Researchers uncovered that State-Sponsors APT hackers called “Billbug” attacked and compromise the digital certificate authority in multiple Asian countries along with other government and defense agencies.

An ongoing campaign attributed to the infamous APT group Billbug, also known as Lotus Blossom and Thrip. This APT group has been active since 2009, and it has previous attack records found in the 2018 and 2019 periods when they employed backdoors called Hannotog and Sagerunex.


The same backdoor activities have been found in the recent campaign that targets the government and CA networks. Researchers believe that the attackers compromised a large number of victims through this campaign.

A successful compromise of Certificate Authority is potentially dangerous because that allows attackers to issue a valid digital certificate to sign malware and evade detection and also lets attackers intercept the HTTPS traffic.

Malware Attack Infection Chain

During the investigation of the campaign, researchers found that the attackers employed the extensive use of both dual-use and living-off-the-land tools.

Also, some of the indications say that APT hackers initially attacked and exploited the publicly facing systems and further moved to the victim’s networks.

There are several publicly available tools of the following have been used in this attack:

  • AdFind – A publicly available tool that is used to query Active Directory.
  • Winmail – Can open winmail.dat files.
  • WinRAR – An archive manager that can be used to archive or zip files – for example, prior to exfiltration.
  • Ping – A tool that is freely available online that can allow users to determine if a specific location on a network is responding.
  • Tracert – A network tool that can be used to determine the “path” packets take from one IP address to another.
  • Route – A path for sending packets through the internet network to an address on another network.
  • NBTscan – Open-source command-line NetBIOS scanner.
  • Certutil – Microsoft Windows utility that can be used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates.
  • Port Scanner – This allows an attacker to determine what ports are open on a network and could potentially be used to send and receive data.

Also, another notable activity by this APT group is that they are using a Penetration Testing tool called Stowaway used among the penetration testers community, and the tool has been written in the Go language. but this is not an unusual thing, as threat actors often use penetration testing tools for the attacks..

Upon the technical analysis, Sagerunex backdoor that believed to be dropped by the loader malware, and it has featured the ability to communicate with the help of its C&C server.

Researchers from Symantec analyzed the sample and found logs that encrypted and the encryption algorithm used is AES256-CBC with 8192 rounds of SHA256 and is used for network communication.

“The main motivation of this campaign believe to steal data from the target such as CA and government victims, and the targeting of the government victims is most likely driven by espionage motivations, with the certificate authority likely targeted in order to steal legitimate digital certificates” Symantec briefs in a blog post shared with Cyber Security news.

The fact that the attackers behind this campaign have the ability to compromise multiple targets at once, There are several highly skilled actors involved.

Indicators of Compromise

  • 072022b54085690001ff9ec546051b2f60564ffbf5b917ac1f5a0e3abe7254a5
  • 0cc6285d4bfcb5de4ebe58a7eab9b8d25dfcfeb12676b0c084e8705e69f6f281
  • 148145b9a2e3f3abdc6c2d3de340eabc82457be67fb44cfa400a5e7bd2f88760
  • 2a4302e61015fdf5f65fbd456249bafe96455cd5cc8aefe075782365b9ae3076
  • 3585a5cbbf1b8b3206d7280355194d5442ed997f61e061fd6938a93163c79507
  • 37fe8efe828893042e4f1db7386d20fec55518a3587643f54d4c3ec82c35df6d
  • 3c35514b27c57a46a5593dbbbfceddbc49979b20fddc14b68bf4f0ee965a7c59
  • 3dd7b684024941d5ab26df6730d23087037535783e342ee98a3934cccddb8c3e
  • 64c546439b6b2d930f5aced409844535cf13f5c6d24e0870ba9bc0cf354d8c11
  • 79f9f25b15e88c47ce035f15dd88f18ecc11e1319ff6f88568fdd0d327ad7cc1
  • 7fe67567a5de33166168357d663b85bd452d64a4340bdad29fe71588ad95bf6f
  • 80a8a9a2e91ead0ae5884e823dca73ef9fce59ff96111c632902d6c04401a4fe
  • 861d1307913d1c2dbf9c6db246f896c0238837c47e1e1132a44ece5498206ec2
  • 8f7c74a9e1d04ff116e785f3234f80119d68ae0334fb6a5498f6d40eee189cf7
  • a462085549f9a1fdeff81ea8190a1f89351a83cf8f6d01ecb5f238541785d4b3
  • adb61560363fcda109ea077a6aaf66da530fcbbb5dbde9c5923a59385021a498
  • bcc99bc9c02e1e2068188e63bc1d7ebe308d0d12ce53632baa31ce992f06c34a
  • b631abbfbbc38dac7c59f2b0dd55623b5caa1eaead2fa62dc7e4f01b30184308
  • c4a7a9ff4380f6b4730e3126fdaf450c624c0b7f5e9158063a92529fa133eaf2
  • e4a460db653c8df4223ec466a0237943be5de0da92b04a3bf76053fa1401b19e
  • f7ea532becda13a1dcef37b4a7ca140c56796d1868867e82500e672a68d029e4
  • f969578a0e7fe90041d2275d59532f46dee63c6c193f723a13f4ded9d1525c6b
  • fea2f48f4471af9014f92026f3c1b203825bb95590e2a0985a3b57d6b598c3ff

Also Check: Penetration Testing As a Service – Download Red Team & Blue Team Workspace

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.