus Blossom, and Spring Dragon) has been reusing the same custom backdoors, with only minimal changes, for years. The group has launched a new campaign that has been ongoing since at least March.

The campaign targets

  • According to Symantec researchers, in its latest campaign Billbug targeted a digital certificate authority (CA), along with government agencies and defense organizations in several Asian countries.
  • The likely motive for compromising the CA is to obtain legitimate code-signing certificates and use them to sign malware, since signed binaries draw less scrutiny from security tools and are harder to detect.

Campaign tools

Billbug is believed to gain initial access to target networks by exploiting known vulnerabilities in public-facing applications.
  • It was seen deploying Stowaway, a Go-based multi-level proxy tool, alongside two custom backdoors it has used before, Hannotog and Sagerunex.
  • It also relies on legitimate dual-use tools: some are native Windows utilities (Ping, Tracert, Route, Certutil), while others are publicly available programs such as AdFind, Winmail, WinRAR, NBTscan, and a port scanner.
  • Mixing these publicly available utilities and living-off-the-land tools with its custom malware lets the group operate with a small, unremarkable footprint.

Key capabilities of tools

  • Stowaway relays external traffic into the intranet through multiple hops, builds a tree-like network of proxy nodes that is simple to manage, and lets the operators reach internal systems that network access restrictions would otherwise block.
  • Hannotog can change firewall settings to allow all traffic, establish persistence on the compromised machine, upload encrypted data, run commands, and download files to the host. It can also drop Sagerunex.
  • Sagerunex communicates with its command-and-control (C2) server over HTTPS in several ways: it sends lists of active proxies and files, and receives payloads and shell commands from the operators.

By combining these custom tools with publicly available utilities, Billbug avoids leaving conspicuous traces in logs or triggering alerts on security tools, which makes both detection and attribution harder.
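Because every individual tool in the list above is legitimate, a useful detection keys on the combination rather than on any one binary: several distinct reconnaissance and staging utilities run on the same host within a short window. The script below is an added example written for this page, not code from Symantec or the Cyware article. The process-creation events are constructed for the example, and the mapping from tool names to executable names (for instance AdFind as adfind.exe, NBTscan as nbtscan.exe) is the author's assumption.

```python
"""Cluster detection for dual-use tool usage (added example, not from the article).

Scans process-creation events (constructed sample data below) and raises an
alert when a single host runs several distinct dual-use tools named in the
article within a configurable time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names from the article. Executable names are an assumption made for
# this example; adjust them to the binaries seen in your own telemetry.
DUAL_USE_IMAGES = {
    "adfind.exe": "AdFind",
    "nbtscan.exe": "NBTscan",
    "certutil.exe": "Certutil",
    "winrar.exe": "WinRAR",
    "rar.exe": "WinRAR",
    "ping.exe": "Ping",
    "tracert.exe": "Tracert",
    "route.exe": "Route",
}

# Constructed sample events in the form "timestamp|host|user|image|command_line".
SAMPLE_EVENTS = """\
2022-03-14T09:01:10|WS-204|corp\\jsmith|C:\\Windows\\System32\\ping.exe|ping 10.0.0.1
2022-03-14T09:02:44|WS-204|corp\\jsmith|C:\\Windows\\System32\\tracert.exe|tracert 10.0.0.1
2022-03-14T09:05:03|WS-204|corp\\jsmith|C:\\Users\\Public\\adfind.exe|adfind.exe -f objectcategory=computer
2022-03-14T09:06:51|WS-204|corp\\jsmith|C:\\Users\\Public\\nbtscan.exe|nbtscan.exe 10.0.0.0/24
2022-03-14T09:09:30|WS-204|corp\\jsmith|C:\\Windows\\System32\\route.exe|route print
2022-03-14T09:12:12|WS-204|corp\\jsmith|C:\\Windows\\System32\\certutil.exe|certutil -decode out.b64 out.exe
2022-03-14T11:30:00|FS-01|corp\\svc_backup|C:\\Program Files\\WinRAR\\rar.exe|rar a backup.rar D:\\data
2022-03-15T08:00:00|WS-110|corp\\adm1|C:\\Windows\\System32\\ping.exe|ping dc01
"""


def _basename(image):
    """Return the lower-cased file name of an image path (Windows or POSIX separators)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse pipe-separated event lines into dicts, tagging known dual-use tools."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "image": image,
            "cmdline": cmdline,
            "tool": DUAL_USE_IMAGES.get(_basename(image)),  # None if not a watched tool
        })
    return events


def find_tool_clusters(events, window_minutes=30, min_distinct=3):
    """Return one alert per host whose events show >= min_distinct distinct
    dual-use tools inside any window of window_minutes. For each host the
    largest cluster found is reported."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:
        if ev["tool"]:
            by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            tools, last_ts = set(), start["ts"]
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                tools.add(ev["tool"])
                last_ts = ev["ts"]
            if len(tools) >= min_distinct and (best is None or len(tools) > len(best["tools"])):
                best = {
                    "host": host,
                    "user": start["user"],
                    "tools": sorted(tools),
                    "first": start["ts"],
                    "last": last_ts,
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_tool_clusters(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['host']} ({alert['user']}): {', '.join(alert['tools'])} "
              f"between {alert['first']:%H:%M} and {alert['last']:%H:%M}")
```

On the sample data only WS-204 is flagged: six distinct tools in about eleven minutes, while the lone WinRAR run on the file server and the single ping on WS-110 fall below the threshold. Ping, Tracert and Route are noisy on their own, so the threshold and window should be tuned per environment and known administrative hosts excluded; the signal is the combination of reconnaissance, archiving and decoding utilities, not any single execution.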

Conclusion

Targeting a certificate authority is worrying: malware carrying a valid digital signature is less likely to be flagged by detection systems on victim machines, and a single stolen certificate can be reused against many victims that trust that CA. With a reusable toolset and a widening target list, the group is well placed to run sustained, wide-ranging campaigns in the near future.
Publisher: Cyware