Ethical Hacking News
Lotus Panda, a China-linked cyber espionage group, has been linked to a series of attacks on government ministries, air traffic control organizations, telecoms operators, and construction companies in an unnamed Southeast Asian country. The attackers used custom-made tools, including loaders, credential stealers, and reverse SSH, to breach these targets.
The Lotus Panda group, linked to China, has been involved in various malicious activities including hacking and malware distribution. The group compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. The attacks used custom tools such as loaders, credential stealers, and a reverse SSH tool. The attackers leveraged legitimate executables to sideload malicious DLL files. The attack cluster is linked to an updated version of Sagerunex, a tool that harvests target host information and exfiltrates it to an external server. Two credential stealers were deployed in the attacks to siphon passwords and cookies from Google Chrome. The attackers used a reverse SSH tool and modified timestamps for files to evade detection. The Lotus Panda group has been linked to various cyber espionage campaigns since at least 2009.
The cyber espionage landscape has witnessed numerous attacks in recent years, but a recent campaign attributed to the Lotus Panda group has garnered significant attention. This group, believed to be linked to China, has been involved in various malicious activities, including hacking and malware distribution.
In a new report shared with The Hacker News, Symantec Threat Hunter Team revealed that the Lotus Panda group had compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. These targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company.
According to the report, the attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool. The attackers also leveraged legitimate executables from Trend Micro ("tmdbglog.exe") and Bitdefender ("bds.exe") to sideload malicious DLL files, which act as loaders to decrypt and launch a next-stage payload embedded within a locally stored file.
The attack cluster is also linked to an updated version of Sagerunex, a tool exclusively used by Lotus Panda. This tool comes with capabilities to harvest target host information, encrypt it, and exfiltrate the details to an external server under the attacker's control. Additionally, two credential stealers, ChromeKatz and CredentialKatz, were deployed in the attacks; both are equipped to siphon passwords and cookies stored in the Google Chrome web browser.
The attackers also used a reverse SSH tool, and another legitimate tool called "datechanger.exe" that is capable of changing timestamps for files. The use of this tool aims to muddy the waters for incident analysts.
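The two evasion techniques above (a vendor-signed executable used to sideload an unsigned DLL, and file timestamps rewritten after the fact) both leave traces in endpoint telemetry. The following triage script is an added example for this article, not tooling from Symantec's report: it runs two detection rules over a constructed, JSON-lines log whose field names, directory paths, DLL names and expected signer strings are assumptions for illustration, loosely modelled on image-load and file-creation-time-change events.

```python
import json
from pathlib import PureWindowsPath

# Vendor binaries the report names as sideloading hosts; the signer strings
# expected for their DLLs are an assumption for this example.
WATCHED_EXES = {"tmdbglog.exe": "trend micro", "bds.exe": "bitdefender"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry (not real events from the campaign).
SAMPLE_LOG = [
    '{"event":"image_load","process":"C:\\\\Program Files\\\\Trend Micro\\\\tmdbglog.exe","image":"C:\\\\Program Files\\\\Trend Micro\\\\vendor.dll","signed":true,"signer":"Trend Micro Inc."}',
    '{"event":"image_load","process":"C:\\\\Users\\\\Public\\\\Libraries\\\\tmdbglog.exe","image":"C:\\\\Users\\\\Public\\\\Libraries\\\\loader.dll","signed":false,"signer":""}',
    '{"event":"image_load","process":"C:\\\\Users\\\\Public\\\\bds.exe","image":"C:\\\\Users\\\\Public\\\\log.dll","signed":true,"signer":"Constructed Corp"}',
    '{"event":"file_time_changed","process":"C:\\\\Users\\\\Public\\\\datechanger.exe","target":"C:\\\\Users\\\\Public\\\\Libraries\\\\loader.dll","old_creation_time":"2025-01-15T08:02:11Z","new_creation_time":"2019-06-01T00:00:00Z"}',
    '{"event":"file_time_changed","process":"C:\\\\Windows\\\\explorer.exe","target":"C:\\\\Users\\\\Public\\\\notes.txt","old_creation_time":"2025-01-10T09:00:00Z","new_creation_time":"2025-01-15T09:00:00Z"}',
    '{"event":"process_create","process":"C:\\\\Windows\\\\System32\\\\cmd.exe"}',
]

def flag_image_load(ev):
    """Return a reason string if a DLL load by a watched vendor binary looks like sideloading, else None."""
    exe, dll = PureWindowsPath(ev["process"]), PureWindowsPath(ev["image"])
    expected = WATCHED_EXES.get(exe.name.lower())
    if expected is None or dll.suffix.lower() != ".dll":
        return None
    reasons = []
    if not str(exe).lower().startswith(TRUSTED_DIRS):      # host binary copied out of its install dir
        reasons.append(f"{exe.name} running from {exe.parent}")
    if not ev.get("signed") or expected not in ev.get("signer", "").lower():
        reasons.append(f"{dll.name} not signed by {expected}")
    if reasons and dll.parent == exe.parent:                # search-order hijack: DLL beside the host
        reasons.append("DLL co-located with host executable")
    return "; ".join(reasons) or None

def flag_timestomp(ev):
    """Return a reason string if a file's creation time was moved backwards (ISO-8601 strings compare lexically)."""
    if ev["new_creation_time"] < ev["old_creation_time"]:
        return f"{ev['target']} creation time set back to {ev['new_creation_time']} by {PureWindowsPath(ev['process']).name}"
    return None

def triage(lines):
    """Apply both rules to JSON-lines telemetry; returns (event_type, reason) for each hit."""
    rules = {"image_load": flag_image_load, "file_time_changed": flag_timestomp}
    hits = []
    for line in lines:
        ev = json.loads(line)
        reason = rules.get(ev["event"], lambda _: None)(ev)
        if reason:
            hits.append((ev["event"], reason))
    return hits

if __name__ == "__main__":
    for kind, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}")
```

The benign first event (vendor DLL loaded from the install directory, correctly signed) produces no hit, while the relocated host binaries and the backdated loader each do; in practice the creation-time rule should be paired with NTFS $STANDARD_INFORMATION versus $FILE_NAME comparison, since the latter timestamps are not rewritten by ordinary time-setting APIs.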
Lotus Panda has been linked to various cyber espionage campaigns in Southeast Asia, with its origins dating back to at least 2009. In June 2015, Palo Alto Networks attributed the threat actor to a persistent spear-phishing campaign that exploited a Microsoft Office flaw (CVE-2012-0158) to distribute a backdoor dubbed Elise (aka Trensil). Subsequent attacks have weaponized a Microsoft Windows OLE flaw (CVE-2014-6332) via a booby-trapped attachment sent in a spear-phishing email.
The latest wave of attacks highlights the continued threat posed by Lotus Panda and its sophisticated tactics. The group's ability to evade detection and deploy custom-made tools makes it a significant concern for organizations in Southeast Asia. It is essential for these entities to remain vigilant and implement robust security measures to prevent similar breaches.
In conclusion, the Lotus Panda group's recent campaign demonstrates its ongoing involvement in cyber espionage activities. Its use of sophisticated tools and tactics highlights the importance of staying informed about emerging threats and maintaining robust security protocols to mitigate such risks.
Related Information:
https://www.ethicalhackingnews.com/articles/Lotus-Panda-A-China-Linked-Cyber-Espionage-Group-Exploits-Southeast-Asian-Governments-and-Organizations-ehn.shtml
Published: Mon Apr 21 23:53:01 2025 by llama3.2 3B Q4_K_M