Inside The Latest Billbug Operations In Southeast Asia

The China-linked threat group Billbug (aka Lotus Blossom, Bronze Elgin) has conducted a prolonged intrusion campaign across Southeast Asia from August 2024 to February 2025, targeting key government and critical infrastructure entities. Leveraging sophisticated sideloading techniques and a mix of new and known malware, the group continues its focus on cyber espionage against strategic sectors.

Severity Level: High

Threat Overview:

• Initial Access: Likely via spear-phishing or watering hole attacks (not explicitly detailed in this campaign, but consistent with Billbug’s history).
• Execution: Attackers executed legitimate software binaries (e.g., from Trend Micro and Bitdefender) to initiate malicious activity.
• Technique: DLL Sideloading
  • Executables Used: tmdbglog.exe (Trend Micro), bds.exe (Bitdefender)
  • Malicious DLLs: tmdglog.dll, log.dll

These DLLs decrypted and executed embedded payloads from disk (TmDebug.log, winnt.config).

• Sagerunex Backdoor: A custom tool exclusively used by Billbug. The backdoor establishes persistence by modifying the registry and ensuring that it would run as a service.
• Other Tools Used:
  • ChromeKatz & CredentialKatz – Steal credentials and cookies from Chrome
  • Reverse SSH Tool – Establishes covert access over port 22
  • Zrok – Enables remote access to services that were exposed internally
  • datechanger.exe – Used to modify timestamps of files & binaries to obfuscate forensic timelines.
• Target sectors: government, ministry, air traffic control, telecom, news agency, air freight, and construction.
• Target regions: Southeast Asia.

Recommendations:

• Monitor for trusted binaries loading unexpected DLLs from non-standard paths (e.g., %TEMP% or C:\Windows\Temp\).
• Enforce the use of AppLocker or WDAC to allow only approved software execution, especially in admin or sensitive environments.
• Ensure antivirus and endpoint protection products have up-to-date signatures, particularly from vendors like Symantec, Bitdefender, and Trend Micro who are targeted in this campaign.
• Enforce policies that prevent password storage in browsers.
• Promote use of enterprise password managers with MFA.
• Detect suspicious persistence mechanisms, such as new service entries in the Windows Registry created without standard system processes.
• Monitor for use of tools like DateChanger.exe, which modifies file metadata to obscure malicious activity.
• Block or alert on unauthorized outbound/inbound SSH traffic on port 22.
• Block the IOCs at their respective controls

https://www.virustotal.com/gui/collection/8e5fccefd67e7f5fe4b7957bbf1ca2edbddcd57e37ad833f6ec670f19684c005/iocs

Source:

• https://www.security.com/threat-intelligence/billbug-china-espionage

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn.

No related posts found.