CyberWire Daily - Billbug infests government agencies. [Research Saturday]

Episode Date: January 21, 2023

Brigid O. Gorman from Symantec's Threat Hunter Team joins Dave to discuss their report "Billbug - State-sponsored Actor Targets Cert Authority and Government Agencies in Multiple Asian Countries." The... team has discovered that state-sponsored actors compromised a digital certificate authority in an Asian country during a campaign in which multiple government agencies were also targeted. The research states they believe Billbug, a long-established advanced persistent threat (APT) group, has been active since about 2009. They say "In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity." The research can be found here: Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly
Starting point is 00:01:45 evolving cyberspace. Thanks for joining us. Billbug does have quite a long history. So that activity we published on in 2018 that concerned Billbug at that time, it was targeting organizations in the communications, the geospatial imaging and defense sectors, primarily in Southeast Asia. And that's really a hallmark, I would say, of Billbug in general. That's Brigid O. Gorman. She's a senior intelligence analyst at Symantec's Threat Hunter team. The research we're discussing today is
Starting point is 00:02:22 titled "Billbug: State-sponsored Actor Targets Cert Authority and Government Agencies in Multiple Asian Countries." So yeah, when we first published about Billbug in 2018, we were tracking this activity under the name Thrip. However, we subsequently did further investigations into this group and we came to the conclusion that this activity we were referring to as Thrip and Billbug was really all likely the same group and kind of all likely the same activity. So now we track all this activity under the Billbug name. And in that activity we published about in 2018, Billbug was at that time targeting organizations in the communications, geospatial imaging and defense sectors, primarily in Southeast Asia. And this is really quite typical now of Billbug's activity. Those are
Starting point is 00:03:19 sort of hallmarks of its preferred victims. It does primarily go after organizations based in Asia, primarily Southeast Asia, and communications, defense, government, those are the sectors this group appears to be primarily interested in. And its primary motivation in all these instances does appear to be espionage. However, in this 2018 activity, there was a notable discovery in that when Billbug had targeted this satellite communications operator and also in the geospatial imaging and mapping company, they did show an interest in the operational sides of those companies. And they were looking at computers that, in the satellite communications company, they were targeting computers that ran the software that monitored and controlled satellites.
Starting point is 00:04:04 So there was kind of speculation at that time that there may have been a disruption motivation behind that particular campaign as well. Although Billbug primarily is considered to be an espionage actor. In that 2018 campaign as well, we saw the group using a mix of living off the land, dual use tools, as well as custom malware. And that's very much a hallmark of how it operates as well. We see that in all the campaigns we've seen Billbug carry out. We've seen them using that mix of dual-use, living-off-the-land tools as well as their own custom malware. Well, let's go through the attack chain together. I mean, how does one find themselves falling victim to this group? Well, it's not always clear how they gain access to victim machines initially, but in this
Starting point is 00:04:47 particular campaign, this most recent campaign that we saw, there were some indications that the attackers were exploiting public-facing applications to gain initial access to victim networks. And then we did see them in this campaign, as we have seen them in previous campaigns, using multiple dual use tools, living off the land tools. As I've already said, that's very much a hallmark of their activity, and in this particular campaign some of the dual use tools we saw them using were tools we often see being leveraged, I suppose, by malicious actors. You know, we saw them using AdFind. That's a publicly available tool; it can be used to query Active Directory, but we do see it often used by attackers to help them map a network. We also saw
Starting point is 00:05:31 them using WinRAR. Again, we often see this used by malicious actors. It can be used to archive or zip up files, for example, prior to exfiltration if you're a malicious actor. And we did also see them using CertUtil, another very commonly kind of abused tool that we see misused by malicious actors. And that's a Microsoft Windows utility that can be used for various different purposes by malicious actors. It can be used to download files and to install browser root certificates and things like that. So they use all these various dual-use, living-off-the-land tools, as well as deploying their own custom malware, which they do now use as well.
