State-sponsored actors in the Billbug group (aka Lotus Blossom and Thrip) have tried to compromise a digital certificate authority in an Asian country during a campaign targeting multiple government agencies.
Security researchers from Symantec have made the discovery and shared the findings in an advisory published earlier today.
“In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog and another backdoor known as Sagerunex. Both these tools were also seen in this more recent activity,” reads the technical write-up.
The company added that all the victims in this recent Billbug campaign were based in various countries in Asia.
“Billbug is known to focus on targets in Asian countries. In at least one of the government victims, a large number of machines on the network were compromised by the attackers,” Symantec explained.
According to the security firm, the targeting of a certificate authority is notable. If the attackers could compromise it and access certificates, they could use them to sign malware with a valid certificate and help it avoid detection on victim machines. It could also use compromised certificates to intercept HTTPS traffic.
“However, although this is a possible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in compromising digital certificates,” wrote the company.
In terms of how the attacks were executed, Billbug was observed exploiting public-facing applications to gain initial access to victim networks and, in particular, dual-use tools. These included AdFind, WinRAR and Port Scanner, among others.
“Multiple files that are believed to be loaders for the Hannotog backdoor were spotted on victim machines,” Symantec wrote. “A backdoor was then deployed on the compromised system. This backdoor has multiple functionalities.”
Among its various capabilities, the backdoor could create a service for persistence, stop other services and upload encrypted data.
Symantec confirmed it had notified the certificate authority to inform them of this activity. The advisory comes two months after Interpol claimed to have dismantled an international cybercrime ring that made an estimated $47,000 from extorting dozens of victims in Asia.