FortiGuard Labs is aware of a report that APT group “Billbug” compromised a certificate authority (CA) as well as multiple government and defense organizations in Asia. Also known as Lotus Blossom and Thrip, the APT group reportedly has been active since 2009 and uses custom backdoor malware “Hannotog” and “Sagerunex” as well as available tools in compromised machines.Why is this Significant?This is significant because Billbug APT threat actor group targeted a certificate authority (CA). Should digital certificates be compromised, the attacker could use them to sign malware for detection evasion by security solutions and eavesdrop on HTTPS communications.Also, the reports indicate that multiple organizations in government and defense sectors in Asia were compromised by Billbug APT. What is Billbug APT?Billbug, Lotus Blossom and Thrip, is a threat actor that has been reportedly active since at last 2009 and has interests in U.S. organizations as well as government, defense, and communications organizations in Southeast Asia. Their primary motive is thought to be information espionage.Billbug APT employs living-off-the-land techniques and uses custom malware. The tools that were reportedly used by Billbug APT are the following:Hannotog backdoorSagerunex backdoorAdFindCertutilLogMeInMimikatzNBTscanPingPort ScannerPowerShellPsExecRouteTracertWinmailWinRARWinSCPWhat is the Status of Coverage?FortiGuard Labs detects the files in the report with the following AV signatures:W32/Agent.QTP!trW32/Elsentric.J!trW32/Generic.A!trW32/PossibleThreatW64/Agentb.F!trW64/Agent.LF!trW64/Elsentric.E!trW64/Elsentric.G!trMalicious_Behavior.SBPossibleThreat.PALLAS.HRiskware/Kryptik
More Stories
USN-6771-1: SQL parse vulnerability
It was discovered that SQL parse incorrectly handled certain nested lists. An attacker could possibly use this issue to cause...
ZDI-24-441: Delta Electronics CNCSoft-B DOPSoft Uncontrolled Search Path Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics CNCSoft-B. User interaction is required...
ZDI-24-440: Delta Electronics InfraSuite Device Master ActiveMQ Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Authentication is...