Starting point is 00:06:15 And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:06:53 Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see.
Starting point is 00:07:18 Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. And what are the backdoors that they're using here and what are the capabilities? Yeah, so in this most recent campaign, we saw them using two backdoors that we did previously see them using as well in the 2019 campaign that they carried out as well. So those backdoors are Hanatoge as well as another backdoor called Sage, I was never 100% sure how to pronounce this one, but Sage Runex.
Starting point is 00:08:08 And those were both tools we saw being used previously in the 2019 activity. And that is how we sort of linked, you know, we were able to link all this activity to Billbug basically, but was with the usage, by seeing the usage of these tools in both campaigns. And basically the Hannotog is a loader, essentially. Yeah, the Hannotog is a loader.
Starting point is 00:08:27 And Sagerunex, the Hannotog is a custom backdoor. And that can give the attackers basically this kind of persistent presence on victim networks. Sagerunex then is kind of a, it's a fairly resilient backdoor. It can implement multiple forms of communication with the command and control server. It's quite a powerful backdoor in that way.
Starting point is 00:08:42 But interestingly, in this particular campaign, in this most recent activity, we saw this analyzed sample that had no hard-coded configuration. So it had to be dropped onto the machine by a loader malware, such as Hannotog. So that is likely why we see these kind of two tools being used together in this way. So once we see this kind of sample, the payload dropped to the machine, we see it write logs, which are encrypted, to a temporary file. We see this encryption key which is hard-coded, and we saw this previously used as well with a previous sample of this malware. So again, we were able to connect that to previous Billbug activity. And we saw the structure of the payload once it was downloaded then. We saw it was
Starting point is 00:09:19 decrypted, and kind of what it does, I guess, depends on the command ID once it is downloaded. And it's capable of carrying out various commands. It can execute programs or DLLs or commands, it can steal local files, it can drop files to a specified path, as well as returning a list of currently configured proxies on the machine to the attackers as well. So it can carry out various different, has various different capabilities, I suppose, basically. And while we don't see data being exfiltrated in this campaign, Billbug is widely regarded as being an espionage actor. So it's most likely that data theft was the motivation in this campaign. And obviously, the targets in this campaign as well also point
Starting point is 00:10:04 to espionage being the most likely motivation for these attackers as well. And so what are your recommendations for organizations to best protect themselves here? Billbug is quite a sophisticated actor. So it can be, you know, I think the organizations it goes after tends to be, I suppose, highly targeted. They're very interested in specific groups.
Starting point is 00:10:26 They're very interested in specific sectors, in specific geographies. So those are kind of the areas that need to be worried about Billbug. But as it's a, I suppose, you know, it's an actor that uses a lot of living off the land tools. It uses a lot of dual use tools. So it's important that organizations have that kind of multi-step security software in place so that they're watching out
Starting point is 00:10:55 for this kind of suspicious activity, that it's not just a matter of detecting the malware. It's finding that suspicious activity, dual use tools being used in an unusual way and little tools that are already on your computer being used in a non-typical manner. So it's important to have that kind of multi-layer security stack so that you can detect this kind of suspicious activity, so you can stop it, I suppose, before the malware is even dropped onto your computer, which is key, I think, for these kinds of attacks, because dual-use tools, living
Starting point is 00:11:23 off the land tools, we see them used so often now by these kind of sophisticated nation state actors as well as ransomware actors. Our thanks to Brigid O. Gorman from Symantec's Threat Hunter team for joining us. The research is titled "Billbug: State-sponsored Actor Targets Cert Authority and Government Agencies in Multiple Asian Countries." We'll have a link in the show notes. And now a message from Black Cloak.
Starting point is 00:12:06 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:12:53 The CyberWire's Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Maria Vermatzis, Ben Yellen, Nick Vilecki, Millie Lardy, Gina Johnson, Bennett Moe, Catherine Murphy,
Starting point is 00:13:22 Janine Daly, Jim Hochite, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie. Thanks for listening. We'll see you back here next week.
