Chinese APT Lotus Panda Targets Governments With New Sagerunex Backdoor Variants - Related to push, trojan, lotus, watering, governments

Chinese APT Lotus Panda Targets Governments With New Sagerunex Backdoor Variants

The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with updated versions of a known backdoor called Sagerunex.

"Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite," Cisco Talos researcher Joey Chen mentioned in an analysis .

Lotus Panda, also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip, is a suspected Chinese hacking crew that's active since at least 2009. The threat actor was first exposed by Symantec in June 2018.

In late 2022, Broadcom-owned Symantec detailed the threat actor's attack on a digital certificate authority as well as government and defense agencies located in different countries in Asia that involved the use of backdoors like Hannotog and Sagerunex.

The exact initial access vector used to breach the entities in the latest set of intrusions is not known, although it has a history of conducting spear-phishing and watering hole attacks. The unspecified attack pathway serves as a conduit for the Sagerunex implant, which is assessed to be an evolution of an older Billbug malware known as Evora.

The activity is noteworthy for the use of two new "beta" variants of the malware, which leverage legitimate services like Dropbox, X, and Zimbra as command-and-control (C2) tunnels to evade detection. They have been so-called due to the presence of debug strings in the source code.

The backdoor is designed to gather target host information, encrypt it, and exfiltrate the details to a remote server under the attacker's control. The Dropbox and X versions of Sagerunex are believed to have been put to use between 2018 and 2022, while the Zimbra version is revealed to have been around since 2019.

"The Zimbra webmail version of Sagerunex is not only designed to collect victim information and send it to the Zimbra mailbox but also to allow the actor to use Zimbra mail content to give orders and control the victim machine," Chen introduced.

"If there is a legitimate command order content in the mailbox, the backdoor will download the content and extract the command, otherwise the backdoor will delete the content and wait for a legitimate command."

The results of the command execution are subsequently packaged in the form of an RAR archive and attached to a draft email in the mailbox's draft and trash folders.

Also deployed in the attacks are other tools such as a cookie stealer to harvest Chrome browser credentials, an open-source proxy utility named Venom, a program to adjust privileges, and bespoke software to compress and encrypt captured data.

Furthermore, the threat actor has been observed running commands like net, tasklist, ipconfig, and netstat to perform reconnaissance of the target environment, in addition to carrying out checks to ascertain internet access.

"If internet access is restricted, then the actor has two strategies: using the target's proxy settings to establish a connection or using the Venom proxy tool to link the isolated machines to internet-accessible systems," Talos noted.

Betrüger setzen auf eine Paypal-Funktion namens.

Scammers are impersonating the BianLian ransomware gang in fake ransom notes sent to US companies via snail mail through the United States Postal Serv......

Microsoft hat Windows 365 Disaster Recovery Plus vorgestellt. Zum jetzigen Zeitpunkt liegt das Disaster-Recovery-Tool als lizenzpflichtiges Add-on für......

Watering Hole Attacks Push ScanBox Keylogger

Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool.

A China-based threat actor has ramped up efforts to distribute the ScanBox reconnaissance framework to victims that include domestic Australian organizations and offshore energy firms in the South China Sea. The bait used by the advanced threat group (APT) is targeted messages that supposedly link back to Australian news websites.

The cyber-espionage campaigns are believed to have launched April 2022 through mid-June 2022, ’s Threat Research Team and PwC’s Threat Intelligence team.

The threat actor, , is believed to be the China-based APT TA423, also known as Red Ladon. “Proofpoint assesses with moderate confidence that this activity may be attributable to the threat actor TA423 / Red Ladon, which multiple reports assess to operate out of Hainan Island, China,” .

The APT is most in recent times known for a recent indictment. “A 2021 indictment by the US Department of Justice assessed that TA423 / Red Ladon provides long-running support to the Hainan Province Ministry of State Security (MSS),” researchers showcased.

MSS is the civilian intelligence, security and cyber police agency for the People’s Republic of China. It is believed responsible for counter-intelligence, foreign intelligence, political security and tied to industrial and cyber espionage efforts by China.

The campaign leverages the ScanBox framework. ScanBox is a customizable and multifunctional Javascript-based framework used by adversaries to conducting covert reconnaissance.

ScanBox has been used by adversaries for nearly a decade and is noteworthy because criminals can use the tool to conduct counter intelligence without having to plant malware on a targets system.

“ScanBox is particularly dangerous as it doesn’t require malware to be successfully deployed to disk in order to steal information – the keylogging functionality simply requires the JavaScript code to be executed by a web browser,” .

In lieu of malware, attackers can use ScanBox in conjunction with watering hole attacks. Adversaries load the malicious JavaScript onto a compromised website where the ScanBox acts as a keylogger snagging all of a user’s typed activity on the infected watering hole website.

TA423’s attacks began with phishing emails, with such titles as “Sick Leave,” “User Research” and “Request Cooperation.” Often, the emails purported to come from an employee of the “Australian Morning News,” a fictional organization. The employee implored targets to visit their “humble news website,” australianmorningnews[.]com.

The link directed targets to a web page with content copied from actual news sites, like the BBC and Sky News. In the process, it also delivered the ScanBox malware framework.

ScanBox keylogger data culled from waterholes is part of a multi-stage attack, giving attackers insight into the potential targets that will help them launch future attacks against them. This technique is often called browser fingerprinting.

The primary, initial script insights a list of information about the target computer, including the operating system, language and version of Adobe Flash installed. ScanBox additionally runs a check for browser extensions, plugins and components such WebRTC.

