Lotus Panda, a Chinese APT, Strikes Governments with Updated Sagerunex Backdoor Variants

The cyber threat group known as Lotus Panda has been actively targeting government, manufacturing, telecommunications, and media sectors across the Philippines, Vietnam, Hong Kong, and Taiwan. They are doing so by deploying updated versions of a well-known backdoor, Sagerunex.

According to Cisco Talos researcher Joey Chen, “Lotus Blossom has been utilizing the Sagerunex backdoor since at least 2016, increasingly incorporating long-term command shells for persistence and developing new variants.” The analysis, which covers the Sagerunex malware suite, was published last week.

Lotus Panda, which is also referred to as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip, is suspected to be a Chinese hacking group that has been active since at least 2009. The group was first exposed by Symantec in June 2018.

In late 2022, Broadcom-owned Symantec provided details of the group’s attack on a digital certificate authority, as well as other attacks against government and defense agencies across various Asian nations. These attacks involved backdoors such as Hannotog and Sagerunex.

The exact initial access vector used in the latest intrusions remains unknown. However, Lotus Panda has a known history of spear-phishing campaigns and watering hole attacks. These pathways lead to the deployment of the Sagerunex implant, which is assessed to be an evolution of an older Billbug malware known as Evora.

An important aspect of this attack is the deployment of two new ‘beta’ variants of the malware. These variants take advantage of legitimate services, such as Dropbox, X, and Zimbra, to act as command-and-control (C2) channels, making it harder for security measures to detect the threat. These variants are referred to as “beta” because of debug strings in the malware’s source code.

The Sagerunex backdoor is designed to collect information from compromised systems, encrypt it, and then exfiltrate the data to a remote server controlled by the attackers. Versions of the malware using Dropbox and X services were active between 2018 and 2022, while the Zimbra variant has been in use since 2019.

Chen explained, “The Zimbra webmail version of Sagerunex not only gathers victim data and sends it to a Zimbra mailbox but also allows the attackers to issue commands to control the victim’s system.” If legitimate commands are found within the victim’s mailbox, the backdoor will download and execute them. Otherwise, it deletes the content and waits for further instructions.

The results of executed commands are then compressed into a RAR archive and stored in the draft and trash folders of the Zimbra mailbox, awaiting retrieval by the operators.

In addition to the Sagerunex backdoor, the attackers have been seen deploying other tools such as a cookie stealer to capture credentials from Chrome browsers, an open-source proxy tool called Venom, software to elevate privileges, and custom programs to compress and encrypt data that is stolen from the victim’s systems.

The threat actor has also been observed using commands like net, tasklist, ipconfig, and netstat for reconnaissance, gathering data on the victim’s environment. Additionally, they perform checks to determine whether the target system has internet access.
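Two of the behaviours described above are cheap to hunt for in endpoint telemetry: a non-browser process talking to a cloud service that the actor abuses for C2 (Dropbox, X, or the organisation's own Zimbra webmail), and a burst of built-in reconnaissance tools (net, tasklist, ipconfig, netstat) launched from the same parent process. The script below is an added example written for this article, not Talos code or a detection they published. It runs over a handful of constructed Sysmon-style events embedded inline; the hostnames, process names, timestamps, and the `mail.example.org` Zimbra server are assumptions for illustration.

```python
"""Hunting helpers for two Sagerunex-style behaviours described in the article:
(1) non-browser processes reaching cloud services abused as C2 channels, and
(2) bursts of built-in recon commands from a single parent process.
Added example with constructed sample data; not code from Cisco Talos."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified Sysmon-like shape (assumption, not real logs).
# kind "proc" = process creation, kind "net" = outbound network connection.
SAMPLE_EVENTS = [
    {"kind": "proc", "ts": "2025-03-03T09:00:01", "host": "WS-17",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user",
     "parent": r"C:\Users\Public\update.exe"},
    {"kind": "proc", "ts": "2025-03-03T09:00:05", "host": "WS-17",
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /v",
     "parent": r"C:\Users\Public\update.exe"},
    {"kind": "proc", "ts": "2025-03-03T09:00:20", "host": "WS-17",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all",
     "parent": r"C:\Users\Public\update.exe"},
    {"kind": "proc", "ts": "2025-03-03T09:01:10", "host": "WS-17",
     "image": r"C:\Windows\System32\netstat.exe", "cmdline": "netstat -ano",
     "parent": r"C:\Users\Public\update.exe"},
    # A lone ipconfig from an interactive shell: normal admin activity, should not alert.
    {"kind": "proc", "ts": "2025-03-03T09:30:00", "host": "WS-03",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig",
     "parent": r"C:\Windows\explorer.exe"},
    {"kind": "net", "ts": "2025-03-03T09:02:00", "host": "WS-17",
     "image": r"C:\Users\Public\update.exe", "dest": "api.dropboxapi.com"},
    # A browser reaching Dropbox is expected user traffic, should not alert.
    {"kind": "net", "ts": "2025-03-03T09:05:00", "host": "WS-03",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "www.dropbox.com"},
]

# Public services the article says the beta variants use as C2 channels.
C2_SERVICE_DOMAINS = {"dropbox.com", "dropboxapi.com", "twitter.com", "x.com"}
# Zimbra is self-hosted, so the organisation's own webmail host goes here (assumed name).
ZIMBRA_HOSTS = {"mail.example.org"}
# Processes for which traffic to these services is expected.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "dropbox.exe"}
# Built-in recon tools named in the article.
RECON_BINARIES = {"net.exe", "net1.exe", "tasklist.exe", "ipconfig.exe", "netstat.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def domain_matches(dest, suffixes):
    """True if dest equals or is a subdomain of any watched suffix."""
    d = dest.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def flag_service_c2(events):
    """Return (host, process, destination) for non-browser processes contacting watched services."""
    hits = []
    for e in events:
        if e["kind"] != "net":
            continue
        proc = basename(e["image"])
        if proc in BROWSERS:
            continue
        if domain_matches(e["dest"], C2_SERVICE_DOMAINS | ZIMBRA_HOSTS):
            hits.append((e["host"], proc, e["dest"]))
    return hits


def flag_recon_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Return (host, parent, tools) where one parent launched >= min_distinct distinct
    recon tools within `window`; a single ad-hoc ipconfig does not qualify."""
    by_parent = defaultdict(list)
    for e in events:
        if e["kind"] != "proc":
            continue
        tool = basename(e["image"])
        if tool in RECON_BINARIES:
            by_parent[(e["host"], e["parent"])].append((datetime.fromisoformat(e["ts"]), tool))
    alerts = []
    for (host, parent), runs in by_parent.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):  # slide the window over each start point
            tools = {t for ts, t in runs[i:] if ts - t0 <= window}
            if len(tools) >= min_distinct:
                alerts.append((host, parent, tuple(sorted(tools))))
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for hit in flag_service_c2(SAMPLE_EVENTS):
        print("non-browser process to C2-capable service:", hit)
    for alert in flag_recon_bursts(SAMPLE_EVENTS):
        print("recon burst:", alert)
```

On the sample data the first check flags only `update.exe` on WS-17 reaching `api.dropboxapi.com`, and the second flags the same parent for running four distinct recon tools inside two minutes; the lone `ipconfig` from explorer.exe and the browser's Dropbox traffic stay quiet. In production the browser allowlist should be backed by signer and path checks, since a process name alone is trivial to spoof, and the Zimbra host list must be populated per organisation.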

Talos noted, “If internet access is restricted, the attacker employs two strategies: either using the victim’s proxy settings to connect to external systems or using the Venom proxy tool to link isolated machines to systems that have internet access.”
