2025-03-13

Lotus Blossom Uses Sagerunex for Long-Term Access

Level: Tactical  |  Source: Cisco Talos
Industries: Government, Manufacturing, Media, Telecommunications

Cisco Talos has linked multiple cyber espionage campaigns to the threat actor Lotus Blossom (also tracked as DRAGONFISH, Spring Dragon, Billbug, Raspberry Typhoon and Thrip) and attributes them to the group with high confidence. Talos researcher Joey Chen writes that the operations are attributed to Lotus Blossom primarily "due to the presence of the Sagerunex backdoor within these operations," a tool the group has used since at least 2016. Lotus Blossom has a history of targeting government, manufacturing, telecommunications, and media organizations in Vietnam, Hong Kong, Taiwan, and the Philippines, with the aim of long-term espionage: keeping quiet, persistent access to compromised environments for extended periods. Talos reports that the group continues to evolve its tactics, techniques, and procedures (TTPs), developing new Sagerunex variants that use legitimate third-party cloud services as command-and-control (C2) channels, including Dropbox, Twitter, and Zimbra webmail.

The reported attack chain begins with reconnaissance using native Windows binaries, the same tools administrators use every day. The attacker runs commands such as "net," "tasklist," "quser," "ipconfig," "netstat," and "dir" to profile the host, its logged-on users, and its network connections. Once reconnaissance is complete, the attacker checks whether the system can reach the internet. "If internet access is restricted, then the actor has two strategies: using the target's proxy settings to establish a connection or using the Venom proxy tool to link the isolated machines to internet-accessible systems," Talos reports. Payloads were often staged in the "public\pictures" subfolder, a directory writable by any local user whose contents rarely attract scrutiny. Persistence is achieved through the Windows registry: the actor issues "reg add" commands that register the Sagerunex backdoor to run as a system service, then confirms the keys took effect with "reg query".
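The discovery burst followed by a registry service registration is the most detectable part of this chain, because every step is a child process with a command line. The hunt below is an added example written for this page, not code from Cisco Talos or Anvilogic: it runs over constructed process-creation events with the fields a Sysmon Event ID 1 or Windows 4688 collector would forward, flags any host where several distinct discovery commands run inside a short window, and then looks for a "reg add" into a CurrentControlSet\Services key on that host. The hostnames, timestamps, the service name "ExampleSvc" and the DLL path are constructed, and registering a ServiceDll under the service's Parameters key is an assumed way of "running as a system service", not the key the report names.

```python
"""Hunt for a discovery burst followed by registry service persistence, over
constructed Windows process-creation events (added example; hosts, times,
service name and DLL path are stand-ins, not indicators from the report)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Native binaries the report names as the actor's reconnaissance set.
DISCOVERY_CMDS = {"net", "tasklist", "quser", "ipconfig", "netstat", "dir"}
MIN_DISTINCT = 4                 # distinct discovery commands to call it a burst
WINDOW = timedelta(minutes=10)   # ...seen within this span on one host

# Constructed events: (ISO timestamp, host, parent image, command line).
EVENTS = [
    ("2025-03-10T09:58:01", "WS-07", "cmd.exe", "net user"),
    ("2025-03-10T09:58:09", "WS-07", "cmd.exe", "tasklist /v"),
    ("2025-03-10T09:58:20", "WS-07", "cmd.exe", "quser"),
    ("2025-03-10T09:58:41", "WS-07", "cmd.exe", "ipconfig /all"),
    ("2025-03-10T09:59:02", "WS-07", "cmd.exe", "netstat -ano"),
    ("2025-03-10T09:59:30", "WS-07", "cmd.exe", 'dir "C:\\Users\\Public\\Pictures"'),
    ("2025-03-10T10:03:15", "WS-07", "cmd.exe",
     'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\Parameters"'
     ' /v ServiceDll /t REG_EXPAND_SZ /d "C:\\Users\\Public\\Pictures\\update.dll" /f'),
    ("2025-03-10T10:03:20", "WS-07", "cmd.exe",
     'reg query "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\Parameters"'),
    # Ordinary helpdesk activity elsewhere: two discovery commands, no reg add.
    ("2025-03-10T11:12:00", "WS-12", "powershell.exe", "ipconfig /all"),
    ("2025-03-10T11:40:00", "WS-12", "powershell.exe", "tasklist"),
]


def command_name(cmdline):
    """First token of a command line, lowercased, with path and .exe stripped."""
    parts = cmdline.strip().split()
    if not parts:
        return ""
    first = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    return first[:-4] if first.endswith(".exe") else first


def is_service_reg_write(cmdline):
    """True for 'reg add' (or reg.exe add) into a CurrentControlSet\\Services key."""
    parts = cmdline.split()
    if len(parts) < 3 or command_name(cmdline) != "reg" or parts[1].lower() != "add":
        return False
    return "\\currentcontrolset\\services\\" in cmdline.lower()


def hunt(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Per host: the first window holding >= min_distinct distinct discovery
    commands, plus any Services-key reg add seen on that host from then on."""
    by_host = defaultdict(list)
    for ts, host, parent, cmdline in events:
        by_host[host].append((datetime.fromisoformat(ts), parent.lower(), cmdline))

    findings = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            seen = set()
            for t, _, cmd in evs[i:]:
                if t - t0 > window:
                    break
                name = command_name(cmd)
                if name in DISCOVERY_CMDS:
                    seen.add(name)
            if len(seen) >= min_distinct:
                persistence = [cmd for t, _, cmd in evs
                               if t >= t0 and is_service_reg_write(cmd)]
                findings[host] = {"first_seen": t0.isoformat(),
                                  "discovery": sorted(seen),
                                  "persistence": persistence}
                break
    return findings


if __name__ == "__main__":
    for host, f in hunt(EVENTS).items():
        print(host, f["first_seen"], f["discovery"])
        for cmd in f["persistence"]:
            print("  persistence:", cmd)
```

Only WS-07 is reported: six distinct discovery commands inside two minutes, followed by a Services-key write. WS-12 runs two of the same binaries and stays silent, which is the point of requiring several distinct commands in one window rather than alerting on any single "net" or "tasklist". In production the thresholds need tuning against each environment's admin baseline, and the "reg add" check should be paired with the registry-write events themselves, since an actor can set the same keys without spawning reg.exe.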

The Sagerunex family performs several operational checks at startup. Talos' analysis found that one key feature is a system-time check intended to defeat sandboxes, which typically run a sample for only a few minutes at an arbitrary time of day. "For example, one variant checks if it operates during working hours (e.g. 10:00 am to 7:00 pm), while another ensures that the system hours do not exceed the system minutes." Sagerunex also carries a proxy-configuration component so that C2 traffic can still leave networks that only allow outbound connections through a proxy. A beta build contained additional debug strings, giving insight into the developers' process. Other variants use the Dropbox and Twitter APIs as C2 channels; Talos found that their configuration files embed Dropbox tokens, Twitter tokens, and original file paths that appear to come from the attacker's own machine. Although this variant was most active between 2018 and 2022, evidence suggests it remains in use today.

A notable evolution is a Zimbra webmail-based variant that handles both data exfiltration and remote command execution through a mailbox. It connects to a legitimate Zimbra mail service, logs in with credentials stored in the sample to obtain an authentication token, collects system information, compresses it into a RAR archive named "mail_report.rar," and attaches the archive to an email draft, so the mailbox itself becomes the staging area for exfiltrated data. The backdoor also polls the mailbox for messages containing command content; if a valid command is found, it is executed on the compromised host and the results are returned the same way, as another encrypted RAR archive. Talos notes that this variant has been operational since 2019 and is still active, with several Zimbra mailboxes continuing to receive beacon traffic from infected hosts. Because the traffic is ordinary webmail use of a legitimate service, it is unlikely to trip egress filtering and has to be hunted by behaviour, such as check-ins at fixed intervals from a host with no reason to use that mail service.
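The "beacon communications" Talos describes are what a defender can look for in proxy or web-server logs: a host that contacts the same webmail service at near-constant intervals, hour after hour, where a person reading mail produces irregular timing. The script below is an added example written for this page, not code from Cisco Talos or Anvilogic. It parses constructed proxy log lines, groups requests by (source host, destination hostname), and flags pairs whose inter-request intervals have a very low coefficient of variation. The log lines, hostnames, the webmail domain, the URL paths and the 30-minute interval are all constructed for illustration.

```python
"""Flag hosts that check in to a webmail service at near-fixed intervals, over
a constructed proxy log (added example; every host, domain, path and interval
here is made up, not an indicator from the Talos report)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log: "<ISO time> <source host> <method> <url> <status>".
# WS-07 hits the webmail host every ~30 minutes; WS-12 is a person reading mail.
LOG = """\
2025-03-10T08:00:02 WS-07 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T08:05:10 WS-12 GET https://mail.partner-webmail.test/ 200
2025-03-10T08:07:45 WS-12 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T08:30:04 WS-07 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T08:41:00 WS-12 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T09:00:01 WS-07 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T09:30:05 WS-07 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T10:00:03 WS-07 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T10:15:22 WS-12 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T10:16:03 WS-12 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T10:30:02 WS-07 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T11:00:04 WS-07 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T11:02:00 WS-07 GET https://cdn.update-mirror.test/manifest 200
2025-03-10T13:02:17 WS-12 POST https://mail.partner-webmail.test/service/soap 200
2025-03-10T13:50:00 WS-12 POST https://mail.partner-webmail.test/service/soap 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, source host, destination hostname), or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, _method, url, _status = m.groups()
    dest = urlsplit(url).hostname
    if dest is None:
        return None
    return datetime.fromisoformat(ts), host, dest


def intervals(times):
    """Seconds between consecutive timestamps, in time order."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def find_beacons(lines, min_requests=6, max_cv=0.1):
    """Return {(host, dest): stats} for pairs with at least min_requests requests
    whose intervals are nearly constant: coefficient of variation <= max_cv."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            t, host, dest = rec
            by_pair[(host, dest)].append(t)

    hits = {}
    for pair, times in by_pair.items():
        if len(times) < max(min_requests, 2):   # need at least one interval
            continue
        iv = intervals(times)
        mean = statistics.fmean(iv)
        if mean == 0:
            continue
        cv = statistics.pstdev(iv) / mean
        if cv <= max_cv:
            hits[pair] = {"count": len(times), "mean_s": round(mean), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (host, dest), s in find_beacons(LOG.splitlines()).items():
        print(f"{host} -> {dest}: {s['count']} requests, every ~{s['mean_s']}s (cv={s['cv']})")
```

With the defaults only WS-07 is reported, at roughly 1800-second spacing; WS-12's irregular sessions have a coefficient of variation near 1 and pass unnoticed. Two caveats for real data: an implant that honours a working-hours window, like the variant in the previous paragraph, stops overnight and should be analysed per day so the long gap does not inflate the variance, and an implant that adds random jitter to its sleep raises the ratio, so max_cv has to be tuned rather than fixed at 0.1. Findings are most useful when joined against which hosts have a legitimate reason to use that webmail service at all.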

Lotus Blossom's campaigns show adaptability: multiple persistence techniques, thorough reconnaissance, and diverse C2 infrastructure. Continued use of Sagerunex, together with the cloud-integrated variants, reflects a strategic emphasis on long-term espionage rather than quick wins. Organizations in the targeted sectors should monitor for the specific behaviours described here: bursts of discovery commands run from native binaries, payloads dropped under public\pictures, "reg add" writes that register new services, and periodic traffic to Dropbox, Twitter, or webmail services from hosts with no business reason for it. Talos' analysis reinforces the need for proactive threat hunting and incident response to counter a persistent, evolving adversary.