Research Saturday 1.21.23
Ep 265 | 1.21.23

Billbug infests government agencies.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Brigid O Gorman: Billbug does have quite a long history. So that activity we published on in 2018 that concerned Billbug - at that time, it was targeting organizations in the communications, the geospatial imaging and defense sectors, primarily in Southeast Asia. And that's really a hallmark, I would say, of Billbug in general. 

Dave Bittner: That's Brigid O Gorman. She's a senior intelligence analyst at Symantec's Threat Hunter team. The research we're discussing today is titled "Billbug: State-sponsored Actor Targets Cert Authority and Government Agencies in Multiple Asian Countries." 

Brigid O Gorman: So yeah, when we first published about Billbug in 2018, we were tracking its activity under the name Thrip. However, we subsequently did further investigations into this group. We came to the conclusion that this Thrip - this activity we were referring to as Thrip and Billbug was really all likely the same group and kind of all likely the same activity. So now we track all this activity under the Billbug name. And in that activity we published about in 2018, Billbug was at that time targeting organizations in the communications, geospatial imaging and defense sectors, primarily in Southeast Asia, and this is really quite typical now of Billbug's activity. Those are sort of hallmarks of its preferred victims. It does primarily go after organizations based in Asia, primarily Southeast Asia, and communications, defense, government. Those are the sectors this group appears to be primarily interested in. Its primary motivation in all of these instances does appear to be espionage. 

Brigid O Gorman: However, in this related activity, there was a notion of discovery in that when Billbug had targeted this satellite communications operator and also in the geospatial imaging and mapping company, they did show an interest in the operational side of those companies. They were looking at computers that - in the satellite communications company, they were targeting computers that ran the software that monitored and controls satellites. So there was kind of speculation at that time that there may have been a disruption motivation behind that particular campaign as well, although Billbug, primarily, it is considered to be an espionage actor. In that 2018 campaign as well, we saw the group using a mix of living-off-the-land dual-use tools as well as custom malware, and that's very much a hallmark of how it operates as well. We see that in all the campaigns we've seen Billbug carry out. We've seen them using that mix of dual-use living-off-the-land tools as well as their own custom malware. 

Dave Bittner: Well, let's go through the attack chain together. I mean, how does one find themselves falling victim to this group? 

Brigid O Gorman: Well, it's not always clear how they gain access to victim machines initially, but in this particular campaign, this most recent campaign that we saw, there were some indications that the attackers were exploiting public-facing applications to gain initial access to victim networks. And then we did see them in this campaign, as we have seen them in previous campaigns, using multiple dual-use tools, living-off-the-land tools. As we - as I've already said, that's very much a hallmark of their activity. In this particular campaign, some of the dual-use tools we saw them using were tools we often see being leveraged, I suppose, by malicious actors. You know, we saw them using AdFind. That's a publicly available tool. It can be used to query Active Directory, but we do see it often used by attackers to help them map a network. 

Brigid O Gorman: We also saw them using WinRAR. Again, we often see this used by malicious actors. It can be used to archive or ZIP files, for example, prior to exfiltration if you're a malicious actor. We did also see them using certutil, and that's a very commonly kind of abused tool that we see misused by malicious actors, and that's a Microsoft Windows utility that can be used for various different purposes by malicious actors. It can be used to download files and to install browser certificates and things like that. So they use all these various dual-use living-off-the-land tools as well as deploying their own custom malware, which they do now use as well. 

Dave Bittner: And what are the backdoors that they're using here and what are the capabilities? 

Brigid O Gorman: Yeah, so we saw - in this most recent campaign, we saw them using two backdoors that we did previously see them using as well in the 2019 campaign that they carried out as well, so those backdoors are Hannotog as well as another backdoor called - I'm always never 100% sure how to pronounce this one, but Sagerunex. And those were both tools we saw being used previously in the 2019 activity, and that is how we sort of linked - you know, we were able to link all this activity to Billbug, basically - was with the usage, by seeing the usage of these tools in both campaigns, and basically the Hannotog is a loader essentially. Yeah. Back - the Hannotog is a loader, and Sagerunex - Hannotog is a custom backdoor, and that can give these attackers kind of persistent presence on victim networks. Sagerunex, then, is kind of a - it's a fairly resilient backdoor. It can implement multiple forms of communication with the command-and-control server. It's kind of a powerful backdoor in that way. But interestingly, in this particular campaign, in this most recent activity, we saw this analyzed sample that has no hard configuration, so it had to be dropped onto the machine by a loader malware such as Hannotog. So that is likely why we see these kind of two tools being used together in this way. 

Brigid O Gorman: So once we see this kind of sample, the payload dropped to the machine. We see it write logs to try and encrypt it to a temporary file. We see this encryption key, which is hardcoded, and we saw this previously used as well with a previous sample of this malware. So again, we were able to connect that to previous Billbug activity, and we saw the structure of the payload once it was downloaded then. We saw it was decryptors, and kind of its - what it does, I guess, depends on the command ID once it is downloaded. And it's capable of carrying out various commands. It can execute programs or DLLs or commands. It can steal local files. It can drop files to a specified path as well as returning a list of currently configured proxies on the machine to the attackers as well. So it can carry out various different - has various different capabilities, I suppose, basically. And while we don't see data being exfiltrated in this campaign, Billbug is widely regarded as being an espionage actor. So it's most likely that they just have lost motivation in this campaign. And obviously, the targets in this campaign as well also points to espionage being the most likely motivation for these attackers as well. 

Dave Bittner: And so what are your recommendations for organizations to best protect themselves here? 

Brigid O Gorman: Billbug is quite a sophisticated actor, so it can be - you know, I think the organizations it goes after tend to be, I suppose, highly targeted. They're very interested in specific groups. They're very interested in specific sectors in specific geographies, so those are kind of the areas that need to be worried about Billbug. But as a, I suppose - you know, it's an actor that uses a lot of living-off-the-land tools. It uses a lot of dual-use tools. 

Brigid O Gorman: So it's important that organizations have that kind of multi-step security software in place so that they're watching out for this kind of suspicious activity, that it's not just a matter of, you know, detecting the malware, it's - so it's also finding that suspicious activity: dual-use tools being used in an unusual way, living-off-the-land tools that are already on your computer being used in a non-typical manner. So it's important to have that kind of multi-layer security stack so that you can detect this kind of suspicious activity so you can stop it, I suppose, before the malware is even dropped onto your computer, which is key, I think, for these kinds of attacks because dual-use tools, living-off-the-land tools, we see them used so often now by these kind of sophisticated nation-state actors as well as ransomware actors. 

Dave Bittner: Our thanks to Brigid O Gorman from Symantec's Threat Hunter Team for joining us. The research is titled "Billbug: State-sponsored Actor Targets Cert Authority and Government Agencies in Multiple Asian Countries." We'll have a link in the show notes. 

Dave Bittner: The CyberWire's "Research Saturday" podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.