“The module implements WebRTC, a free and open-source technology supported on all major browsers, which allows web browsers and mobile applications to perform real-time communication (RTC) over application programming interfaces (APIs). This allows ScanBox to connect to a set of pre-configured targets,” researchers explain.

Adversaries can then leverage a technology called STUN (Session Traversal Utilities for NAT). This is a standardized set of methods, including a network protocol, that allows interactive communications (including real-time voice, video, and messaging applications) to traverse network address translator (NAT) gateways, researchers explain.

“STUN is supported by the WebRTC protocol. Through a third-party STUN server located on the Internet, it allows hosts to discover the presence of a NAT, and to discover the mapped IP address and port number that the NAT has allocated for the application’s User Datagram Protocol (UDP) flows to remote hosts. ScanBox implements NAT traversal using STUN servers as part of Interactive Connectivity Establishment (ICE), a peer-to-peer communication method used for clients to communicate as directly as possible, avoiding having to communicate through NATs, firewalls, or other solutions,” .

“This means that the ScanBox module can set up ICE communications to STUN servers, and communicate with victim machines even if they are behind NAT,” they explain.

The threat actors “support the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, explained in a statement, “This group specifically wants to know who is active in the region and, while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan, and Australia.”.

The group has, in the past, expanded well beyond Australasia. , 2021, the group has “stolen trade secrets and confidential business information” from victims in “the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the United Kingdom. Targeted industries included, among others, aviation, defense, education, government, health care, biopharmaceutical and maritime.”.

Despite the DoJ indictment, analysts “have not observed a distinct disruption of operational tempo” from TA423, and they “collectively expect TA423 / Red Ladon to continue pursuing its intelligence-gathering and espionage mission.”.

Look at any article with advice about best practices for cybersecurity, and about third or fourth on that list, you’ll find something about applying p......

We’ve all heard a million times: growing demand for robust cybersecurity in the face of rising cyber threats is undeniable. Globally small and medium-......

Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud serv......

New TgToxic Banking Trojan Variant Evolves with Anti-Analysis Upgrades

Cybersecurity researchers have discovered an updated version of an Android malware called TgToxic (aka ToxicPanda), indicating that the threat actors behind it are continuously making changes in response to public reporting.

"The modifications seen in the TgToxic payloads reflect the actors' ongoing surveillance of open source intelligence and demonstrate their commitment to enhancing the malware's capabilities to improve security measures and keep researchers at bay," Intel 471 mentioned in a study .

TgToxic was first documented by Trend Micro in early 2023, describing it as a banking trojan capable of stealing credentials and funds from crypto wallets as well as bank and finance apps. It has been detected in the wild since at least July 2022, mainly focusing on mobile consumers in Taiwan, Thailand, and Indonesia.

Then in November 2024, Italian online fraud prevention firm Cleafy detailed an updated variant with wide-ranging data-gathering functions, while also expanding its operational scope to include Italy, Portugal, Hong Kong, Spain, and Peru. The malware is assessed to be the work of a Chinese-speaking threat actor.

Intel 471's latest analysis has found that the malware is distributed via dropper APK files likely via SMS messages or phishing websites. However, the exact delivery mechanism remains unknown.

Some of the notable improvements include improved emulator detection capabilities and updates to the command-and-control (C2) URL generation mechanism, underscoring ongoing efforts to sidestep analysis efforts.

"The malware conducts a thorough evaluation of the device's hardware and system capabilities to detect emulation," Intel 471 noted. "The malware examines a set of device properties including brand, model, manufacturer and fingerprint values to identify discrepancies that are typical of emulated systems."

Another significant change is the shift from hard-coded C2 domains embedded within the malware's configuration to using forums such as the Atlassian community developer forum to create bogus profiles that include an encrypted string pointing to the actual C2 server.

The TgToxic APK is designed to randomly select one of the community forum URLs provided in the configuration, which serves as a dead drop resolver for the C2 domain.

The technique offers several advantages, foremost being that it makes it easier for threat actors to change C2 servers by simply updating the community user profile to point to the new C2 domain without having to issue any updates to the malware itself.

"This method considerably extends the operational lifespan of malware samples, keeping them functional as long as the user profiles on these forums remain active," Intel 471 revealed.

Subsequent iterations of TgToxic discovered in December 2024 go a step further, relying on a domain generation algorithm (DGA) to create new domain names for use as C2 servers. This makes the malware more resilient to disruption efforts as the DGA can be used to create several domain names, allowing the attackers to switch to a new domain even if some are taken down.

"TgToxic stands out as a highly sophisticated Android banking trojan due to its advanced anti-analysis techniques, including obfuscation, payload encryption, and anti-emulation mechanisms that evade detection by security tools," Approov CEO Ted Miracco unveiled in a statement.

"Its use of dynamic command-and-control (C2) strategies, such as domain generation algorithms (DGA), and its automation capabilities enable it to hijack user interfaces, steal credentials, and perform unauthorized transactions with stealth and resilience against countermeasures."

Following the publication of the story, a Google spokesperson shared the below statement with The Hacker News -.

Based on our current detection, no apps containing this malware are found on Google Play. Android consumers are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn consumers or block apps known to exhibit malicious behavior, even when those apps come from findings outside of Play.

(The story was updated after publication to include a response from Google.).

Gemeinsam mit über zwanzig weiteren zivilgesellschaftlichen Organisationen richtet der Chaos Computer Club (CCC) einen Appell für eine digitale Brandm......

Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsear......

Der IT-Security-Fachmann Tim Philipp Schäfers hat beim Bundesamt für Migration und Flüchtlinge (BAMF) eine schwerwiegende Sicherheitslücke entdeckt, d......