The Billbug group was seen targeting Asian government agencies

November 17, 2022

Believed to be a China-based, state-backed group, the cyberespionage actor known as ‘Billbug’ has been seen launching a targeted campaign against government agencies, certificate authorities, and defence organisations across several Asian countries.

The researchers said the group’s most recent campaigns have been running since at least March, while records show its operations date back more than a decade.

Aside from targeting Asian government agencies, the Billbug group also compromised a certificate authority, which allowed it to deploy signed malware that security tools find harder to detect, and potentially to intercept and decrypt HTTPS traffic.

The Billbug group exploits known vulnerabilities in public-facing apps to gain initial access.

Although the researchers could not conclusively establish how the Billbug group gained initial access to victims’ networks, some evidence indicates it exploited public-facing applications with known vulnerabilities.

The cyberespionage group uses numerous legitimate, dual-use tools to blend its malicious activity in with benign administrative activity, including WinRAR, Port Scanner, Winmail, AdFind, Ping, Tracert, Route, Certutil, and NBTscan. Because these tools are commonly present on networks, their use is less likely to raise suspicion or trigger alerts from security tools.

Researchers also found the group using ‘Stowaway,’ a Go-based multi-level proxy tool commonly used by penetration testers to bypass network access restrictions.

Based on reports, the most recent custom backdoors used by the Billbug group were Hannotog and Sagerunex, and it was these two backdoors that allowed researchers to attribute the latest attack campaigns to the group.

The Hannotog backdoor can change the firewall settings of a compromised machine to allow all traffic, establish persistence, upload encrypted data to a remote server, run commands via CMD, and download files.

The Sagerunex backdoor, on the other hand, injects itself into an ‘explorer[.]exe’ process and writes logs, encrypted with 256-bit AES, to a local temp folder. It also connects to the operators’ C2 server over HTTPS to send files and a list of active proxies, and in return receives additional payloads and shell commands from Billbug.
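The two behaviours above that a defender can most readily hunt for are the burst of dual-use reconnaissance tools (AdFind, NBTscan, Ping, Tracert, Route, Certutil, WinRAR) running from a single shell, and a backdoor such as Hannotog opening the host firewall to all traffic. The script below is an added example written for this page, not code from the article or from the researchers it cites. It triages constructed, Sysmon-style process-creation records: the sample events, the binary names assumed for each tool, and the `netsh advfirewall` pattern used as a stand-in for "firewall changed to allow all traffic" are all assumptions, not indicators taken from the Billbug campaigns.

```python
"""Triage process-creation logs for the living-off-the-land tooling and
firewall tampering described in the article.  Added example; the log
records below are constructed for illustration, not real telemetry."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dual-use tools named in the article.  The image names are assumptions about
# how each tool's binary is usually named; adjust them to your environment.
LOLBIN_IMAGES = {
    "adfind.exe": "AdFind (Active Directory reconnaissance)",
    "nbtscan.exe": "NBTscan (NetBIOS scan)",
    "certutil.exe": "Certutil (often abused to download or decode payloads)",
    "ping.exe": "Ping (host discovery)",
    "tracert.exe": "Tracert (network mapping)",
    "route.exe": "Route (network mapping)",
    "winrar.exe": "WinRAR (staging and archiving)",
}

# Hannotog is described as changing the firewall to allow all traffic.  This
# pattern matches the built-in netsh commands that switch the Windows firewall
# off; it is an assumed example of how that change could appear in a log.
FIREWALL_TAMPER = re.compile(
    r"netsh\s+advfirewall\s+(?:set\s+\w+\s+state\s+off"
    r"|firewall\s+set\s+opmode\s+(?:mode=)?disable)",
    re.IGNORECASE,
)

# Constructed sample events: (timestamp, host, parent image, image, command line)
SAMPLE_EVENTS = [
    ("2022-03-01T09:00:01", "WS01", "explorer.exe",
     "C:\\Program Files\\WinRAR\\winrar.exe", "winrar.exe x report.rar"),
    ("2022-03-01T09:10:02", "WS07", "cmd.exe",
     "C:\\Windows\\System32\\ping.exe", "ping -n 1 10.0.0.5"),
    ("2022-03-01T09:10:05", "WS07", "cmd.exe",
     "C:\\Tools\\adfind.exe", "adfind.exe -f objectcategory=computer"),
    ("2022-03-01T09:10:09", "WS07", "cmd.exe",
     "C:\\Tools\\nbtscan.exe", "nbtscan.exe 10.0.0.0/24"),
    ("2022-03-01T09:11:00", "WS07", "cmd.exe",
     "C:\\Windows\\System32\\netsh.exe", "netsh advfirewall set allprofiles state off"),
    ("2022-03-01T11:00:00", "WS03", "cmd.exe",
     "C:\\Windows\\System32\\tracert.exe", "tracert 8.8.8.8"),
]


def parse_event(raw):
    """Normalise one raw record; ntpath handles Windows paths on any OS."""
    ts, host, parent, image, cmdline = raw
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "parent": ntpath.basename(parent).lower(),
        "image": ntpath.basename(image).lower(),
        "cmdline": cmdline,
    }


def flag_event(ev):
    """Return human-readable reasons a single event is worth a look."""
    reasons = []
    if ev["image"] in LOLBIN_IMAGES:
        reasons.append(f"dual-use tool: {LOLBIN_IMAGES[ev['image']]}")
    if FIREWALL_TAMPER.search(ev["cmdline"]):
        reasons.append("firewall tampering: host firewall switched off (Hannotog-like)")
    return reasons


def find_discovery_chains(events, min_tools=3, window=timedelta(minutes=5)):
    """Map host -> distinct dual-use tools run from one parent inside `window`.
    A lone ping is noise; ping + AdFind + NBTscan from the same shell within
    a few minutes looks like hands-on-keyboard reconnaissance."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["image"] in LOLBIN_IMAGES:
            by_key[(ev["host"], ev["parent"])].append(ev)
    chains = {}
    for (host, _parent), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            tools = {e["image"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(tools) >= min_tools and len(tools) > len(chains.get(host, ())):
                chains[host] = sorted(tools)
    return chains


def triage(raw_events):
    """Run both checks and return everything flagged."""
    events = [parse_event(r) for r in raw_events]
    flagged = [(ev["host"], ev["image"], flag_event(ev)) for ev in events if flag_event(ev)]
    return {"events": flagged, "chains": find_discovery_chains(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, image, reasons in result["events"]:
        print(f"[{host}] {image}: {'; '.join(reasons)}")
    for host, tools in result["chains"].items():
        print(f"[{host}] discovery chain: {', '.join(tools)}")
```

On the sample data every dual-use tool is flagged individually, but only WS07 produces a discovery chain (ping, AdFind and NBTscan within seven seconds of one another), and the same host then disables its firewall. Treating the chain plus the firewall change as one incident, rather than six unrelated low-severity alerts, is the point of correlating over a window.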

Across years of observed campaigns, the Billbug group has continued to use these two custom backdoors with only minimal changes.
