Chinese Group Billbug Hackers Target a Certificate Authority in Asia

Since March 2022, the Chinese cyber-espionage group Billbug (aka Thrip, Lotus Blossom, Spring Dragon) has targeted a certificate authority, government agencies, and defence organizations in several Asian countries at once, according to Symantec.

The Billbug group is believed to have been active since 2009; it mainly attacks organizations in Southeast Asia and the United States and specializes in espionage and data theft.

Let me remind you that we also wrote that Chinese Hack Group Aoqin Dragon Has Been Quietly Attacking Companies Since 2013, and also that Three Chinese APT Groups Attack Major Asian Telecommunications Companies.

Symantec says that Billbug, which it has been monitoring since 2018, is now targeting an unnamed CA (speculated to be in Taiwan; Chinese cyberspies are especially fond of the island). Compromising a CA would allow the hackers to deploy signed malware, which is harder to detect, and to decrypt HTTPS traffic.

At the same time, the company has no evidence that the attackers actually managed to compromise digital certificates. Based on its observations, it has already notified the relevant authorities of the events.

Analysts write that they were unable to determine how Billbug gains initial access to target networks, but they assume it happens through the exploitation of known vulnerabilities in various Internet-facing applications.

As in previous campaigns, the hackers use tools already present on the target system and publicly available utilities, as well as custom malware:

  1. AdFind;
  2. Winmail;
  3. WinRAR;
  4. Ping;
  5. Tracert;
  6. route;
  7. NBTscan;
  8. Certutil;
  9. Port Scanner.

These tools help the attackers blend in with innocuous day-to-day activity, avoid leaving traces in logs, and escape the attention of defensive mechanisms and security products.

The researchers attributed the new attacks to Billbug because the attackers used two custom backdoors already known from the group's past campaigns, Hannotog and Sagerunex.

Hannotog’s features include: changing firewall settings to allow any traffic, creating a persistent presence on the system, downloading encrypted data, executing CMD commands, and downloading files to the victim’s device.

[Figure: Hannotog changes firewall settings]

Sagerunex, in turn, is loaded by Hannotog and injected into the explorer.exe process. It then writes its logs to a temporary local file encrypted with 256-bit AES. The backdoor's configuration and state are stored locally, encrypted with RC4, and the keys for both are hardcoded in the malware itself.
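The tool list above and Hannotog's firewall change suggest a detection approach: none of these living-off-the-land utilities is suspicious alone, but a cluster of them under one user on one host, or a firewall opened to all traffic, is worth an alert. The following is an added example, not code from the article or from Symantec; it runs over constructed Sysmon-style process-creation events, and it assumes the firewall change surfaces as a `netsh advfirewall` command line, which the article does not state.

```python
"""Flag (host, user) pairs that run several Billbug-associated LOLBins
or open the Windows firewall to all traffic. Input is a constructed list
of process-creation events (Sysmon Event ID 1 style fields)."""
import re
from collections import defaultdict

# Executable names of the utilities the article attributes to Billbug.
BILLBUG_TOOLS = {
    "adfind.exe", "winmail.exe", "winrar.exe", "ping.exe", "tracert.exe",
    "route.exe", "nbtscan.exe", "certutil.exe",
}
# Assumed signature of a "permit everything" firewall change via netsh;
# the article only says Hannotog allows any traffic, not how.
FIREWALL_ALLOW_ALL = re.compile(
    r"netsh\s+advfirewall\s+set\s+\w+\s+(state\s+off|firewallpolicy\s+allowinbound)",
    re.IGNORECASE)

# Constructed sample events; each line is unremarkable on its own.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\ping.exe"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\tracert.exe"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Tools\AdFind.exe"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Tools\nbtscan.exe"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"host": "ws02", "user": "CORP\\admin", "image": r"C:\Windows\System32\ping.exe"},
    {"host": "ws02", "user": "CORP\\admin", "image": r"C:\Windows\System32\certutil.exe"},
]

def analyse(events, min_tools=3):
    """Return {(host, user): [reason, ...]} for principals that ran at least
    min_tools distinct listed utilities or changed the firewall policy."""
    tools_seen = defaultdict(set)
    firewall_hits = defaultdict(list)
    for ev in events:
        key = (ev["host"], ev["user"])
        # Split on both separators so Windows paths work on any platform.
        name = re.split(r"[\\/]", ev["image"])[-1].lower()
        if name in BILLBUG_TOOLS:
            tools_seen[key].add(name)
        if FIREWALL_ALLOW_ALL.search(ev.get("cmd", "")):
            firewall_hits[key].append(ev["cmd"])
    findings = {}
    for key in set(tools_seen) | set(firewall_hits):
        reasons = []
        if len(tools_seen[key]) >= min_tools:
            reasons.append("lolbin cluster: " + ", ".join(sorted(tools_seen[key])))
        for cmd in firewall_hits[key]:
            reasons.append("firewall opened: " + cmd)
        if reasons:
            findings[key] = reasons
    return findings
```

Tune `min_tools` and add a time window before deploying this against real telemetry; administrators legitimately run ping, tracert and certutil, so the threshold is what keeps the rule quiet.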

“The ability of this group to target multiple victims at once indicates that Billbug remains an experienced and well-resourced operator capable of sustained and large-scale campaigns. Billbug does not seem to be bothered by the possibility that this activity will eventually be associated with them, as they continue to reuse tools that have previously been associated with their attacks,” the experts conclude.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
