FOCUS MODE
EXTRACT IOC
Threat Research

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

Talos
Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
Cisco Talos has identified multiple cyber espionage campaigns linked to the Lotus Blossom group, targeting sectors including government, manufacturing, telecommunications, and media. Utilizing Sagerunex and other tools, these attacks showcase advanced tactics for persistence and evasion, underscoring the group’s long-standing operations since 2012. Affected: government, manufacturing, telecommunications, media

Keypoints :

  • Multiple cyber espionage campaigns identified by Cisco Talos attributed to the Lotus Blossom group.
  • Target sectors include government, telecommunications, manufacturing, and media.
  • The Sagerunex backdoor and other hacking tools are employed for post-compromise activities.
  • Lotus Blossom has been active since at least 2012, showcasing advanced persistence techniques.
  • New variants of Sagerunex utilize third-party cloud services like Dropbox and Twitter for command and control functions.
  • Lotus Blossom employs legitimate platforms for evasion and communication with compromised systems.
  • Specific command lines used to install Sagerunex backdoor in the system registry.
  • Persistent strategies allow the actor to maintain control of compromised environments for extended periods.
  • Talos provides insights into the overall attack chain and technical analysis of Sagerunex variants.

MITRE Techniques :

  • Persistence (T1547.001) – Leveraging registry run keys to ensure Sagerunex backdoor runs as a service.
  • Command and Control (T1071) – Using Dropbox, Twitter, and Zimbra webmail for C2 tunneling.
  • Credential Dumping (T1003) – Utilizing cookie stealer tools to harvest Chrome browser credentials.
  • Remote File Copy (T1105) – Employing archiving tools to transfer files and folders from victims.
  • Network Service Scanning (T1046) – Executing commands like “netstat” and “ipconfig” for reconnaissance.

Indicator of Compromise :

  • [Domain] dropbox.com
  • [Domain] twitter.com
  • [Domain] zimbra.com
  • [IoC Type] MD5 0x2c6e8c0934684b9342261cceb772efc1
  • [File Path] C:UsersUSERDocumentsdtj32dj32.dll

Full Story: https://blog.talosintelligence.com/lotus-blossom-espionage-group/

Tags: PROXY, BROWSER, PASSWORD, BACKDOOR, RECONNAISSANCE, EMAIL, FIREWALL, TOOL