Lotus Blossom APT Exploits WMI for Post-Exploitation Activities
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
The Lotus Blossom Advanced Persistent Threat (APT) group, also known as Lotus Panda, Billbug, and Spring Dragon, has intensified its cyberespionage efforts with new variants of the Sagerunex backdoor.<\/p>\n
These developments highlight the group\u2019s evolving tactics, including leveraging Windows Management Instrumentation (WMI) for post-exploitation activities and employing legitimate cloud services for command-and-control (C2) communications. <\/p>\n
The group\u2019s recent campaigns primarily target government entities across the Asia-Pacific (APAC) region.<\/p>\n
Lotus Blossom\u2019s attack chain begins with initial access achieved through spear-phishing<\/a>, watering hole attacks, or exploiting vulnerabilities in public-facing applications. <\/p>\n Once inside a network, the group utilizes WMI to facilitate lateral movement. This technique enables attackers to execute commands on remote systems without deploying additional malware, making detection more challenging.<\/p>\n On compromised machines, the attackers deploy a suite of tools, including RAR archivers for data compression, custom proxy utilities like Venom for traffic relaying, and Chrome cookie stealers for credential harvesting. <\/p>\n Reconnaissance commands such as If direct internet access is unavailable, the group uses proxy configurations or deploys Venom to route traffic through other infected hosts.<\/p>\n Persistence is achieved by installing Sagerunex backdoor variants into the Windows Registry<\/a>. These variants masquerade as legitimate system services by hijacking trusted service names like \u201ctapisrv\u201d and \u201cswprv.\u201d<\/p>\n The backdoor is configured to run automatically upon system startup, ensuring long-term access.<\/p>\n The Sagerunex backdoor demonstrates advanced evasion techniques by utilizing legitimate platforms such as Dropbox, Twitter (X), and Zimbra for C2 communications. <\/p>\n According to Picus Security,<\/a> these platforms allow attackers to blend malicious traffic with normal user activity.<\/p>\n For example:<\/p>\n These methods complicate detection by traditional network monitoring solutions. Additionally, encrypted communication channels further obscure malicious activity from intrusion detection systems.<\/p>\n Organizations must adopt a multi-layered defense approach to mitigate the risks posed by Lotus Blossom:<\/p>\n The Lotus Blossom APT group\u2019s sophisticated use of WMI, legitimate cloud platforms, and stealthy persistence mechanisms underscores the need for robust cybersecurity measures tailored to counter advanced threat actors.<\/p>\n The post Lotus Blossom APT Exploits WMI for Post-Exploitation Activities<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\ntasklist<\/code>, ipconfig<\/code>, and netstat<\/code> are executed to gather system and network information. <\/p>\nCommand-and-control via Legitimate Platforms<\/strong><\/h2>\n
\n
.rar<\/code> files.<\/li>\n\n
Investigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/p>\n