
"The targeted malware campaign leverages decoys related to the recent geopolitical developments between the U.S. and Venezuela to distribute a ZIP archive ("US now deciding what's next for Venezuela.zip") containing a malicious DLL that's launched using DLL side-loading techniques. It's not known if the campaign managed to successfully compromise any of the targets. The activity has been attributed with moderate confidence to a Chinese state-sponsored group known as Mustang Panda (aka Earth Preta, HoneyMyte, and Twill Typhoon), citing tactical and infrastructure patterns."
"The backdoor ("kugou.dll") employed in the attack, LOTUSLITE, is a bespoke C++ implant that's designed to communicate with a hard-coded command-and-control (C2) server using Windows WinHTTP APIs to enable beaconing activity, remote tasking using "cmd.exe," and data exfiltration. The complete list of supported commands is as follows -
- 0x0A, to initiate a remote CMD shell
- 0x0B, to terminate the remote shell
- 0x01, to send commands via the remote shell"
A targeted malware campaign used politically themed decoys about U.S.-Venezuela developments to distribute a ZIP archive named "US now deciding what's next for Venezuela.zip" containing a malicious DLL. The DLL was launched via DLL side-loading to execute a backdoor named LOTUSLITE (kugou.dll). Activity was attributed with moderate confidence to the Chinese state-sponsored Mustang Panda group based on tactical and infrastructure patterns. LOTUSLITE is a C++ implant that uses Windows WinHTTP APIs to beacon to a hard-coded C2 server, enable remote tasking via cmd.exe, and exfiltrate data. LOTUSLITE supports commands for remote shell control, file enumeration and manipulation, beacon management, and status queries, and can persist via Windows Registry modifications. It remains unknown whether any targets were successfully compromised.
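The summary above describes the lure as a ZIP archive whose DLL is launched by DLL side-loading. The script below is an added triage example, not code from The Hacker News article or from any vendor report: it unpacks a ZIP in memory and reports every DLL that sits in the same directory as an executable, which is the layout a side-loading lure needs when it ships its own host program. The heuristic, the directory-pairing rule, the severity labels and the sample archive (a constructed decoy executable named "report.exe" beside a DLL) are all assumptions; the only name taken from the page is "kugou.dll".

```python
"""Triage helper: flag ZIP archives whose layout matches a DLL side-loading lure.

Assumption (not from the article): a side-loading lure usually bundles a benign
host EXE together with a same-directory DLL carrying the name the host expects
to load. Archives holding a DLL without any EXE are still reported, at lower
severity, because the intended host may already exist on the victim machine.
"""
import io
import zipfile
from pathlib import PurePosixPath

# The one DLL name reported in the summarised article; extend with your own IoCs.
KNOWN_SIDELOAD_DLLS = {"kugou.dll"}


def sideload_indicators(zip_bytes: bytes) -> list[dict]:
    """Return one finding per DLL inside the archive.

    Each finding records the DLL path, the executables found in the same
    directory (candidate side-loading hosts), whether the DLL name matches a
    known indicator, and an assumed severity label.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]

    # Group entries by directory; side-loading resolves the DLL from the EXE's own folder.
    by_dir: dict[str, list[PurePosixPath]] = {}
    for name in names:
        path = PurePosixPath(name)
        by_dir.setdefault(str(path.parent), []).append(path)

    findings = []
    for paths in by_dir.values():
        exes = [p for p in paths if p.suffix.lower() == ".exe"]
        dlls = [p for p in paths if p.suffix.lower() == ".dll"]
        for dll in dlls:
            known = dll.name.lower() in KNOWN_SIDELOAD_DLLS
            # Assumed scoring: EXE+DLL pairing or a known name is "high", lone DLL is "medium".
            severity = "high" if (exes or known) else "medium"
            findings.append({
                "dll": str(dll),
                "host_candidates": [str(e) for e in exes],
                "known_name": known,
                "severity": severity,
            })
    return findings


def build_sample_archive(dll_name: str = "kugou.dll", include_host: bool = True) -> bytes:
    """Constructed sample archive for offline testing; not the real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_host:
            zf.writestr("Venezuela/report.exe", b"MZ-constructed-host")  # hypothetical host EXE
        zf.writestr(f"Venezuela/{dll_name}", b"MZ-constructed-dll")
        zf.writestr("Venezuela/notes.txt", b"decoy text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in sideload_indicators(build_sample_archive()):
        print(finding)
```

Run it against a suspicious archive with `sideload_indicators(open(path, "rb").read())`; the "high" findings are the ones worth pulling the host executable for, so you can confirm which import the DLL satisfies before deciding whether the pairing is legitimate.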
Read at The Hacker News