Advanced Persistent Threat (APT)-style attacks continue to emerge on a global scale. What sets them apart is usually the resources required to develop and carry them out: time, money, and the expertise needed to create custom malware for specific, targeted attacks.
Operation Lotus Blossom is one of the more recently discovered and analyzed APT campaigns. It is an advanced adversary campaign against mostly government and state-sponsored entities in the Philippines, Hong Kong, Vietnam and Indonesia. The group is thought to have carried out the attack to gain a geopolitical advantage by stealing specific information from government and military institutions in that region. At this point it is still too early to tell whether the reach of the attack will extend to the private sector (as happened with Stuxnet and Duqu).
How does the attack work?
It was found that Operation Lotus Blossom involved a novel custom-built malware toolkit that the authors named Elise. This piece of malware was designed with a number of unique functions, including the ability to:
- Evade sandbox detection
- Connect to command-and-control servers
- Exfiltrate data
- Deliver 2nd stage malware payloads
As has been seen with many advanced cyber espionage groups, the attack begins with a spear-phishing email. The email contains content that looks authentic and relevant to government or military targets; for instance, it uses material such as military rosters that the targets expect to see. When the victim opens the attachment, a decoy document is displayed that appears legitimate. In the background, however, a backdoor is opened and malware is installed on the victim's machine. This gives the attacker a base of operations from which to conduct additional network reconnaissance, compromise new systems, deliver second-stage malware, or exfiltrate data.
Impact on you
- Any type of malware installed on your network puts you at risk of compromise, especially one designed to steal data
- Once installed, Elise has the ability to infect other machines and continue to deliver additional malware variants as needed
- Elise is specifically designed to steal data, putting you and your clients’ sensitive information at risk
How AlienVault helps
AlienVault Labs continues to perform cutting edge research on threats like these, collecting large amounts of data and then creating expert threat intelligence as a result. The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can detect activity from Elise. Learn more about this threat intelligence update and others in our forum.