Cyber Web Spider Blog – News
Notepad++ Compromised by Chinese APT Group with Custom Malware

Posted on February 3, 2026 By CWS

Key Points

  • Chinese APT group Lotus Blossom targeted Notepad++ users.
  • Custom malware ‘Chrysalis’ was used in the espionage campaign.
  • Targets included government and critical infrastructure sectors.

Espionage Campaign Overview

A recent sophisticated cyber espionage operation, linked to the Chinese Advanced Persistent Threat (APT) group known as Lotus Blossom, has compromised Notepad++ users. The campaign involves deploying a custom-designed backdoor, dubbed ‘Chrysalis’, through compromised infrastructure. This operation has primarily affected entities in sectors such as government, telecommunications, and aviation across Southeast Asia and Central America.

The breach was uncovered by Ivan Feigl, a researcher from Rapid7. The initial investigation was triggered by a security incident involving the execution of a malicious file named update[.]exe. This file was downloaded from a suspicious IP address, 95.179.213[.]0, after the legitimate Notepad++ and its updater were executed.

Technical Details of the Attack

The malicious update[.]exe file is an NSIS installer, a packaging format that Chinese APTs commonly abuse for delivering initial payloads. Upon execution, it creates a hidden directory in the %AppData% folder named ‘Bluetooth’, where several files, including BluetoothService.exe and log.dll, are dropped.

The BluetoothService.exe file is a legitimate Bitdefender Submission Wizard binary but is misused by the attackers for DLL sideloading. This technique forces the binary to load the malicious log.dll instead of the genuine library, which in turn decrypts and executes the Chrysalis backdoor.
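The chain above (an updater reaching the indicator IP, files dropped into %AppData%\Bluetooth, and a signed host binary loading an unsigned DLL from that same directory) is the kind of thing a SOC would turn into hunting rules. The following is an added example written for this post; it is not code from the article or from Rapid7. It runs three rules over Sysmon-style events (event IDs 3, 7 and 11 are Sysmon's real network-connection, image-load and file-create events; the flat dictionary field names and all sample telemetry are constructed here). The sideload rule is written for the general shape (any binary in a user-writable directory loading an unsigned DLL from the same directory) and tags the specific BluetoothService.exe/log.dll pair when it sees it.

```python
import re
from dataclasses import dataclass

# Indicators from the article (the defanged 95.179.213[.]0 is re-assembled for matching).
KNOWN_BAD_IPS = {"95.179.213.0"}
DROP_DIR_RE = re.compile(r"\\AppData\\Roaming\\Bluetooth\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)
ARTICLE_PAIR = ("bluetoothservice.exe", "log.dll")


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def check_network(ev):
    """Sysmon event 3 (network connection) to an indicator IP, whatever the process."""
    if ev.get("event_id") == 3 and ev.get("dest_ip") in KNOWN_BAD_IPS:
        return Finding("known-bad-ip", f"{ev.get('image')} -> {ev['dest_ip']}")
    return None


def check_drop(ev):
    """Sysmon event 11 (file create) into the %AppData%\\Bluetooth directory the installer creates."""
    if ev.get("event_id") == 11 and DROP_DIR_RE.search(ev.get("target", "")):
        return Finding("appdata-bluetooth-drop", f"{ev.get('image')} wrote {ev['target']}")
    return None


def check_sideload(ev):
    """Sysmon event 7 (image load): a binary running from a user-writable directory loads an
    unsigned DLL from that same directory. This is the general sideloading shape; the
    BluetoothService.exe/log.dll pair from the article is called out when it matches."""
    if ev.get("event_id") != 7:
        return None
    image, loaded = ev.get("image", ""), ev.get("image_loaded", "")
    if not USER_WRITABLE_RE.match(image):
        return None
    if _dirname(image) != _dirname(loaded):
        return None  # DLL came from elsewhere (e.g. System32): normal resolution, not a sideload
    if str(ev.get("signed", "false")).lower() != "false":
        return None
    pair = (_basename(image), _basename(loaded))
    tag = " (matches the Lotus Blossom pair)" if pair == ARTICLE_PAIR else ""
    return Finding("dll-sideload", f"{image} loaded unsigned {loaded}{tag}")


RULES = (check_network, check_drop, check_sideload)


def hunt(events):
    """Run every rule over every event; return findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry mirroring the chain in the article; not real logs.
# The updater path is an assumption (GUP.exe is the Notepad++ updater's real name).
SAMPLE_EVENTS = [
    {"event_id": 3, "image": r"C:\Program Files\Notepad++\updater\GUP.exe", "dest_ip": "95.179.213.0"},
    {"event_id": 11, "image": r"C:\Users\alice\Downloads\update.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe"},
    {"event_id": 11, "image": r"C:\Users\alice\Downloads\update.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll"},
    {"event_id": 7, "image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "image_loaded": r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll", "signed": "false"},
    # Benign: the same host binary loading a system DLL from System32.
    {"event_id": 7, "image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": "true"},
    # Benign: updater talking to a documentation-range address (constructed).
    {"event_id": 3, "image": r"C:\Program Files\Notepad++\updater\GUP.exe", "dest_ip": "203.0.113.10"},
    {"event_id": 11, "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Only the first four sample events fire; the System32 load and the Documents write are there to show the rules do not trip on ordinary activity of the same binaries. In a real deployment the `signed` field would come from Sysmon's Signed/SignatureStatus fields, and the drop rule would normally be widened to any hidden directory created under the user profile by a freshly downloaded installer rather than pinned to the one name from this campaign.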

Chrysalis Backdoor Capabilities

The Chrysalis backdoor is a sophisticated piece of malware designed for long-term infiltration. It employs several advanced techniques, such as custom encryption and API hashing, to evade detection. It communicates with its command and control server over HTTPS, mimicking legitimate network traffic to avoid raising suspicions.

  • Interactive Shell: Capable of spawning a reverse shell.
  • File Operations: Includes reading, writing, and deleting files.
  • Process Execution: Can launch remote processes.
  • Self-Removal: Includes a mode for removing itself from the system.

Advanced Techniques and Attribution

The attack chain also includes a loader variant that uses Microsoft Warbird, a complex code protection framework, to obscure its execution flow. By exploiting the NtQuerySystemInformation system call, the loader decrypts and runs shellcode in a manner that bypasses user-mode hooks and standard monitoring tools.

Attribution to Lotus Blossom is based on the use of specific techniques, such as Bitdefender sideloading, and shared cryptographic keys found in related malware.

Conclusion

This incident underscores the ongoing threat posed by advanced cyber actors targeting critical sectors. Organizations must remain vigilant and employ robust security measures to defend against such sophisticated attacks.

Frequently Asked Questions

Q: What is Chrysalis backdoor?
A: Chrysalis is a custom backdoor used by the APT group for long-term infiltration and data exfiltration.

Q: How does the attack affect Notepad++ users?
A: The attack compromises the infrastructure hosting Notepad++, potentially targeting users in specific sectors.

Q: What sectors are most at risk?
A: Government, telecommunications, and aviation sectors are primarily targeted.

Q: How can organizations protect themselves?
A: Implementing advanced security measures and monitoring unusual network activity can help mitigate such threats.

Q: To whom is this attack attributed?
A: The attack is attributed to the Chinese APT group Lotus Blossom with moderate confidence.
