Posted on May 3, 2022 at 5:59 PM
Chinese Lotus Panda Hackers Resurface With More Sophisticated Attacks
The popular cyber espionage group Lotus Panda (also known as Override Panda or Naikon) seems to have resurfaced after many thought they have gone into extinction. The group is believed to have originated in China in 2010 and is concentrating its attack on several South-East nations such as Singapore, Malaysia, and Thailand.
Naikon became popular in 2015 when its malware was discovered, which resulted in the arrest of some of its key members.
Following the series of arrests made, the group was thought to have disbanded. But several reports have shown that they have regrouped, and were discovered carrying out cyber espionage across countries like the Philippines and Indonesia.
Recently, the Override Panda group has been discovered carrying out spy campaigns on governmental organizations and institutions across South-East Asia. Reports noted that the organizations being targeted by the group are mainly involved in foreign affairs, science, and technology.
The Group Plans To Carry Long-Term Cyber Espionage
Cybersecurity research firm Cluster25 stated that after observing Lotus Panda’s hacking arsenal, it was evident that the group plans to carry out long-term espionage and cyber intelligence operations. This is common for groups that focus their attention on foreign governments and their officials. The group has also increased its sophistication since the last time it was active.
The research firm noted that to maximize the result and avoid detection, the group changed its tactics, techniques, and procedures (TTP) and attack tools. The upgrade can help to keep the malware in the victim’s computer for a longer time without being detected.
They have also increased their attacking methods to include spear-phishing emails sent over the past few months to targeted institutions and organizations. The group has been discovered using a shellcode, which is used by threat actors to deliver a payload that can take full control of a compromised computer or device.
South-East Asian Government Organizations Are Likely Targets
Although Cluster25 admitted that it is not confirmed that the group has intended targets for the attacks, it claimed that the likely target is government organizations.
The researchers added that based on the previous history of the attack carried out by the group, the target is likely a government institution from a South Asian country.
The email the hackers used for the phishing attack is written in Chinese and claims to be a genuine reply to a call for tenders for the purchase of protective firewall equipment. This sounds ironic, considering the true intention of the hackers.
Also, Lots Panda utilized open-source software tools like Asset reconnaissance Lighthouse (ARL) and Viper, with their supporting documentation written in Mandarin. As a result, it is believed that the codes were developed by a Chinese programmer.
The recent campaign discovered by Cluster25 has the same attack similarity as the previous ones, as it utilizes Microsoft Office documents to begin its infiltration killchain. Viper is available for download on GitHub and it’s described as a “graphical intranet penetration tool”
“Viper modularizes and weaponizes the tactics and technologies commonly used in the process of intranet penetration,” Cluster25 noted.
The firm added that ARL is a tool used to assist penetration testers or security teams in retrieving assets to find out existing vulnerabilities and attack surfaces.
The tools are utilized by hackers when they want to generate payloads and gain more details about a target via a process known as website fingerprinting. Its framework is similar to the popular Cobalt Strike and features more than 80 modules that enable initial access and persistence.
Naikon Group Linked To Several Cyber Espionages In The Past
Attack chains launched by the threat group include the use of attached lure documents designed to entice the targeted victims to open and unknowingly open the door for malware in their systems. Once the target clicks on the link or opens the attached document, the malware silently installs in the victim’s system without their knowledge. It can remain there for a long time executing various types of commands, including stealing important data from several files in the compromised computer.
In April last year, the Naikon group was linked to a widespread cyber-espionage campaign launched against military organizations in the South-East Asian region. Four months later, the group was also linked to another cyber espionage activity that targeted the telecom sector in the region. The researchers noted that the group is now more potent and highly sophisticated to attack different top-value targets in Asia.
