Researchers from Cisco Talos have discovered multiple cyber espionage campaigns that target various sectors, including government, manufacturing, telecommunications, and media, delivering Sagerunex and other hacking tools for post-compromise activities. Talos attributes these attacks with high confidence to Lotus Blossom (also known as Spring Dragon, Billbug, or Thrip), a threat actor that has been conducting cyber espionage operations since at least 2012 and remains active today.
“Based on our examination of the tactics, techniques, and procedures (TTPs) utilized in these campaigns, alongside the deployment of Sagerunex, a backdoor family used exclusively by Lotus Blossom, we attribute these campaigns to the Lotus Blossom group with high confidence,” Joey Chen, a Cisco Talos threat intelligence researcher, wrote in a recent blog post. “We also observed Lotus Blossom gain persistence using specific commands to install their Sagerunex backdoor within the system registry and configuring it to run as a service on infected endpoints.”
Chen added that Lotus Blossom has also developed new variants of Sagerunex that not only use traditional command and control (C2) servers but also use legitimate, third-party cloud services such as Dropbox, Twitter, and the Zimbra open-source webmail as C2 tunnels.
“Our assessment is based on the TTPs, backdoors, and victim profiles associated with each activity,” Talos detailed. “Our observations indicate that Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite. The operation appears to have achieved significant success, targeting organizations in sectors such as government, manufacturing, telecommunications, and media in areas including the Philippines, Vietnam, Hong Kong, and Taiwan.”
Talos has identified strong evidence to attribute these campaigns to the Lotus Blossom group, primarily because of the use of the Sagerunex backdoor in these operations. Sagerunex is a remote access tool (RAT) assessed to be an evolution of an older Billbug tool known as Evora. Sagerunex is designed as a dynamic link library (DLL) that is injected into an infected endpoint and executed directly in memory.
“We also observed the Sagerunex backdoor employ various network connection strategies to ensure it remains under the actor’s control,” Chen detailed. “Despite the development of three distinct variants, the foundational structures and core functionalities of the backdoor remain consistent. These consistent elements enable us to confidently categorize all identified variant backdoors as part of the Sagerunex family.”
Moreover, he added that the consistent patterns in victimology and the TTPs identified across these campaigns strongly support Talos’ attribution to the Lotus Blossom espionage group. “This consistency, seen in the selection of targets and the methods employed, aligns with the known operational characteristics of Lotus Blossom, providing compelling evidence that these campaigns are orchestrated by this specific threat actor.”
Lotus Blossom frequently uses the Impacket tool to execute remote processes and commands within the victim’s environment, consistent with its known TTPs. Once the group gains access to a target, its operations typically unfold over multiple stages. Each stage is carefully executed, indicating a well-planned strategy aimed at achieving long-term objectives. This multi-stage approach enables the group to maintain a presence in the network for extended periods, often going undetected for several months.
Talos’ exploration began with a detailed examination of a particular Sagerunex backdoor variant that exhibits a high degree of code similarity and workflow resemblance to those described in other vendors’ blog posts. That analysis helps establish connections and highlights the shared characteristics observed across different Sagerunex variants.
“Next, we will shift our focus to another intriguing variant of the Sagerunex backdoor, which utilizes Dropbox as its C2 server. This unconventional choice of a third-party cloud service illustrates the threat actor’s adaptability and efforts to evade detection,” Chen noted. “Additionally, we have identified another variant of the Sagerunex backdoor that leverages the Zimbra open-source webmail service for its C2 operations. This finding further underscores the diverse strategies Lotus Blossom employs to maintain control and persist within compromised environments.”
He added that Talos examined the loader code similarity to identify numerous variants of the Sagerunex backdoor. “By analyzing the loader and the behavior of the Sagerunex backdoor, we can classify the malware into the Sagerunex family.”
Talos also discovered another variant of the Sagerunex backdoor that uses Dropbox and Twitter API as C2 services. After bypassing the initial checking steps, this backdoor variant retrieves the necessary Dropbox or Twitter tokens to successfully bring the backdoor online.
Once the backdoor sends a beacon message and receives a response ID, it evaluates the ID number to determine subsequent actions. If the ID is less than 16, the function will return, prompting the backdoor to send another beacon message and wait for a new ID. If the ID is between 16 and 32, the backdoor proceeds to collect host information and execute paired backdoor command functions.
After gathering the information and executing the commands, the backdoor encrypts and archives collected data, then transmits it back to Dropbox or Twitter. When the ID received equals 39, the backdoor retrieves data from Dropbox files or Twitter status updates to confirm the status of the backdoor service.
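The response-ID dispatch described in the two paragraphs above is the kind of branch logic an analyst needs to pin down before driving a sample through a sandbox with an emulated C2. The following Python is an added example written for that defender-side purpose; it is not Talos or Lotus Blossom code. It models only what the report states (ID below 16 re-beacons, 16 to 32 collects and executes, 39 confirms status) and treats everything else as unspecified; the inclusive bounds on the 16 to 32 range, the handling of IDs 33 to 38 and above 39, and the sandbox event names are this example's own assumptions.

```python
"""
Analyst-side model of the beacon/response-ID dispatch reported for the
Sagerunex variant that uses Dropbox and Twitter as C2.  Constructed example,
not Talos or Lotus Blossom code.  It lets a sandbox C2 emulator plan which
response ID to return and then check that the sample's observed behaviour
matches the reported branch logic.

Assumptions where the report is silent: the 16..32 range is inclusive at both
ends, IDs 33-38 and IDs above 39 are treated as unspecified, and the event
names below are this example's own vocabulary for sandbox observations.
"""
from enum import Enum


class Phase(Enum):
    REBEACON = "re-beacon"                   # ID < 16: handler returns, sample beacons again
    COLLECT_AND_EXECUTE = "collect-execute"  # 16..32: gather host info, run paired commands
    CONFIRM_STATUS = "confirm-status"        # ID == 39: read Dropbox file / Twitter status
    UNSPECIFIED = "unspecified"              # any ID the report does not describe


# Sandbox events an analyst would expect to see for each phase (assumed names).
EXPECTED_EVENTS = {
    Phase.REBEACON: {"beacon"},
    Phase.COLLECT_AND_EXECUTE: {"beacon", "host_info_collect", "command_exec",
                                "encrypt_archive", "cloud_upload"},
    Phase.CONFIRM_STATUS: {"beacon", "cloud_download"},
    Phase.UNSPECIFIED: {"beacon"},
}


def classify_response_id(response_id: int) -> Phase:
    """Map a C2 response ID to the branch the report says the backdoor takes."""
    if response_id < 16:
        return Phase.REBEACON
    if response_id <= 32:
        return Phase.COLLECT_AND_EXECUTE
    if response_id == 39:
        return Phase.CONFIRM_STATUS
    return Phase.UNSPECIFIED


def plan_emulation(script_ids):
    """For each ID the emulated C2 will return, give the expected phase and events."""
    plan = []
    for rid in script_ids:
        phase = classify_response_id(rid)
        plan.append((rid, phase, EXPECTED_EVENTS[phase]))
    return plan


def check_observed(script_ids, observed_rounds):
    """Compare what the sandbox logged per beacon round with the plan.

    observed_rounds: one set of event names per beacon round, in the same
    order as script_ids.  Returns a list of deviations
    (round_no, id, phase, missing_events, unexpected_events); an empty list
    means the sample behaved exactly as the reported logic predicts.
    """
    deviations = []
    rounds = zip(plan_emulation(script_ids), observed_rounds)
    for round_no, ((rid, phase, expected), observed) in enumerate(rounds, start=1):
        missing = expected - observed
        extra = observed - expected
        if missing or extra:
            deviations.append((round_no, rid, phase, missing, extra))
    return deviations


if __name__ == "__main__":
    # Constructed sandbox run: the emulator answered 3, then 20, then 39.
    script = [3, 20, 39]
    observed = [
        {"beacon"},
        {"beacon", "host_info_collect", "command_exec", "encrypt_archive", "cloud_upload"},
        {"beacon"},  # sample never fetched the status object after ID 39
    ]
    for round_no, rid, phase, missing, extra in check_observed(script, observed):
        print("round %d (id %d, %s): missing=%s extra=%s"
              % (round_no, rid, phase.value, sorted(missing), sorted(extra)))
```

A deviation in the third round, as in the constructed run above, tells the analyst either that the sample differs from the reported variant or that the emulator's status object was not where the sample looked for it; both are worth recording before the sample's network behaviour is turned into detection content.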
Last month, researchers from Cisco Talos were monitoring reports of significant intrusion activities aimed at several U.S. telecommunications companies. Their investigation revealed that the initial access to Cisco devices was achieved by the threat actor acquiring legitimate login credentials from victims. The threat actor then showed their capability to remain in the targeted environments, spanning equipment from various vendors, for prolonged durations, with access maintained in one case for more than three years.