Cyber Attack Update

Mar 05, 2025 · Ravie Lakshmanan · Cyber Espionage / Network Security

## Introduction to the Threat

The **Lotus Panda** threat actor has been found targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan, with updated versions of the **Sagerunex** backdoor.

## Analysis by Cisco Talos
According to Cisco Talos researcher Joey Chen, in an analysis published last week, “Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite.”

## Background of Lotus Panda
Lotus Panda, also known as **Billbug**, **Bronze Elgin**, **Lotus Blossom**, **Spring Dragon**, and **Thrip**, is a suspected Chinese hacking crew that’s been active since at least 2009. The threat actor was first exposed by Symantec in June 2018.

## Attack Vector

In late 2022, Broadcom-owned Symantec detailed the threat actor’s attack on a digital certificate authority as well as government and defense agencies located in different countries in Asia that involved the use of backdoors like **Hannotog** and **Sagerunex**.

## Latest Attack Intrusions
The exact initial access vector used to breach the entities in the latest set of intrusions is not known, although the threat actor has a history of conducting **spear-phishing** and **watering hole attacks**. The unspecified attack pathway serves as a conduit for the Sagerunex implant, which is assessed to be an evolution of an older **Billbug** malware known as **Evora**.

## New Variants of Sagerunex
The activity is noteworthy for the use of two new “beta” variants of the malware, which leverage legitimate services like **Dropbox**, **X**, and **Zimbra** as command-and-control (C2) tunnels to evade detection. The variants are labelled “beta” because of debug strings present in their source code.

## Sagerunex Backdoor

The backdoor is designed to gather target host information, encrypt it, and exfiltrate the details to a remote server under the attacker’s control. The Dropbox and X versions of Sagerunex are believed to have been put to use between 2018 and 2022, while the Zimbra version is said to have been around since 2019.

## Command and Control
“The Zimbra webmail version of Sagerunex is not only designed to collect victim information and send it to the Zimbra mailbox but also to allow the actor to use Zimbra mail content to give orders and control the victim machine,” Chen said.

## Attack Strategy
“If there is a legitimate command order content in the mailbox, the backdoor will download the content and extract the command; otherwise, the backdoor will delete the content and wait for a legitimate command.”

## Data Exfiltration
The results of the command execution are subsequently packaged in the form of a RAR archive and attached to a draft email in the mailbox’s draft and trash folders.
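The mailbox-based tasking and exfiltration flow described in the two sections above (commands pulled from mail content, results returned as RAR attachments on drafts in the Drafts and Trash folders) leaves a recognisable trace in mailbox activity records: short-lived draft messages carrying RAR attachments, created and deleted in quick succession from the same account. The following detection sketch is an added example written for this page; it is not code from the original article or from Cisco Talos. The log line format, the account names, the `draft_create`/`draft_delete` action names and the thresholds are all constructed for illustration and do not mirror any real Zimbra audit log, so the parser must be adapted to whatever your mail platform actually records.

```python
"""Flag mailbox accounts showing repeated short-lived RAR drafts in Drafts/Trash.

This is an illustrative detection, not a vendor rule. The log format below is
constructed for the example (hypothetical fields, not real Zimbra audit output).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mailbox events: one benign user, one account behaving like
# the described backdoor (RAR draft created, then deleted seconds later), and one
# user with a single RAR draft that is never deleted (should not be flagged).
SAMPLE_LOG = """\
2025-02-20T08:00:02Z user=alice@corp.example action=draft_create folder=Drafts attachment=budget.xlsx
2025-02-20T08:05:10Z user=alice@corp.example action=draft_delete folder=Drafts attachment=budget.xlsx
2025-02-20T09:00:00Z user=svc-report@corp.example action=draft_create folder=Drafts attachment=out1.rar
2025-02-20T09:00:04Z user=svc-report@corp.example action=draft_delete folder=Drafts attachment=out1.rar
2025-02-20T09:10:00Z user=svc-report@corp.example action=draft_create folder=Trash attachment=out2.rar
2025-02-20T09:10:03Z user=svc-report@corp.example action=draft_delete folder=Trash attachment=out2.rar
2025-02-20T09:20:00Z user=svc-report@corp.example action=draft_create folder=Drafts attachment=out3.rar
2025-02-20T09:20:05Z user=svc-report@corp.example action=draft_delete folder=Drafts attachment=out3.rar
2025-02-20T10:00:00Z user=bob@corp.example action=draft_create folder=Drafts attachment=photos.rar
"""

# Hypothetical key=value layout; the attachment field is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"folder=(?P<folder>\S+)(?: attachment=(?P<attachment>\S+))?$"
)

WATCHED_FOLDERS = ("Drafts", "Trash")


def parse_events(text):
    """Parse the constructed log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_suspicious_accounts(text, min_hits=3, max_lifetime=timedelta(minutes=2)):
    """Return {account: hit_count} for accounts with at least `min_hits` RAR drafts
    in Drafts/Trash that were deleted within `max_lifetime` of being created.

    Thresholds are illustrative starting points, not tuned values.
    """
    pending = {}            # (user, folder, attachment) -> creation timestamp
    hits = defaultdict(int)
    for e in sorted(parse_events(text), key=lambda ev: ev["ts"]):
        att = e["attachment"] or ""
        if not att.lower().endswith(".rar") or e["folder"] not in WATCHED_FOLDERS:
            continue
        key = (e["user"], e["folder"], att)
        if e["action"] == "draft_create":
            pending[key] = e["ts"]
        elif e["action"] == "draft_delete" and key in pending:
            created = pending.pop(key)
            if e["ts"] - created <= max_lifetime:
                hits[e["user"]] += 1
    return {user: n for user, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for user, n in find_suspicious_accounts(SAMPLE_LOG).items():
        print(f"{user}: {n} short-lived RAR drafts in Drafts/Trash")
```

The rule keys on the combination the article describes rather than on any single attribute: a `.rar` attachment alone (bob) or draft churn alone (alice) does not fire, only repeated create-then-delete of RAR drafts in the two folders named. In a real deployment the same logic would sit on top of the mail platform's own audit stream and the thresholds would be tuned against baseline draft activity.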

## Additional Tools