Ethical Hacking News
A Chinese Advanced Persistent Threat (APT) group known as Lotus Panda or Billbug has been observed targeting various government sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with updated versions of a known backdoor called Sagerunex. The threat actor, suspected to be Chinese in origin, has been active since at least 2009 and was first exposed by Symantec in June 2018.
The group has been targeting government sectors in several countries with updated versions of the Sagerunex backdoor, which gathers target host information, encrypts it, and exfiltrates the details to a remote server. The latest campaign involves two new "beta" variants of Sagerunex that use legitimate services such as Dropbox, X, and Zimbra as command-and-control tunnels to evade detection. These variants collect victim information, send it to a remote server, and, in the Zimbra case, read commands from legitimate mail content to control the victim machine. The attack pathway used by Lotus Panda remains unknown, but spear-phishing and watering hole attacks are believed to be part of its initial access vector. Organizations should implement robust security measures, conduct regular vulnerability assessments, and stay up to date with threat intelligence to mitigate the risk posed by groups like Lotus Panda.
According to Cisco Talos researcher Joey Chen, Lotus Panda has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite. This latest campaign involves the deployment of two new "beta" variants of the malware, which leverage legitimate services like Dropbox, X, and Zimbra as command-and-control (C2) tunnels to evade detection.
The Sagerunex backdoor is designed to gather target host information, encrypt it, and exfiltrate the details to a remote server under the attacker's control. The Dropbox and X versions of Sagerunex are believed to have been put to use between 2018 and 2022, while the Zimbra version is said to have been around since 2019.
The most notable feature of the Zimbra webmail version of Sagerunex is its ability to collect victim information and send it to a remote server under the attacker's control. However, what makes this variant particularly noteworthy is its capacity to use legitimate Zimbra mail content to give orders and control the victim machine.
According to Chen, if the mailbox contains legitimate command order content, the backdoor downloads the content and extracts the command; otherwise, it deletes the content and waits for a legitimate command. The results of the command execution are then packaged as a RAR archive and attached to a draft email in the mailbox's draft and trash folders.
In addition to the Sagerunex backdoor, other tools such as a cookie stealer, an open-source proxy utility named Venom, a program to adjust privileges, and bespoke software to compress and encrypt captured data have been found deployed in the attacks. Furthermore, the threat actor has been observed running commands like net, tasklist, ipconfig, and netstat to perform reconnaissance of the target environment.
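One defender-side way to act on the reconnaissance detail above is to watch for several of those built-in tools (net, tasklist, ipconfig, netstat) being launched from the same parent process on one host inside a short window. The following is an added example, not code from the article or from Cisco Talos; the pipe-delimited log format, host names and the parent process name `updater_svc.exe` are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows tools the article names as Lotus Panda recon commands.
RECON_TOOLS = {"net.exe", "tasklist.exe", "ipconfig.exe", "netstat.exe"}
WINDOW = timedelta(minutes=5)
MIN_DISTINCT = 3  # distinct recon tools inside WINDOW needed to alert

# Constructed sample process-creation events: time|host|parent|image
SAMPLE_LOG = """\
2025-03-05T06:10:02|WS-01|explorer.exe|outlook.exe
2025-03-05T06:11:15|WS-01|updater_svc.exe|net.exe
2025-03-05T06:11:40|WS-01|updater_svc.exe|tasklist.exe
2025-03-05T06:12:05|WS-01|updater_svc.exe|ipconfig.exe
2025-03-05T06:12:30|WS-01|updater_svc.exe|netstat.exe
2025-03-05T06:20:00|WS-02|cmd.exe|ipconfig.exe
2025-03-05T07:30:00|WS-02|cmd.exe|netstat.exe
"""

def parse_events(text):
    """Parse pipe-delimited lines into (time, host, parent, image) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image = line.split("|")
        events.append((datetime.fromisoformat(ts), host, parent.lower(), image.lower()))
    return events

def find_recon_bursts(events):
    """Return {(host, parent): sorted tool list} for every host/parent pair that
    ran at least MIN_DISTINCT different recon tools within one WINDOW (sliding)."""
    by_key = defaultdict(list)
    for ts, host, parent, image in sorted(events):
        if image in RECON_TOOLS:
            by_key[(host, parent)].append((ts, image))
    alerts = {}
    for key, runs in by_key.items():
        start = 0
        for end in range(len(runs)):
            # Slide the window start forward until it spans at most WINDOW.
            while runs[end][0] - runs[start][0] > WINDOW:
                start += 1
            tools = {img for _, img in runs[start:end + 1]}
            if len(tools) >= MIN_DISTINCT:
                alerts[key] = sorted(tools)
    return alerts

for (host, parent), tools in find_recon_bursts(parse_events(SAMPLE_LOG)).items():
    print(f"ALERT {host}: {parent} ran {', '.join(tools)} within {WINDOW}")
```

Only WS-01 is flagged: the two isolated ipconfig/netstat runs on WS-02 are an hour apart and never reach three distinct tools, which keeps routine administrator activity out of the alert.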
The attack pathway used by Lotus Panda remains unknown, although the threat actor is believed to conduct spear-phishing and watering hole attacks as part of its initial access vector.
The Sagerunex implant is assessed to be an evolution of an older Billbug malware known as Evora, and the group is believed to have conducted similar attacks in the past, employing a range of tactics and techniques to breach its targets.
The deployment of these new variants of Sagerunex highlights the ongoing threat posed by Chinese APT groups like Lotus Panda, which have been active for years and continue to evolve their tactics and techniques. The use of legitimate services as command-and-control tunnels is particularly noteworthy, demonstrating a level of sophistication and adaptability on the part of the attackers.
As such, it is essential that organizations take steps to protect themselves against these types of attacks. This can include implementing robust security measures, conducting regular vulnerability assessments, and staying up-to-date with the latest threat intelligence.
In conclusion, the use of Sagerunex backdoor variants by the Chinese APT group Lotus Panda highlights a growing concern for government and private sector organizations alike. As the threat landscape continues to evolve, it is essential that organizations prioritize their security posture and take proactive steps to mitigate the risk posed by groups like Lotus Panda.
Related Information:
https://www.ethicalhackingnews.com/articles/Chinese-APT-Lotus-Panda-Unleashes-New-Wave-of-Sagerunex-Backdoor-Variants-on-Government-Targets-ehn.shtml
https://thehackernews.com/2025/03/chinese-apt-lotus-panda-targets.html
Published: Wed Mar 5 06:24:24 2025 by llama3.2 3B Q4_K_M