December 6, 2022
A Chinese state-sponsored cyberespionage group tracked as Billbug has been observed targeting a certificate authority in Asia, along with other entities, Symantec reports.

Also tracked as Lotus Blossom and Thrip, Billbug is an advanced persistent threat (APT) actor mainly targeting entities in Southeast Asia and the United States. It’s believed to have been active since at least 2009.

Starting March 2022, the group has been targeting multiple entities in Asia, including a certificate authority, a government organization, and defense agencies.

“The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic,” Symantec notes.

According to the security company, however, there is no evidence to suggest that the threat actor has managed to successfully compromise digital certificates.

As part of the observed attacks, the APT used multiple public tools and custom malware, including AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Stowaway Proxy Tool, Tracert, Winmail, and WinRAR, as well as the Hannotog and Sagerunex backdoors identified in 2019.

The Hannotog backdoor, Symantec explains, can update firewall settings, create a service for persistence, stop running services, upload encrypted data, harvest system information, and download files to the machine.

The Sagerunex backdoor, which uses multiple methods of communication with the command and control (C&C) server, supports commands to list running proxies, execute programs, steal files or drop files, and get configured file paths.

“While we do not see data being exfiltrated in this campaign, Billbug is widely regarded as being an espionage actor, indicating that data theft is the most likely motivation in this campaign. The victims in this campaign – government agencies and a certificate authority – also point to an espionage and data-theft motive,” Symantec notes.

The cybersecurity firm also points out that the threat actor likely targeted government victims for espionage purposes, and likely hit the certificate authority to steal legitimate digital certificates.

“This is potentially very dangerous, as if Billbug is able to sign its malware with a valid digital certificate it may be able to bypass security detections on victim machines. The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns,” Symantec concludes.

Ionut Arghire is an international correspondent for SecurityWeek.