Thursday, August 16, 2018

Lotus Blossom

Type: Nation-State-Sponsored

Lotus Blossom APT Status: Believed Inactive

Lotus Blossom APT Other Names: Operation Lotus Blossom / Spring Dragon / ST Group / LStudio / APToLSTU

Malware:
Custom Trojan backdoor called “Elise” or “Page” malware (BKDR_ESILE)
-At least three variants; all use separate but connected C2 infrastructure
-Evades detection, detects virtual environments, connects to C2 for additional instructions, and exfiltrates data
-Encrypted binary configuration data structure containing a list of C2 servers to contact
-A campaign identifier that tells the C2 server which malware deployment is reporting
-C2 communications use a custom format delivered over HTTP or HTTPS
-Upon installation, performs basic network reconnaissance and sends the results to the C2 server
-Ability to execute commands, DLLs, and executables
-Read and write files
-Update its configuration and upload configuration data
-Injects itself into iexplore.exe, decrypts an embedded DLL located in its resource section (‘XDATA’) and writes this DLL to a new section of memory in iexplore.exe
Elise is delivered as the malicious payload of a decoy attachment
-The document is usually a personnel roster for a specific military or government office
-The group may also use the LStudio or Evora tools

Preferred Attack Vector: Spear-phishing and watering-hole attacks
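The profile above gives two behaviours a detection engineer can pivot on: Elise arrives inside a decoy document, then injects itself into iexplore.exe and beacons over HTTP or HTTPS. The script below is an added example written for this page, not code from the original post or from any published Elise analysis. It correlates process lineage with outbound web traffic to find a browser process that was not started from the user's shell (or that descends from a document handler) and still talks HTTP/HTTPS. The telemetry records, their field names (pid, ppid, image, dest, dest_port), the allow-list of benign browser parents, and the list of document handlers are all assumptions constructed for the example, not a real log schema or a vendor rule.

```python
"""Hunt for an Elise-style injected browser: iexplore.exe that was not launched
by the user's shell and that talks HTTP/HTTPS outbound.

Added example, not part of the original post. The event records below are
CONSTRUCTED to resemble Sysmon-style process-creation and network-connection
telemetry; the field names (pid, ppid, image, dest, dest_port) are assumptions
made for this example, not a real log schema.
"""
from collections import defaultdict

# Processes a user would normally launch a browser from (assumption for the heuristic).
BENIGN_BROWSER_PARENTS = {"explorer.exe", "iexplore.exe"}
# Document handlers that commonly open spear-phishing decoys (assumption).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
WEB_PORTS = {80, 443}

# Constructed telemetry: a decoy document spawns a dropper, the dropper starts
# iexplore.exe, and that iexplore.exe beacons out over HTTPS. The second
# iexplore.exe is a legitimate session started from the shell, also on 443.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "roster.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "iexplore.exe"},
    {"type": "network", "pid": 400, "dest": "203.0.113.10", "dest_port": 443},
    {"type": "process", "pid": 500, "ppid": 100, "image": "iexplore.exe"},
    {"type": "network", "pid": 500, "dest": "198.51.100.7", "dest_port": 443},
]


def build_process_tree(events):
    """Map pid -> (image, ppid) from process-creation events."""
    return {e["pid"]: (e["image"], e["ppid"]) for e in events if e["type"] == "process"}


def ancestors(tree, pid):
    """Yield the image name of every known ancestor of pid, nearest first."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)  # guards against malformed telemetry with pid cycles
        _, ppid = tree[pid]
        if ppid not in tree:
            return
        yield tree[ppid][0]
        pid = ppid


def find_injected_browsers(events):
    """Return findings for iexplore.exe instances that look injected.

    Heuristic: the browser's direct parent is not a normal launcher, OR a
    document handler appears anywhere in its ancestry, AND the process makes
    at least one outbound HTTP/HTTPS connection (Elise C2 uses HTTP or HTTPS).
    """
    tree = build_process_tree(events)
    egress = defaultdict(list)
    for e in events:
        if e["type"] == "network" and e["dest_port"] in WEB_PORTS:
            egress[e["pid"]].append((e["dest"], e["dest_port"]))

    findings = []
    for pid, (image, _) in tree.items():
        if image.lower() != "iexplore.exe":
            continue
        lineage = list(ancestors(tree, pid))
        parent = lineage[0] if lineage else None
        odd_parent = parent is not None and parent.lower() not in BENIGN_BROWSER_PARENTS
        from_document = any(a.lower() in DOCUMENT_HANDLERS for a in lineage)
        if (odd_parent or from_document) and egress.get(pid):
            findings.append({
                "pid": pid,
                "parent": parent,
                "lineage": lineage,
                "connections": egress[pid],
            })
    return findings


if __name__ == "__main__":
    for f in find_injected_browsers(SAMPLE_EVENTS):
        print(f"pid {f['pid']} iexplore.exe launched by {f['parent']} "
              f"via {' <- '.join(f['lineage'])}, egress {f['connections']}")
```

On the constructed sample only pid 400 is reported: its parent is the dropper and winword.exe sits in its ancestry, and it has HTTPS egress. The shell-launched browser on pid 500 uses the same port but is not flagged, which is the point of requiring both the lineage anomaly and the egress rather than either alone. In a real deployment the two lists at the top are the tuning knobs; the ancestry walk is what lets the rule survive a dropper inserting itself between the document handler and the browser.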

SPRINGDRAGON
