Actor Profiling
Threat Actor: Lotus Blossom (aka Lotus Panda, Billbug)
Active Since: 2009
Target: Government and military targets in South Asia.
TTPs
Initial Access
T1190 – Exploit Public-Facing Application
Accessed via exposed internet-facing systems.
T1566 – Phishing
Targeted phishing emails to deliver malicious payloads.
T1078 – Valid Accounts
Used stolen credentials to log in as legitimate users.
Execution
T1059 – Command and Scripting Interpreter
T1204 – User Execution (phishing-triggered payload execution)
T1129 – Shared Modules
Malicious DLLs were loaded through legitimate executables.
Persistence
T1547.001 – Registry Run Keys
Modified Windows Registry to maintain execution during startup.
T1543.003 – Windows Service
Ran malware as a service for long-term access.
Defense Evasion
T1574.002 – DLL Side-Loading
Hijacked legitimate executables (Trend Micro, Bitdefender) to load malicious DLLs.
T1070.006 – Timestamp
Manipulated file timestamps using tools like Datechanger.exe.
T1036 – Masquerading
Blended malicious activity with trusted vendor binaries.
Credential Access
T1555.003 – Credentials from Web Browsers
ChromeKatz / CredentialKatz extracted saved passwords and cookies from Chrome.
T1003 – OS Credential Dumping
Lateral Movement
T1021 – Remote Services
Used stolen credentials to move across systems.
Command and Control (C2)
T1572 – Protocol Tunneling
Used Zrok peer-to-peer tunneling to expose internal systems.
T1090 – Proxy
Tunneled internal traffic externally.
T1571 – Non-Standard Port
T1090.001 – Internal Proxy
T1071.004 – Application Layer Protocol: SSH
Deployed Custom reverse SSH over port 22 for remote control.

Recommendations
Strengthen Email Security: Implement advanced email filtering solutions capable of detecting and blocking phishing attempts, especially those involving spoofed domains and deceptive content. Enable DMARC, SPF, and DKIM to validate sender authenticity.
Deploy Advanced Endpoint Protection: Utilize Endpoint Detection and Response (EDR) tools to monitor suspicious activities, such as DLL sideloading and unauthorized registry modifications, which are tactics employed by Sagerunex. Ensure that all endpoints have up-to-date antivirus and anti-malware solutions to detect and prevent known threats.
Credential Protection: Enforce strong password policies, multi-factor authentication (MFA), and monitor for the use of credential dumping tools like ChromeKatz and CredentialKatz.
Enhance Network Monitoring: Implement continuous monitoring for unusual network traffic and suspicious activity, especially around port 22 and the use of tunneling tools like Zrok, which may indicate covert access or exfiltration attempts.
Patch Management: Ensure that all public-facing applications and systems are regularly scanned for vulnerabilities and patched promptly to prevent exploitation by threat actors.
Analysis of Malware Sample
A malware sample linked to Lotus Blossom in the Notepad++ was analysed

The file contained an executable file named "BluetoothService.exe" which is a renamed legitimate Bitdefender Submission Wizard abused for DLL sideloading. It also included a file called "BluetoothService" that is an encrypted shellcode, and a malicious DLL sideloaded by BluetoothService.exe.
Bitdefender Submission Wizard was used to sideload "log.dll" for decrypting and executing additional payload.

The BluetoothService.exe contained different folders

The. rsrc folder was available, the other files were not supported. Upon opening, it contained different folders.

The txt file showed the actual file name, pointing to Bitdefender








.png)
.png)