CyberSecurity news
@socprime.com
The Billbug espionage group, also known as Lotus Blossom, Lotus Panda, and Bronze Elgin, is actively targeting government and critical sectors in Southeast Asia through a coordinated cyber intrusion campaign. Security researchers at Symantec have uncovered that this China-linked group compromised multiple organizations within a single Southeast Asian country between August 2024 and February 2025. The campaign marks a continuation of previously documented attacks in the region, showcasing the persistent threat posed by state-sponsored actors.
The attackers are employing sophisticated techniques, including DLL sideloading, to infiltrate systems. They are abusing legitimate executables from reputable vendors such as Trend Micro and Bitdefender to load their malicious loaders. Specifically, a Trend Micro binary named tmdbglog.exe is being used to sideload a malicious DLL named tmdglog.dll, which decrypts and executes further malicious code. Similarly, a Bitdefender binary, bds.exe, is abused to sideload a harmful file called log.dll. This DLL decrypts another file, winnt.config, and injects its payload into a Windows system process, systray.exe.
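As an added example (not code from the report, Symantec or either vendor), the following Python check matches image-load records against the two sideloading pairs named above and flags loads where the DLL sits next to the host binary outside a vendor install path or is unsigned; the event fields, the vendor paths and the sample events are constructed assumptions, not real telemetry.

```python
"""Detection helper for the Billbug DLL-sideloading pairs named in the report.

Image-load records (Sysmon Event ID 7 style; field names are an assumption,
not a vendor schema) are matched against legitimate-binary / malicious-DLL
pairs. A load is flagged when the DLL is loaded from the binary's own
directory and that directory is not under Program Files or the DLL is unsigned.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Legitimate host binary -> sideloaded DLL name, as reported.
SIDELOAD_PAIRS = {
    "tmdbglog.exe": "tmdglog.dll",   # Trend Micro binary
    "bds.exe": "log.dll",            # Bitdefender binary
}

@dataclass
class ImageLoad:
    image: str    # full path of the process executable
    loaded: str   # full path of the DLL being loaded
    signed: bool  # signature status of the loaded DLL

def is_suspicious_sideload(ev: ImageLoad) -> bool:
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.loaded)
    expected = SIDELOAD_PAIRS.get(exe.name.lower())
    if expected is None or dll.name.lower() != expected:
        return False
    # Trusted loads come from the vendor's install directory and are signed;
    # sideloading drops the DLL beside a copied binary somewhere else.
    same_dir = dll.parent == exe.parent
    in_program_files = str(exe.parent).lower().startswith("c:\\program files")
    return same_dir and (not in_program_files or not ev.signed)

def scan(events):
    """Return the events that look like the reported sideloading chains."""
    return [e for e in events if is_suspicious_sideload(e)]

# Constructed sample events; the paths are assumptions for illustration.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Trend Micro\tmdbglog.exe",
              r"C:\Program Files\Trend Micro\tmdglog.dll", signed=True),
    ImageLoad(r"C:\Users\Public\Libraries\tmdbglog.exe",
              r"C:\Users\Public\Libraries\tmdglog.dll", signed=False),
    ImageLoad(r"C:\ProgramData\bds.exe", r"C:\ProgramData\log.dll", signed=False),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\log.dll", signed=True),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious sideload:", hit.image, "->", hit.loaded)
```

The Program Files heuristic is only a weak filter; pair it with the DLL signature check and with the presence of a winnt.config file beside bds.exe when triaging hits.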
The targets of this campaign include a government ministry, an air traffic control organization, a telecommunications provider, and a construction company. Additionally, the group has targeted a news agency in another Southeast Asian country and an air freight organization in a neighboring country. The attackers are using new custom tools, including loaders, credential stealers, and a reverse SSH tool. Indicators of compromise (IOCs) related to Billbug activity have been identified, linking this campaign to the group's known tactics and infrastructure. These findings underscore the need for robust security measures and threat intelligence sharing to defend against such advanced cyber espionage efforts.
References:
- industrialcyber.co: Billbug espionage group targets government, critical sectors in coordinated Southeast Asia cyber intrusion campaign
- socprime.com: ESET’s Q2-Q3 2024 APT Activity Report highlights China-affiliated groups leading global APT operations, with campaigns aimed at intelligence gathering being among the most common and persistent threats.
Classification:
- HashTags: #Espionage #Billbug #DLLSideLoading
- Company: Trend Micro, Bitdefender, Symantec
- Target: Southeast Asian Governments
- Attacker: Billbug
- Feature: DLL Side Loading
- Type: Espionage
- Severity: Major