Chinese Cyberespionage Group ‘Billbug’ Targets Certificate Authority

A Chinese state-sponsored cyberespionage group tracked as Billbug has been observed targeting a certificate authority in Asia, along with other entities, Symantec reports.

Also tracked as Lotus Blossom and Thrip, Billbug is an advanced persistent threat (APT) actor mainly targeting entities in Southeast Asia and the United States. It’s believed to have been active since at least 2009.

Starting March 2022, the group has been targeting multiple entities in Asia, including a certificate authority, a government organization, and defense agencies.

“The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic,” Symantec notes.

According to the security company, however, there is no evidence to suggest that the threat actor has managed to successfully compromise digital certificates.

As part of the observed attacks, the APT used multiple public tools and custom malware, including AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Stowaway Proxy Tool, Tracert, Winmail, and WinRAR, as well as the Hannotog and Sagerunex backdoors identified in 2019.

The Hannotog backdoor, Symantec explains, can update firewall settings, create a service for persistence, stop running services, upload encrypted data, harvest system information, and download files to the machine.

The Sagerunex backdoor, which uses multiple methods of communication with the command and control (C&C) server, supports commands to list running proxies, execute programs, steal files or drop files, and get configured file paths.
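As an added illustration (not code from the article or from Symantec's report), the script below shows one way a defender could triage process-creation logs for the activity described above: it tallies, per host, the public tools named on this page and the Hannotog behaviours (firewall changes, service creation, service stops) and flags hosts where several cluster together, since each item alone is routine admin activity. The log line format, the command-line forms of the behaviours, the sample events and the threshold are all assumptions.

```python
import re
from collections import defaultdict

# Public tooling named in Symantec's Billbug report, as relayed on this page. These are
# legitimate admin binaries, so a single hit is weak evidence; the signal is several
# of them clustering on one host.
BILLBUG_TOOLING = {"adfind", "certutil", "nbtscan", "ping", "route", "tracert", "winrar", "stowaway"}
# Behaviours the page attributes to the Hannotog backdoor. The command-line forms
# below are an assumption about how they would surface in process-creation logs.
HANNOTOG_BEHAVIOURS = {
    "firewall_change": re.compile(r"netsh\s+advfirewall\s+firewall\s+(add|set|delete)\b", re.I),
    "service_create": re.compile(r"\b(sc(?:\.exe)?\s+create|New-Service)\b", re.I),
    "service_stop": re.compile(r"\b(sc(?:\.exe)?\s+stop|net\s+stop|Stop-Service)\b", re.I),
}
# Assumed (constructed) log line format: "<timestamp> host=<name> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cmd=(?P<cmd>.+)$")


def classify(cmd):
    """Return the set of indicator labels one command line matches."""
    hits = set()
    exe = (cmd.split() or [""])[0].lower().rsplit("\\", 1)[-1]  # basename of the executable
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe in BILLBUG_TOOLING:
        hits.add("tool:" + exe)
    for label, pattern in HANNOTOG_BEHAVIOURS.items():
        if pattern.search(cmd):
            hits.add("behaviour:" + label)
    return hits


def score_hosts(lines, threshold=3):
    """Collect distinct indicators per host; return hosts at or above the threshold."""
    per_host = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # silently skip lines that are not in the expected format
            per_host[m["host"]] |= classify(m["cmd"])
    return {h: sorted(ind) for h, ind in per_host.items() if len(ind) >= threshold}


# Constructed sample events (not real telemetry): one host shows a cluster, one does not.
SAMPLE_LOGS = [
    "2022-03-14T09:01:11Z host=WS-017 cmd=C:\\Windows\\System32\\PING.EXE 10.0.0.5",
    "2022-03-14T09:02:40Z host=WS-017 cmd=adfind.exe -f objectcategory=computer",
    "2022-03-14T09:05:19Z host=WS-017 cmd=netsh advfirewall firewall add rule name=upd dir=in action=allow",
    "2022-03-14T09:06:00Z host=WS-017 cmd=sc.exe create updsvc binPath= C:\\ProgramData\\u.exe",
    "2022-03-14T10:15:33Z host=WS-042 cmd=ping.exe -n 1 fileserver",
]
```

With the sample events, `score_hosts(SAMPLE_LOGS)` reports only WS-017 (two tools plus two Hannotog behaviours); WS-042's lone ping stays below the threshold.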

“While we do not see data being exfiltrated in this campaign, Billbug is widely regarded as being an espionage actor, indicating that data theft is the most likely motivation in this campaign. The victims in this campaign – government agencies and a certificate authority – also point to an espionage and data-theft motive,” Symantec notes.

The cybersecurity firm also points out that the threat actor likely targeted government victims for espionage purposes, and likely hit the certificate authority to steal legitimate digital certificates.

“This is potentially very dangerous, as if Billbug is able to sign its malware with a valid digital certificate it may be able to bypass security detections on victim machines. The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns,” Symantec concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.