Sagerunex Malware Variants

The notorious threat actor known as the Lotus Panda has been observed launching cyberattacks on government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong and Taiwan. These attacks involve updated versions of the Sagerunex backdoor, a malware strain that the Lotus Panda has been leveraging since at least 2016. The APT (Advanced Persistent Threat) group continues to refine its tactics, employing long-term persistent command shells and developing new variants of its malware arsenal.

A Well-Known Name in Cyber Espionage

The Lotus Panda, also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip, is a suspected Chinese hacking collective that has been active since at least 2009. Cybersecurity researchers first publicly exposed its operations in June 2018, linking the group to a series of cyber espionage campaigns across Asia.

A History of High-Profile Intrusions

In late 2022, security experts detailed Lotus Panda's attack on a digital certificate authority, as well as government and defense agencies across Asia. These operations involved the deployment of sophisticated backdoors such as Hannotog and Sagerunex, underscoring the group's ability to compromise critical institutions.

Unclear Entry Points but Familiar Attack Methods

The precise method used by the Lotus Panda to breach its latest targets remains unknown. However, the group has a history of employing watering hole and spear-phishing attacks to gain initial access. Once inside, the attackers deploy the Sagerunex backdoor, which is believed to be an evolution of an older malware variant known as Evora.

Evasive Tactics: Exploiting Legitimate Services

Recent activity linked to the Lotus Panda has revealed two new 'beta' variants of Sagerunex, identified by debug strings within their source code. These versions cleverly use legitimate services such as Dropbox, X (better known as Twitter), and Zimbra as Command-and-Control (C2) channels, making detection more challenging.

Advanced Backdoor Capabilities

The Sagerunex backdoor is designed to collect detailed information about infected machines, encrypt it, and exfiltrate it to a remote server controlled by the attackers. The Dropbox and X variants were reportedly in use between 2018 and 2022, while the Zimbra version has been operational since 2019.

Zimbra Webmail Variant: A Covert Control Hub

The Zimbra webmail variant of Sagerunex goes beyond simple data collection. It enables attackers to send commands via Zimbra mail content, effectively controlling compromised machines. If a legitimate command is detected in an email, the backdoor extracts and executes it. Otherwise, the malware deletes the email and waits for further instructions. The results of executed commands are packaged as RAR archives and stored in the mailbox's draft and trash folders.

A Full Arsenal: Additional Tools in Play

The Lotus Panda doesn't rely solely on Sagerunex. The group deploys additional tools, including:

  • A cookie stealer to harvest Chrome browser credentials.
  • Venom, an open-source proxy utility.
  • A privilege escalation tool to gain higher system access.
  • Custom software for compressing and encrypting collected data.

Network Reconnaissance and Bypassing Restrictions

The attackers have been observed running reconnaissance commands such as net, tasklist, ipconfig, and netstat to assess the target environment. Additionally, they check for Internet connectivity, adjusting their approach based on network restrictions. If access is limited, they attempt to:

  • Use the victim's proxy settings to establish a connection.
  • Deploy the Venom proxy tool to link isolated machines to internet-accessible systems.
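The reconnaissance sequence described above (net, tasklist, ipconfig, netstat run in quick succession from one parent process) is something a defender can look for in process-creation telemetry. The following is an added detection example, not code from the article or from the threat actor's tooling; it assumes a simplified, constructed Sysmon-style log layout and flags any parent process that spawns several distinct recon tools within a short window.

```python
"""Flag bursts of host-recon commands in process-creation logs.
Added example; the log layout and sample events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Recon binaries named in the article (net.exe spawns net1.exe for many subcommands).
RECON_IMAGES = {"net.exe", "net1.exe", "tasklist.exe", "ipconfig.exe", "netstat.exe"}
WINDOW = timedelta(minutes=5)   # how close together the commands must be
MIN_DISTINCT = 3                # distinct recon tools needed to raise a hit

# Constructed sample events: timestamp|host|parent_pid|image|command_line
SAMPLE_EVENTS = """\
2025-01-10T09:00:01|WS01|4120|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2025-01-10T09:00:05|WS01|4120|C:\\Windows\\System32\\net.exe|net user
2025-01-10T09:00:09|WS01|4120|C:\\Windows\\System32\\tasklist.exe|tasklist /v
2025-01-10T09:00:14|WS01|4120|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
2025-01-10T09:00:20|WS01|4120|C:\\Windows\\System32\\netstat.exe|netstat -ano
2025-01-10T10:30:00|WS02|880|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
2025-01-10T14:00:00|WS02|880|C:\\Windows\\System32\\netstat.exe|netstat -an
"""

def parse_events(text):
    """Yield one dict per log line; image is reduced to its lower-case basename."""
    for line in text.splitlines():
        ts, host, ppid, image, cmdline = line.split("|", 4)
        yield {"ts": datetime.fromisoformat(ts), "host": host, "ppid": int(ppid),
               "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}

def find_recon_bursts(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {(host, parent_pid): sorted tool names} for every parent process
    that launched at least `min_distinct` different recon tools within `window`."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev["image"] in RECON_IMAGES:
            by_parent[(ev["host"], ev["ppid"])].append(ev)
    hits = {}
    for key, evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each recon event; one qualifying window is enough.
        for i, first in enumerate(evs):
            seen = {e["image"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(seen) >= min_distinct:
                hits[key] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for (host, ppid), tools in find_recon_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host} parent pid {ppid}: recon burst {tools}")
```

In the sample, WS01 is flagged (four distinct tools in 15 seconds under one parent) while WS02's two commands, hours apart, are not; tune the window and threshold to the noise level of your own administrators' activity.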

An Ongoing Threat

Lotus Panda's continued evolution and sophisticated tactics indicate that it remains a significant cyber threat. Its ability to adapt, leverage legitimate services for stealth, and execute long-term espionage operations makes it a formidable adversary for organizations in the Asia-Pacific region and beyond.
