The Chinese Advanced Persistent Threat (APT) group Lotus Blossom (also known as Billbug) is credited with a sophisticated espionage campaign. To deliver a unique, previously undiscovered backdoor known as "Chrysalis," the threat actors breached the infrastructure supporting the well-known text editor Notepad++.

Ivan Feigl, a researcher at Rapid7, discovered this campaign, which mainly targets government, telecommunications, aviation, and critical infrastructure organizations in Southeast Asia and Central America. The investigation started with a security incident caused by the execution of a malicious file called update[.]exe, which was downloaded from a suspicious IP address (95.179.213[.]0) after notepad++[.]exe and GUP[.]exe (the generic updater for Notepad++) had been executed legitimately. Forensic analysis showed that update[.]exe is an NSIS installer, a packaging tool that Chinese APTs frequently abuse for initial payload delivery.

[Figure: Chain of Attack (Source: Rapid7)]

When the installer runs, it drops a number of files, including BluetoothService.exe and log.dll, and creates a hidden directory called "Bluetooth" in the %AppData% folder.

File Indicators

update.exe: Malicious NSIS installer used for the first payload delivery.
[NSIS].nsi: The extracted NSIS installation script.
BluetoothService.exe: Renamed Bitdefender Submission Wizard, a legitimate binary abused for DLL sideloading.
BluetoothService: Encrypted shellcode file.
log.dll: Malicious DLL sideloaded by BluetoothService.exe.
u.bat: Temporary batch file used for self-deletion/cleanup.
conf.c: C source file containing shellcode bytes (Metasploit block API).
libtcc.dll: Tiny C Compiler library, used to compile and run conf.c.
admin: File retrieved from api.wiresguard[.]com, related to the second-stage shellcode.
loader1: Variant loader sample found in public repositories.
uffhxpSy: Shellcode associated with Loader 1.
loader2: Variant loader sample found in public repositories.
3yzr31vk: Shellcode associated with Loader 2.
ConsoleApplication2.exe: Loader 3; uses Microsoft Warbird for shellcode execution.
s047t5g.exe: Loader 3/Loader 4 variant sample sharing the same shellcode.

Network Indicators

95.179.213[.]0 (IP address): Host for the update.exe download.
api.skycloudcenter[.]com (domain): Chrysalis backdoor C2.
api.wiresguard[.]com (domain): Cobalt Strike Beacon C2.
61.4.102[.]97 (IP address): Resolution for api.skycloudcenter[.]com (Malaysia).
59.110.7[.]32 (IP address): C2 linked to Loader 1.
124.222.137[.]114 (IP address): C2 linked to Loader 2.

MITRE ATT&CK TTPs

T1204.002: User Execution: Malicious File
T1036: Masquerading
T1027: Obfuscated Files or Information
T1027.007: Obfuscated Files or Information: Dynamic API Resolution
T1140: Deobfuscate/Decode Files or Information
T1574.002: Hijack Execution Flow: DLL Side-Loading
T1106: Native API
T1055: Process Injection
T1620: Reflective Code Loading
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1083: File and Directory Discovery
T1005: Data from Local System
T1105: Ingress Tool Transfer
T1041: Exfiltration Over C2 Channel
T1071.001: Application Layer Protocol: Web Protocols (HTTP/HTTPS)
T1573: Encrypted Channel
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys
T1543.003: Create or Modify System Process: Windows Service
T1480.002: Execution Guardrails: Mutual Exclusion
T1070.004: Indicator Removal: File Deletion
