The China-linked threat group Billbug (aka Lotus Blossom, Bronze Elgin) has conducted a prolonged intrusion campaign across Southeast Asia from August 2024 to February 2025, targeting key government and critical infrastructure entities. Leveraging sophisticated sideloading techniques and a mix of new and known malware, the group continues its focus on cyber espionage against strategic sectors.
Severity Level: High
Threat Overview:
- Initial Access: Likely via spear-phishing or watering-hole attacks (not explicitly detailed for this campaign, but consistent with Billbug's history).
- Execution: Attackers ran legitimate software binaries (e.g., from Trend Micro and Bitdefender) to initiate malicious activity.
  - Technique: DLL sideloading
  - Executables used: tmdbglog.exe (Trend Micro), bds.exe (Bitdefender)
  - Malicious DLLs: tmdglog.dll, log.dll
  - These DLLs decrypt and execute payloads stored on disk in the files TmDebug.log and winnt.config.
- Sagerunex Backdoor: A custom tool used exclusively by Billbug. The backdoor establishes persistence by modifying the registry so that it runs as a service.
- Other tools used:
  - ChromeKatz & CredentialKatz – steal credentials and cookies from Chrome.
  - Reverse SSH tool – establishes covert access over port 22.
  - Zrok – exposes internally reachable services for remote access.
  - datechanger.exe – modifies the timestamps of files and binaries to obscure forensic timelines.
- Target sectors: government, ministries, air traffic control, telecom, news agencies, air freight, and construction.
- Target regions: Southeast Asia.
Recommendations:
- Monitor for trusted binaries loading unexpected DLLs from non-standard paths (e.g., %TEMP% or C:\Windows\Temp\).
- Enforce the use of AppLocker or WDAC to allow only approved software execution, especially in admin or sensitive environments.
- Ensure antivirus and endpoint protection products have up-to-date signatures, particularly those from vendors such as Symantec, Bitdefender, and Trend Micro, which feature in this campaign.
- Enforce policies that prevent password storage in browsers.
- Promote use of enterprise password managers with MFA.
- Detect suspicious persistence mechanisms, such as new service entries in the Windows Registry created without standard system processes.
- Monitor for use of tools like DateChanger.exe, which modifies file metadata to obscure malicious activity.
- Block or alert on unauthorized outbound/inbound SSH traffic on port 22.
- Block the IOCs at their respective controls; the indicator collection is published at https://www.virustotal.com/gui/collection/8e5fccefd67e7f5fe4b7957bbf1ca2edbddcd57e37ad833f6ec670f19684c005/iocs
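As an added illustration of the sideloading technique and the first recommendation above (example code written for this page, not code from the advisory or from Symantec): a small scanner over Sysmon-style image-load records that flags the loader/DLL pairs named in the overview, DLLs loaded from temp or user-writable paths, and vendor binaries executing outside Program Files. The field names (Image, ImageLoaded) are assumed to follow Sysmon Event ID 7, and the sample records are constructed.

```python
from pathlib import PureWindowsPath

# User-writable directories a trusted security binary should not load code from.
SUSPICIOUS_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")
# Where the vendor binaries are expected to execute from (assumption).
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Loader executables and side-loaded DLL names reported in the advisory.
KNOWN_LOADERS = {"tmdbglog.exe", "bds.exe"}
KNOWN_SIDELOAD_DLLS = {"tmdglog.dll", "log.dll"}

def sideload_reasons(event):
    """Return the reasons a single image-load event looks like DLL sideloading."""
    proc = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    proc_str, dll_str = str(proc).lower(), str(dll).lower()
    reasons = []
    if proc.name.lower() in KNOWN_LOADERS and dll.name.lower() in KNOWN_SIDELOAD_DLLS:
        reasons.append("known loader/DLL pair from the Billbug campaign")
    if any(d in dll_str for d in SUSPICIOUS_DIRS):
        reasons.append("DLL loaded from a temp or user-writable path")
    # A copied vendor binary running outside its install root is the
    # "trusted binary in a non-standard path" pattern the advisory describes.
    if proc.name.lower() in KNOWN_LOADERS and not proc_str.startswith(INSTALL_ROOTS):
        reasons.append("trusted vendor binary executing outside Program Files")
    return reasons

def scan(events):
    """Return (Image, ImageLoaded, reasons) for every event with at least one hit."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits

# Constructed sample records: one benign load and two sideloading shapes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\tmdbglog.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Windows\Temp\tmdbglog.exe",
     "ImageLoaded": r"C:\Windows\Temp\tmdglog.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\bds.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\log.dll"},
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {'; '.join(reasons)}")
```

The benign record produces no findings; each of the two temp-path records trips all three checks, which is the shape to alert on and then pivot into the TmDebug.log / winnt.config artifacts and registry service entries noted above.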
Source:
- https://www.security.com/threat-intelligence/billbug-china-espionage