Billbug: Intrusion Campaign Against Southeast Asia Continues

The Billbug espionage group targeted multiple organizations in Southeast Asia between August 2024 and February 2025, using custom tools in its intrusions. Targets included a government ministry, an air traffic control organization, and others across several sectors. The campaign continues the group's earlier activity and relies on techniques such as DLL sideloading to deliver malicious payloads.

Affected sectors: government, telecoms, construction, media, air traffic control

Key points:

  • The Billbug espionage group compromised multiple organizations in Southeast Asia.
  • Targets included government ministries, telecom operators, construction companies, and media agencies.
  • The campaign spanned from August 2024 to February 2025.
  • Attackers used custom tools, including loaders and credential stealers.
  • DLL sideloading was a primary technique used for delivering malware.
  • The Sagerunex backdoor was a notable tool used in these intrusions.
  • Some tools developed for credential theft targeted Chrome browser users.
  • Indicators of compromise (IOCs) linked to their activities have been documented.

MITRE Techniques:

  • TA0001: Initial Access – The attackers utilized spear-phishing and legitimate software to deploy malicious payloads.
  • TA0002: Execution – DLL sideloading was used to execute malicious code through legitimate executables such as tmdbglog.exe and bds.exe.
  • TA0003: Persistence – A variant of the Sagerunex backdoor was deployed to create registry modifications that ensured persistent access.
  • TA0004: Credential Access – Tools like ChromeKatz and CredentialKatz were used to steal credentials from web browsers.
  • TA0005: Remote Access – A reverse SSH tool was used to maintain access by listening for connections on port 22.
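The sideloading technique above leaves a recognizable trace in image-load telemetry: a legitimate host executable such as tmdbglog.exe or bds.exe loads a DLL from its own directory instead of a Windows system directory. The script below is an added example written for this summary, not code from the report or from Symantec. Only the two host executable names come from the page; the `ImageLoad` record shape (modelled loosely on Sysmon Event ID 7), the trusted-directory list, and every path in `SAMPLE_EVENTS` are constructed assumptions.

```python
"""Heuristic hunt for DLL sideloading in image-load telemetry (added example).

The host executable names come from the report; every DLL path, event and
the trusted-directory list below are constructed assumptions for this demo.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

# Legitimate executables the report names as sideloading hosts.
SIDELOAD_HOSTS = {"tmdbglog.exe", "bds.exe"}

# Assumption: a DLL loaded from one of these trees is expected system behaviour.
TRUSTED_DLL_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)


@dataclass(frozen=True)
class ImageLoad:
    """One image-load record, modelled loosely on Sysmon Event ID 7 fields."""
    image: str         # process that performed the load
    image_loaded: str  # DLL that was loaded
    signed: bool       # whether the DLL carried a valid Authenticode signature


def _norm(path: PureWindowsPath) -> str:
    """Case-folded string form, since Windows paths compare case-insensitively."""
    return str(path).lower()


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if *path* lies somewhere inside *root*."""
    return _norm(root) in {_norm(p) for p in path.parents}


def flag_sideload_candidates(events: Iterable[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (host, dll, reason) for loads that look like sideloading.

    A load is suspicious when a known host executable pulls a DLL from
    outside the Windows system directories and either the DLL sits in the
    host's own directory (the classic sideloading layout) or it is unsigned.
    """
    findings = []
    for ev in events:
        host = PureWindowsPath(ev.image)
        dll = PureWindowsPath(ev.image_loaded)
        if host.name.lower() not in SIDELOAD_HOSTS:
            continue  # not one of the hosts we are hunting for
        if any(is_under(dll, root) for root in TRUSTED_DLL_DIRS):
            continue  # normal system DLL load
        reasons = []
        if _norm(dll.parent) == _norm(host.parent):
            reasons.append("dll in host directory")
        if not ev.signed:
            reasons.append("unsigned dll")
        if reasons:
            findings.append((ev.image, ev.image_loaded, "; ".join(reasons)))
    return findings


# Constructed sample telemetry: not real events from the report.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\ProgramData\Vendor\tmdbglog.exe", r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\ProgramData\Vendor\tmdbglog.exe", r"C:\ProgramData\Vendor\planted_example.dll", False),
    ImageLoad(r"C:\Users\Public\bds\bds.exe", r"C:\Windows\SysWOW64\msvcrt.dll", True),
    ImageLoad(r"C:\Users\Public\bds\bds.exe", r"C:\Users\Public\bds\planted_example.dll", True),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Users\Public\anything.dll", False),
]

if __name__ == "__main__":
    for host, dll, why in flag_sideload_candidates(SAMPLE_EVENTS):
        print(f"{host} loaded {dll}: {why}")
```

On the constructed sample the two loads flagged are the ones where the host executable pulls a DLL from its own directory; the signed load from the host directory is still reported, because a valid signature on the DLL does not rule out sideloading, it only removes one of the two reasons.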

Indicators of Compromise:

  • [SHA256] f9036b967aaadf51fe0a7017c87086c7839be73efabb234e2c21885a6840343e
  • [SHA256] b75a161caab0a90ef5ce57b889534b5809af3ce2f566af79da9184eaa41135bd
  • [SHA256] 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
  • [SHA256] 4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e
  • [SHA256] b337a3b55e9f6d72e22fe55aba4105805bb0cf121087a3f6c79850705593d904
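The five SHA256 values above are the kind of indicator most easily turned into a local hunt: hash every file under a directory and report any whose digest is on the list. The script below is an added example written for this summary, not code from the report or from Symantec. The hashes in `BILLBUG_SHA256` are copied from the list above; the `demo()` function builds a constructed directory with a planted file whose hash is added to the IOC set for the demo only, so the scan has something to find offline.

```python
"""Scan a directory tree for files whose SHA256 matches known IOCs (added example).

BILLBUG_SHA256 holds the hashes from the report. Everything demo() creates
is constructed for this example and is not a real Billbug artefact.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# SHA256 indicators listed in the report.
BILLBUG_SHA256 = {
    "f9036b967aaadf51fe0a7017c87086c7839be73efabb234e2c21885a6840343e",
    "b75a161caab0a90ef5ce57b889534b5809af3ce2f566af79da9184eaa41135bd",
    "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924",
    "4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e",
    "b337a3b55e9f6d72e22fe55aba4105805bb0cf121087a3f6c79850705593d904",
}


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, sha256) for every regular file under *root* whose hash is in *iocs*.

    Hashes are compared case-insensitively; symlinks are not followed and
    unreadable files are skipped rather than aborting the whole scan.
    """
    wanted = {h.lower() for h in iocs}
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # permission denied, file vanished mid-scan, etc.
            if digest in wanted:
                hits.append((str(p), digest))
    return hits


def demo() -> Dict[str, object]:
    """Build a constructed tree with one planted 'known bad' file and scan it.

    The planted file's hash is added to the IOC set for this demo only; the
    report's own hashes in BILLBUG_SHA256 are left unchanged.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        planted = root / "sub" / "planted.bin"
        planted.write_bytes(b"constructed sample, not a real Billbug artefact")
        (root / "benign.txt").write_text("nothing to see here")
        planted_hash = sha256_of(planted)
        hits = scan_tree(root, BILLBUG_SHA256 | {planted_hash})
        return {
            "hits": [Path(p).name for p, _ in hits],
            "hit_hashes_match_planted": all(h == planted_hash for _, h in hits),
        }


if __name__ == "__main__":
    print(demo())
```

For a real hunt, point `scan_tree` at the directories where the report's legitimate host executables were dropped and pass `BILLBUG_SHA256` directly; a hit on any of the five hashes is high-confidence, while a miss says nothing about recompiled or repacked variants, which is why the telemetry-based sideloading check is worth running alongside it.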

Full Story: https://symantec-enterprise-blogs.security.com/threat-intelligence/billbug-china-espionage