Lotus Blossom, also tracked as Lotus Panda, is a Chinese APT group that has conducted cyber espionage for more than a decade. It has recently updated its toolkit with new variants of the Sagerunex backdoor that use third-party cloud services and social media platforms for command and control. This article examines the group's tactics, techniques, and procedures, describes its operational framework, and discusses the challenges defenders face against such persistent threats. Affected: Cybersecurity, various sectors targeted by APT activities
Keypoints :
- Lotus Blossom is a well-established APT group involved in cyber espionage for over ten years.
- They have deployed new Sagerunex backdoor variants with expanded operational capabilities.
- Utilization of third-party cloud services and social media platforms for command-and-control communications.
- Incorporation of social engineering tactics such as spear-phishing and watering hole attacks.
- Use of various tools including RAR archivers, Chrome cookie stealers, and custom proxy tools like Venom.
- Persistence is achieved through Windows Registry modifications that register the Sagerunex backdoor as a service.
- Stealthy data exfiltration techniques leveraging legitimate services such as Dropbox and Twitter.
- A need for organizations to deploy advanced EDR solutions and test security controls continuously.
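Because the C2 and exfiltration channels ride on legitimate services, blocking dropbox.com or twitter.com outright is rarely an option; what can be hunted is the shape of the traffic. The script below is an added example, not code from the Picus write-up or from the Sagerunex operators. It parses a constructed proxy log, groups connections to the watched services by client and registrable domain, and flags pairs whose inter-connection gaps are nearly constant, which is what a scheduled implant check-in looks like next to a human using the same service. The log format, hostnames, timings, the five-hit minimum and the 10% coefficient-of-variation threshold are all assumptions for illustration; this page does not state the real Sagerunex beacon interval.

```python
"""Hunt for beacon-like traffic to legitimate cloud/social services.

Added example (not from the Picus write-up). The proxy log format,
clients, timings and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Legitimate services the write-up names as Sagerunex C2 / exfil channels.
WATCHED_DOMAINS = {"dropbox.com", "twitter.com", "zimbra.com"}

# Constructed proxy log (not real traffic):
# "<ISO timestamp> <client> <destination host> <bytes sent>"
# ws-017 talks to api.dropbox.com roughly every 300 s; ws-042 is a person
# using Dropbox in the browser at irregular times.
SAMPLE_LOG = """\
2025-03-01T09:00:00 ws-017 api.dropbox.com 1204
2025-03-01T09:01:10 ws-042 www.dropbox.com 8831
2025-03-01T09:03:45 ws-042 www.dropbox.com 120445
2025-03-01T09:05:02 ws-017 api.dropbox.com 1198
2025-03-01T09:09:58 ws-017 api.dropbox.com 1210
2025-03-01T09:10:00 ws-017 api.twitter.com 640
2025-03-01T09:15:01 ws-017 api.dropbox.com 1201
2025-03-01T09:20:00 ws-017 api.dropbox.com 1199
2025-03-01T09:20:00 ws-017 api.twitter.com 655
2025-03-01T09:24:59 ws-017 api.dropbox.com 1203
2025-03-01T09:30:00 ws-017 api.twitter.com 648
2025-03-01T09:31:02 ws-042 www.dropbox.com 2201
2025-03-01T09:32:10 ws-042 www.dropbox.com 77120
2025-03-01T10:15:40 ws-042 www.dropbox.com 4410
2025-03-01T10:16:00 ws-042 www.example.org 3000
"""


def parse_log(text):
    """Turn the constructed log text into a list of connection records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, nbytes = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "host": host.lower(),
            "bytes": int(nbytes),
        })
    return records


def registrable_domain(host):
    """Reduce 'api.dropbox.com' to 'dropbox.com'.

    Assumption: last two labels are the registrable domain. A production
    hunt should use the public suffix list instead (co.uk etc.).
    """
    return ".".join(host.split(".")[-2:])


def find_beacons(records, min_hits=5, max_cv=0.10):
    """Flag (client, domain) pairs whose connection gaps are nearly constant.

    cv = population std-dev / mean of the inter-connection gaps; a low cv
    means a fixed sleep between check-ins. Thresholds are assumptions.
    """
    by_pair = defaultdict(list)
    for rec in records:
        domain = registrable_domain(rec["host"])
        if domain in WATCHED_DOMAINS:
            by_pair[(rec["client"], domain)].append(rec["time"])

    findings = []
    for (client, domain), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all hits in the same second: not a sleep-based beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "domain": domain,
                "hits": len(times),
                "mean_gap_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

With the defaults only ws-017 to dropbox.com is reported (six hits about 300 s apart); ws-042's irregular browsing of the same service is not, and ws-017's three perfectly spaced Twitter hits fall below the hit minimum until you lower it, which is the usual trade-off between catching slow beacons and drowning in noise.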
MITRE Techniques :
- Initial Access (TA0001): Uses spear-phishing (Phishing: Spearphishing Attachment, T1566.001) and watering hole attacks (Drive-by Compromise, T1189) for the initial network breach.
- Exploit Public-Facing Application (T1190): Targets vulnerabilities in internet-exposed systems to gain access.
- Valid Accounts (T1078): Leverages legitimate compromised credentials during infiltration.
- Command and Scripting Interpreter (T1059): Engages native command-line tools for execution and reconnaissance.
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): Registers Sagerunex for persistence through Windows Registry modifications. Note that running the backdoor as a Windows service, as described in the key points, corresponds more precisely to Create or Modify System Process: Windows Service (T1543.003); a hunt should cover both the Run keys and the Services hive.
- Access Token Manipulation: Create Process with Token (T1134.002): Adjusts process privileges for escalation within the target system.
- Obfuscated Files or Information (T1027): Applies code obfuscation techniques using VMProtect for evasion.
- Credentials from Password Stores: Credentials from Web Browsers (T1555.003): Employs Chrome cookie stealers to gather session cookies and other sensitive browser data.
- System Information Discovery (T1082): Gathers detailed system information using reconnaissance commands.
- Remote Services (T1021): Moves laterally using tools like Impacket for remote command execution.
- Archive Collected Data: Archive via Utility (T1560.001): Uses RAR-based archiving tools to compress and encrypt sensitive files before exfiltration.
- Application Layer Protocol: Web Protocols (T1071.001): Abuses cloud services for command-and-control activities.
- Encrypted Channel (T1573): Implements encryption for secure communications with C2 infrastructure.
- Proxy: External Proxy (T1090.002): Uses customized Venom proxy to manage communications with external servers.
- Exfiltration Over C2 Channel (T1041): Transmits collected information through existing C2 pathways, including cloud services.
Indicators of Compromise :
- [Domain] dropbox.com
- [Domain] twitter.com
- [Domain] zimbra.com
- [File path] c:\windows\tapisrv.dll
- [File path] c:\windows\swprv.dll
Note: the three domains are legitimate services that Sagerunex abuses for C2 and exfiltration. They identify the channel, not the adversary, so they are hunting context rather than blocklist entries. The two entries below them are file paths where the backdoor DLL was observed, not hashes; match on the path (a DLL directly under C:\Windows rather than System32) and on how it is loaded.
Full Story: https://www.picussecurity.com/resource/blog/lotus-blossom