According to a new report published by Kaspersky Lab, the China-linked APT group Spring Dragon (aka Lotus Blossom, Elise, and Esile) has used more than 600 malware samples in its attacks over the past years.
The Spring Dragon APT group is a state-sponsored group that has been around since at least 2012, but further evidence collected by the researchers suggests that it may have been active since 2007.
The APT group focused its cyber espionage campaigns on military and government organizations in Southeast Asia.
In June 2015, Trend Micro published a report on a targeted attack campaign of the group that hit organizations in various countries in the Southeast Asian region. The experts speculated the involvement of state-sponsored hackers due to the nature of the stolen information.
“The Esile targeted attack campaign targeting various countries in the Southeast Asian region has been discussed in the media recently. This campaign – which was referred to by other researchers as Lotus Blossom – is believed to be the work of a nation-state actor due to the nature of the stolen information, which is more valuable to countries than either private companies or cybercriminals.” wrote Trend Micro.
In October 2015, the Lotus Blossom group launched a new espionage campaign using fake invitations to Palo Alto Networks’ Cybersecurity Summit held in Jakarta, on November 3.
Back to the present, researchers from Kaspersky Lab were informed by a research partner in Taiwan of a new wave of attacks powered by the APT group.
“Information about the new attacks arrived from a research partner in Taiwan and we decided to review the actor’s tools, techniques and activities.” states the analysis from Kaspersky Lab.
“Using Kaspersky Lab telemetry data we detected the malware in attacks against some high-profile organizations around the South China Sea.”
The hackers also targeted political parties, educational institutions, and companies in the telecommunications industry.
Most infections were observed in countries around the South China Sea, including Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia, and Thailand.
Spring Dragon is known for spear phishing and watering hole attacks, malware researchers at Kaspersky Lab collected a large set composed of more than 600 malware samples used in different attacks.
The APT group has a huge cyber arsenal, it has been developing and updating its range of tools throughout across the years. The hackers have various backdoor modules with unique characteristics and functionalities, it manages a large Command and Control infrastructure that includes more than 200 unique IP addresses and C&C domains.
Most C&C servers used by Spring Dragon are located in Hong Kong and the United States, other servers have also been found in Germany, China and Japan.
“The large number of samples which we have managed to collect have customized configuration data, different sets of C2 addresses with new hardcoded campaign IDs, as well as customized configuration data for creating a service for malware on a victim’s system. This is designed to make detection more difficult.” continues the analysis.
“All the backdoor modules in the APT’s toolset are capable of downloading more files onto the victim’s machine, uploading files to the attacker’s servers, and also executing any executable file or any command on the victim’s machine. These functionalities enable the attackers to undertake different malicious activities on the victim’s machine.”
The analysis of the malware compilation timestamps revealed that attackers might be in the GMT+8 time zone, the same of countries like China, Indonesia, Malaysia, Mongolia, Singapore, Taiwan, the Philippines and Western Australia.
Another interesting information emerged from the analysis is that the malware has been compiled by two different groups, one of which may be in Europe.
“It also suggests that either there is a second group working another shift in the same time zone or the attackers are cross-continental and there is another group, possibly in Europe. The uneven distribution of timestamps (low activity around 10am, 7-8pm UTC) suggests that the attackers didn’t change the timestamps to random or constant values and they might be real.” states the analysis.
“The number of malware samples which we managed to collect (over 600) for the group surpassed many others, and suggests an operation on a massive scale. It’s possible that this malware toolkit is offered in specialist public or private forums to any buyers, although, to date, we haven’t seen this.”
(Security Affairs – cyber espionage, Spring Dragon APT)