Billbug targets government agencies in several Asian countries

State-sponsored actors from the Billbug Group (aka Lotus Blossom and Thrip) attempted to compromise a digital certificate authority in an Asian country during a campaign targeting multiple government agencies.

Symantec security researchers made the discovery and shared the results in a advisory released earlier today.

“In an activity documented by Symantec in 2019, we detailed how the group used a backdoor known as Hannotog and another backdoor known as Sagerunex. Both of these tools were also seen in this more recent activity. “, we read in the technical description.

The company added that all the victims of this recent Billbug campaign were based in various countries in Asia.

“Billbug is known to focus on targets in Asian countries. In at least one of the government victims, a large number of network machines were compromised by the attackers,” Symantec Explain.

The targeting of a certificate authority is notable, according to the security company. If attackers could compromise it and gain access to the certificates, they could use them to sign malware with a valid certificate and help it avoid detection on victim machines. It could also use compromised certificates to intercept HTTPS traffic.

“However, while this is a possible motivation for targeting a CA, Symantec has seen no evidence to suggest they were successful in compromising digital certificates,” the company wrote.

In terms of how the attacks were executed, Billbug was observed exploiting public-facing applications to gain initial access to victim networks and, in particular, dual-purpose tools. These included AdFind, WinRAR and Port Scanner, among others.

“Several files believed to be loaders for the Hannotog backdoor have been spotted on the victim machines,” Symantec wrote. “A backdoor was then deployed to the compromised system. This backdoor has multiple features.

Among its various capabilities, the backdoor could create a persistence service, shut down other services, and download encrypted data.

Symantec has confirmed that it has notified the CA to inform them of this activity. The notice comes two months after Interpol claimed to have busted an international cybercrime network which made around $47,000 by extorting dozens of victims in Asia.

Ashley C. Reynolds